From f689f50dd565d6e9233aa7f15b7e6f4c8b8df879 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 10 2010 15:27:34 +0000
Subject: - Update to upstream
---
diff --git a/.cvsignore b/.cvsignore
index fdfed60..747509c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -203,3 +203,4 @@ setroubleshoot-2.2.58.tar.gz
serefpolicy-3.7.9.tgz
serefpolicy-3.7.11.tgz
serefpolicy-3.7.12.tgz
+serefpolicy-3.7.13.tgz
diff --git a/nsadiff b/nsadiff
index b96333f..e5d977a 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.12 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.13 > /tmp/diff
diff --git a/policy-F13.patch b/policy-F13.patch
index 26d7889..82dfa5d 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.12/Makefile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.13/Makefile
--- nsaserefpolicy/Makefile 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.12/Makefile 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/Makefile 2010-03-09 18:51:11.000000000 -0500
@@ -244,7 +244,7 @@
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -10,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.12/
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.12/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.13/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/global_tunables 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/global_tunables 2010-03-09 18:51:11.000000000 -0500
@@ -61,15 +61,6 @@
##
@@ -48,9 +48,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+##
+gen_tunable(mmap_low_allowed, false)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.12/policy/modules/admin/acct.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.13/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/acct.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/acct.te 2010-03-09 18:51:11.000000000 -0500
@@ -43,6 +43,7 @@
fs_getattr_xattr_fs(acct_t)
@@ -59,9 +59,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.12/policy/modules/admin/alsa.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.13/policy/modules/admin/alsa.if
--- nsaserefpolicy/policy/modules/admin/alsa.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/alsa.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/alsa.if 2010-03-09 18:51:11.000000000 -0500
@@ -76,6 +76,26 @@
########################################
@@ -89,9 +89,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
## Read alsa lib files.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.12/policy/modules/admin/alsa.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.13/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/alsa.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/alsa.te 2010-03-09 18:51:11.000000000 -0500
@@ -51,6 +51,8 @@
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
@@ -101,9 +101,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.12/policy/modules/admin/anaconda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.13/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/anaconda.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/anaconda.te 2010-03-09 18:51:11.000000000 -0500
@@ -31,6 +31,7 @@
modutils_domtrans_insmod(anaconda_t)
@@ -121,9 +121,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.12/policy/modules/admin/brctl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.13/policy/modules/admin/brctl.te
--- nsaserefpolicy/policy/modules/admin/brctl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/brctl.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/brctl.te 2010-03-09 18:51:11.000000000 -0500
@@ -21,7 +21,7 @@
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
@@ -133,9 +133,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.12/policy/modules/admin/certwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.13/policy/modules/admin/certwatch.te
--- nsaserefpolicy/policy/modules/admin/certwatch.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/certwatch.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/certwatch.te 2010-03-09 18:51:11.000000000 -0500
@@ -36,7 +36,7 @@
miscfiles_read_localization(certwatch_t)
@@ -145,9 +145,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
optional_policy(`
apache_exec_modules(certwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.12/policy/modules/admin/consoletype.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.13/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/consoletype.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/consoletype.if 2010-03-09 18:51:11.000000000 -0500
@@ -19,6 +19,9 @@
corecmd_search_bin($1)
@@ -158,9 +158,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.12/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.13/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/consoletype.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/consoletype.te 2010-03-09 18:51:11.000000000 -0500
@@ -10,7 +10,6 @@
type consoletype_exec_t;
application_executable_file(consoletype_exec_t)
@@ -169,9 +169,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
role system_r types consoletype_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.12/policy/modules/admin/firstboot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.13/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/firstboot.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/firstboot.te 2010-03-09 18:51:11.000000000 -0500
@@ -91,8 +91,12 @@
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
@@ -194,9 +194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.12/policy/modules/admin/kismet.te
---- nsaserefpolicy/policy/modules/admin/kismet.te 2009-11-25 15:15:48.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/kismet.te 2010-03-05 17:18:51.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.13/policy/modules/admin/kismet.te
+--- nsaserefpolicy/policy/modules/admin/kismet.te 2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/kismet.te 2010-03-09 18:51:11.000000000 -0500
@@ -45,6 +45,7 @@
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
@@ -205,27 +205,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
-@@ -53,7 +54,8 @@
-
- manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
- manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
--files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
-+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
-+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
-
- manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
- manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
-@@ -69,6 +71,7 @@
-
- kernel_search_debugfs(kismet_t)
- kernel_read_system_state(kismet_t)
-+kernel_read_network_state(kismet_t)
-
- corecmd_exec_bin(kismet_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.12/policy/modules/admin/logrotate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.13/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/logrotate.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/logrotate.te 2010-03-09 18:51:11.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -243,7 +225,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
-@@ -116,8 +117,9 @@
+@@ -108,6 +109,7 @@
+
+ logging_manage_all_logs(logrotate_t)
+ logging_send_syslog_msg(logrotate_t)
++logging_send_audit_msgs(logrotate_t)
+ # cjp: why is this needed?
+ logging_exec_all_logs(logrotate_t)
+
+@@ -116,8 +118,9 @@
seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
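Review bot: The `logging_send_audit_msgs(logrotate_t)` line added in the new logrotate.te hunk (`-108,6 +109,7`) has no rationale. It sits directly above an existing `# cjp: why is this needed?` that was never answered for `logging_exec_all_logs`. As far as I know, this interface lets the calling domain write user-space audit records (audit_write plus a netlink audit socket), so the policy should record which program run from logrotate needs it. I would add a comment above the line such as `# <PROGRAM> run from logrotate emits audit records; see <BUG-OR-AVC-REFERENCE>`, with both placeholders filled in by the author. The rest of logrotate.te lies outside this hunk, so I cannot tell whether the grant could instead be scoped inside an `optional_policy` block.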
@@ -254,7 +244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-@@ -137,6 +139,10 @@
+@@ -137,6 +140,10 @@
')
optional_policy(`
@@ -265,13 +255,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
-@@ -149,6 +155,16 @@
+@@ -149,6 +156,14 @@
')
optional_policy(`
-+ asterisk_exec(logrotate_t)
-+ asterisk_stream_connect(logrotate_t)
-+ asterisk_manage_lib_files(logrotate_t)
++ asterisk_domtrans(logrotate_t)
+')
+
+optional_policy(`
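Review bot: The switch to `asterisk_domtrans(logrotate_t)` in the `-149,6 +156,14` hunk is undocumented, although it changes which domain asterisk runs in when logrotate invokes it. Previously `asterisk_exec`, `asterisk_stream_connect` and `asterisk_manage_lib_files` kept the command inside logrotate_t, which an earlier hunk shows holding `chown dac_override dac_read_search` and other capabilities. A transition is presumably the tighter choice, but it relies on the asterisk domain already being permitted everything the rotate script does. That is worth confirming against the asterisk module, which is not visible here. A one-line comment in the block, such as `# run asterisk in its own domain rather than inside logrotate_t`, would keep the intent clear for the next rebase.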
@@ -282,7 +270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
consoletype_exec(logrotate_t)
')
-@@ -157,11 +173,15 @@
+@@ -157,11 +172,15 @@
')
optional_policy(`
@@ -299,7 +287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
')
optional_policy(`
-@@ -183,6 +203,15 @@
+@@ -183,6 +202,15 @@
')
optional_policy(`
@@ -315,7 +303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
slrnpull_manage_spool(logrotate_t)
')
-@@ -191,5 +220,9 @@
+@@ -191,5 +219,9 @@
')
optional_policy(`
@@ -325,38 +313,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.12/policy/modules/admin/logwatch.te
---- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/logwatch.te 2010-03-05 17:18:51.000000000 -0500
-@@ -93,6 +93,13 @@
- sysnet_exec_ifconfig(logwatch_t)
-
- userdom_dontaudit_search_user_home_dirs(logwatch_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs(logwatch_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs(logwatch_t)
-+')
-
- mta_send_mail(logwatch_t)
-
-@@ -136,4 +143,5 @@
-
- optional_policy(`
- samba_read_log(logwatch_t)
-+ samba_read_share_files(logwatch_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.12/policy/modules/admin/mcelog.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.13/policy/modules/admin/mcelog.fc
--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/mcelog.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/mcelog.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.12/policy/modules/admin/mcelog.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.13/policy/modules/admin/mcelog.if
--- nsaserefpolicy/policy/modules/admin/mcelog.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/mcelog.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/mcelog.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,21 @@
+
+## policy for mcelog
@@ -379,9 +344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
+ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.12/policy/modules/admin/mcelog.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.13/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/mcelog.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/mcelog.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,32 @@
+
+policy_module(mcelog,1.0.0)
@@ -415,9 +380,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.
+miscfiles_read_localization(mcelog_t)
+
+logging_send_syslog_msg(mcelog_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.12/policy/modules/admin/mrtg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.13/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/mrtg.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/mrtg.te 2010-03-09 18:51:11.000000000 -0500
@@ -116,6 +116,7 @@
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -426,9 +391,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
netutils_domtrans_ping(mrtg_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.12/policy/modules/admin/netutils.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.13/policy/modules/admin/netutils.fc
--- nsaserefpolicy/policy/modules/admin/netutils.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/netutils.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/netutils.fc 2010-03-09 18:51:11.000000000 -0500
@@ -9,6 +9,7 @@
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
@@ -437,9 +402,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.12/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.13/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/netutils.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/netutils.te 2010-03-09 18:51:11.000000000 -0500
@@ -44,6 +44,7 @@
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
@@ -490,17 +455,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+ term_use_all_ttys(traceroute_t)
+ term_use_all_ptys(traceroute_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.12/policy/modules/admin/prelink.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.13/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/prelink.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/prelink.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,3 +1,4 @@
+/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.12/policy/modules/admin/prelink.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.13/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/prelink.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/prelink.if 2010-03-09 18:51:11.000000000 -0500
@@ -21,6 +21,25 @@
########################################
@@ -541,9 +506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
- relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.12/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.13/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/prelink.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/prelink.te 2010-03-09 18:51:11.000000000 -0500
@@ -21,8 +21,21 @@
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
@@ -668,9 +633,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
+optional_policy(`
+ rpm_read_db(prelink_cron_system_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.12/policy/modules/admin/quota.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.13/policy/modules/admin/quota.te
--- nsaserefpolicy/policy/modules/admin/quota.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/quota.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/quota.te 2010-03-09 18:51:11.000000000 -0500
@@ -39,6 +39,7 @@
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
@@ -679,9 +644,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.12/policy/modules/admin/readahead.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.13/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/readahead.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/readahead.te 2010-03-09 18:51:11.000000000 -0500
@@ -52,6 +52,7 @@
files_list_non_security(readahead_t)
@@ -699,9 +664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.12/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.13/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/rpm.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/rpm.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,18 +1,19 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -752,9 +717,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.12/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.13/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/rpm.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/rpm.if 2010-03-09 18:51:11.000000000 -0500
@@ -13,11 +13,36 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -1208,9 +1173,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.12/policy/modules/admin/rpm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.13/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/rpm.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/rpm.te 2010-03-09 18:51:11.000000000 -0500
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -1495,40 +1460,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.12/policy/modules/admin/shorewall.fc
---- nsaserefpolicy/policy/modules/admin/shorewall.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/shorewall.fc 2010-03-05 17:18:51.000000000 -0500
-@@ -10,3 +10,5 @@
- /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-+
-+/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.12/policy/modules/admin/shorewall.te
---- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/shorewall.te 2010-03-05 17:18:51.000000000 -0500
-@@ -29,6 +29,9 @@
- type shorewall_var_lib_t;
- files_type(shorewall_var_lib_t)
-
-+type shorewall_log_t;
-+logging_log_file(shorewall_log_t)
-+
- ########################################
- #
- # shorewall local policy
-@@ -49,6 +52,10 @@
- manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
- files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
-
-+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
-+
- manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
- manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
- files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
-@@ -80,7 +87,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.13/policy/modules/admin/shorewall.te
+--- nsaserefpolicy/policy/modules/admin/shorewall.te 2010-03-08 14:49:44.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/shorewall.te 2010-03-09 18:51:11.000000000 -0500
+@@ -87,7 +87,7 @@
sysnet_domtrans_ifconfig(shorewall_t)
@@ -1537,22 +1472,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
optional_policy(`
iptables_domtrans(shorewall_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.12/policy/modules/admin/smoltclient.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc
--- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.12/policy/modules/admin/smoltclient.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.13/policy/modules/admin/smoltclient.if
--- nsaserefpolicy/policy/modules/admin/smoltclient.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1 @@
+## The Fedora hardware profiler client
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.12/policy/modules/admin/smoltclient.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.13/policy/modules/admin/smoltclient.te
--- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/smoltclient.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(smoltclient,1.0.0)
+
@@ -1620,9 +1555,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltcl
+ rpm_exec(smoltclient_t)
+ rpm_read_db(smoltclient_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.12/policy/modules/admin/sudo.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.13/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/sudo.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/sudo.if 2010-03-09 18:51:11.000000000 -0500
@@ -73,12 +73,16 @@
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
@@ -1651,9 +1586,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.12/policy/modules/admin/su.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.13/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/su.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/su.if 2010-03-09 18:51:11.000000000 -0500
@@ -58,6 +58,10 @@
allow $2 $1_su_t:fifo_file rw_file_perms;
allow $2 $1_su_t:process sigchld;
@@ -1676,9 +1611,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
ps_process_pattern($3, $1_su_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.12/policy/modules/admin/tmpreaper.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.13/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/tmpreaper.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/tmpreaper.te 2010-03-09 18:51:11.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1717,9 +1652,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
+optional_policy(`
unconfined_domain(tmpreaper_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.12/policy/modules/admin/usermanage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.13/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/admin/usermanage.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/usermanage.if 2010-03-09 18:51:11.000000000 -0500
@@ -18,6 +18,10 @@
files_search_usr($1)
corecmd_search_bin($1)
@@ -1775,9 +1710,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_run(useradd_t, $2)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.12/policy/modules/admin/usermanage.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.13/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/usermanage.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/usermanage.te 2010-03-09 18:51:11.000000000 -0500
@@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
@@ -1846,9 +1781,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
puppet_rw_tmp(useradd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.12/policy/modules/admin/vbetool.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.13/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/vbetool.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/vbetool.te 2010-03-09 18:51:11.000000000 -0500
@@ -25,7 +25,13 @@
dev_rw_xserver_misc(vbetool_t)
dev_rw_mtrr(vbetool_t)
@@ -1863,9 +1798,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool
term_use_unallocated_ttys(vbetool_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.12/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.13/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/admin/vpn.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/admin/vpn.te 2010-03-09 18:51:11.000000000 -0500
+@@ -31,7 +31,7 @@
+ allow vpnc_t self:rawip_socket create_socket_perms;
+ allow vpnc_t self:unix_dgram_socket create_socket_perms;
+ allow vpnc_t self:unix_stream_socket create_socket_perms;
+-allow vpnc_t self:tun_socket create;
++allow vpnc_t self:tun_socket { create_socket_perms };
+ # cjp: this needs to be fixed
+ allow vpnc_t self:socket create_socket_perms;
+
@@ -46,6 +46,7 @@
kernel_read_system_state(vpnc_t)
kernel_read_network_state(vpnc_t)
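Review bot: The rule `allow vpnc_t self:tun_socket { create_socket_perms };` added to vpn.te widens vpnc's access on its own tun socket from the single `create` permission to the whole create_socket_perms set, and nothing in the hunk says which of the extra permissions were actually denied. If this goes together with the `networkmanager_attach_tun_iface(vpnc_t)` call added in the following hunk, I would list only the permissions seen in the AVC denials, or at least record the reason with a line such as `# vpnc needs <permissions from the denial> on its tun socket, see <bug reference>`. The braces around a single macro are also redundant; `allow vpnc_t self:tun_socket create_socket_perms;` would match the neighbouring socket rules.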
@@ -1882,27 +1826,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te
optional_policy(`
dbus_system_bus_client(vpnc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.12/policy/modules/apps/cdrecord.te
---- nsaserefpolicy/policy/modules/apps/cdrecord.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/cdrecord.te 2010-03-05 17:18:51.000000000 -0500
-@@ -32,6 +32,8 @@
- allow cdrecord_t self:unix_dgram_socket create_socket_perms;
- allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
-
-+corecmd_exec_bin(cdrecord_t)
-+
- # allow searching for cdrom-drive
- dev_list_all_dev_nodes(cdrecord_t)
- dev_read_sysfs(cdrecord_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.12/policy/modules/apps/chrome.fc
+@@ -115,3 +117,7 @@
+ networkmanager_dbus_chat(vpnc_t)
+ ')
+ ')
++
++optional_policy(`
++ networkmanager_attach_tun_iface(vpnc_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.13/policy/modules/apps/chrome.fc
--- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/chrome.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/chrome.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.12/policy/modules/apps/chrome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.13/policy/modules/apps/chrome.if
--- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/chrome.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/chrome.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,90 @@
+
+## policy for chrome
@@ -1994,9 +1934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.12/policy/modules/apps/chrome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.13/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/chrome.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/chrome.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,81 @@
+policy_module(chrome,1.0.0)
+
@@ -2079,9 +2019,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_read_cifs_files(chrome_sandbox_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.12/policy/modules/apps/cpufreqselector.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.13/policy/modules/apps/cpufreqselector.te
--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/cpufreqselector.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/cpufreqselector.te 2010-03-09 18:51:11.000000000 -0500
@@ -26,7 +26,7 @@
dev_rw_sysfs(cpufreqselector_t)
@@ -2091,11 +2031,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.12/policy/modules/apps/execmem.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.13/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/execmem.fc 2010-03-05 17:18:51.000000000 -0500
-@@ -0,0 +1,43 @@
++++ serefpolicy-3.7.13/policy/modules/apps/execmem.fc 2010-03-09 19:08:08.000000000 -0500
+@@ -0,0 +1,45 @@
++
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0)
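Review bot: The new `/usr/bin/compiz` entry in execmem.fc labels the binary `execmem_exec_t` without a comment or bug reference explaining why it needs that label. Judging by the type name and the `domtrans_pattern($1, execmem_exec_t, $2)` interface further down in this patch, programs with this label are presumably run in a domain that permits writable and executable memory, so each addition to the list weakens that protection for one more program and should carry its justification. I would put a line above it such as `# compiz: needs execmem because <reason>, see <bug reference>`. The same hunk also adds an empty first line to the file, which looks unintentional.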
@@ -2138,9 +2080,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.12/policy/modules/apps/execmem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.13/policy/modules/apps/execmem.if
--- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/execmem.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/execmem.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,108 @@
+## execmem domain
+
@@ -2250,9 +2192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+
+ domtrans_pattern($1, execmem_exec_t, $2)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.12/policy/modules/apps/execmem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.13/policy/modules/apps/execmem.te
--- nsaserefpolicy/policy/modules/apps/execmem.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/execmem.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/execmem.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(execmem, 1.0.0)
@@ -2265,16 +2207,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
+type execmem_exec_t alias unconfined_execmem_exec_t;
+application_executable_file(execmem_exec_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.12/policy/modules/apps/firewallgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.13/policy/modules/apps/firewallgui.fc
--- nsaserefpolicy/policy/modules/apps/firewallgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,3 @@
+
+/usr/share/system-config-firewall/system-config-firewall-mechanism.py -- gen_context(system_u:object_r:firewallgui_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.12/policy/modules/apps/firewallgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.13/policy/modules/apps/firewallgui.if
--- nsaserefpolicy/policy/modules/apps/firewallgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,23 @@
+
+## policy for firewallgui
@@ -2299,9 +2241,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ allow $1 firewallgui_t:dbus send_msg;
+ allow firewallgui_t $1:dbus send_msg;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.12/policy/modules/apps/firewallgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.13/policy/modules/apps/firewallgui.te
--- nsaserefpolicy/policy/modules/apps/firewallgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/firewallgui.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/firewallgui.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,66 @@
+
+policy_module(firewallgui,1.0.0)
@@ -2369,9 +2311,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
+ policykit_dbus_chat(firewallgui_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.12/policy/modules/apps/gitosis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.13/policy/modules/apps/gitosis.if
--- nsaserefpolicy/policy/modules/apps/gitosis.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/gitosis.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gitosis.if 2010-03-09 18:51:11.000000000 -0500
@@ -43,3 +43,47 @@
role $2 types gitosis_t;
')
@@ -2420,9 +2362,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
+ manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+ manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.12/policy/modules/apps/gnome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.13/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/gnome.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gnome.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,8 +1,28 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
@@ -2454,9 +2396,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.12/policy/modules/apps/gnome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.13/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/gnome.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gnome.if 2010-03-09 18:51:11.000000000 -0500
@@ -74,6 +74,24 @@
########################################
@@ -2482,7 +2424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
## manage gnome homedir content (.config)
##
##
-@@ -84,10 +102,207 @@
+@@ -84,10 +102,228 @@
#
interface(`gnome_manage_config',`
gen_require(`
@@ -2693,9 +2635,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.12/policy/modules/apps/gnome.te
++
++########################################
++##
++## Send and receive messages from
++## gconf system service over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_dbus_chat_gconfdefault',`
++ gen_require(`
++ type gconfdefaultsm_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 gconfdefaultsm_t:dbus send_msg;
++ allow gconfdefaultsm_t $1:dbus send_msg;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.13/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/gnome.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gnome.te 2010-03-09 18:51:11.000000000 -0500
@@ -7,18 +7,33 @@
#
@@ -2844,18 +2807,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+ policykit_read_lib(gnomesystemmm_t)
+ policykit_read_reload(gnomesystemmm_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.12/policy/modules/apps/gpg.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.13/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/gpg.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gpg.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,4 +1,5 @@
HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.12/policy/modules/apps/gpg.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.13/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/gpg.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gpg.if 2010-03-09 18:51:11.000000000 -0500
@@ -52,11 +52,8 @@
ifdef(`hide_broken_symptoms',`
@@ -2869,9 +2832,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.12/policy/modules/apps/gpg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.13/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/gpg.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/gpg.te 2010-03-09 18:51:11.000000000 -0500
@@ -20,6 +20,7 @@
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
application_domain(gpg_t, gpg_exec_t)
@@ -2897,7 +2860,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
allow gpg_t self:fifo_file rw_fifo_file_perms;
-@@ -130,10 +132,10 @@
+@@ -112,6 +114,7 @@
+ # sign/encrypt user files
+ userdom_manage_user_tmp_files(gpg_t)
+ userdom_manage_user_home_content_files(gpg_t)
++userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+
+ mta_write_config(gpg_t)
+
+@@ -130,10 +133,10 @@
xserver_rw_xdm_pipes(gpg_t)
')
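Review bot: The added `userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)` sits under the existing `# sign/encrypt user files` comment, but nothing states how it interacts with key material. gpg.fc in this same patch labels `HOME_DIR/\.gnupg(/.+)?` as `gpg_secret_t`, so it is worth confirming that no file gpg_t creates directly in the home directory is meant to carry that label, since this transition would presumably give it the generic home-content type instead. A short comment such as `# files gpg writes at the top of the home directory get the generic home content type; keyrings stay under ~/.gnupg` would record the intent. The transition covers only the `file` class, so directories created by gpg_t there are not affected by this line.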
@@ -2912,9 +2883,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.12/policy/modules/apps/java.fc
+@@ -184,6 +187,7 @@
+ #
+ # GPG agent local policy
+ #
++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
+
+ # rlimit: gpg-agent wants to prevent coredumps
+ allow gpg_agent_t self:process setrlimit;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.13/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/java.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/java.fc 2010-03-09 18:51:11.000000000 -0500
@@ -9,6 +9,7 @@
#
# /usr
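Review bot: The new `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` is placed directly under the `# GPG agent local policy` banner, although its source domain is gpg_t rather than gpg_agent_t. Someone auditing what gpg_t is allowed to do will read the gpg_t section and miss that it can now enter the agent domain. I would move the line up to the gpg_t rules and give it a why-comment along the lines of `# allow gpg to start gpg-agent, see <bug reference>`, worded to match whatever the denial actually showed.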
@@ -2934,9 +2913,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc
+
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.12/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.13/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/java.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/java.if 2010-03-09 18:51:11.000000000 -0500
@@ -72,6 +72,7 @@
domain_interactive_fd($1_java_t)
@@ -2962,9 +2941,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.12/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.13/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/java.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/java.te 2010-03-09 18:51:11.000000000 -0500
@@ -147,6 +147,14 @@
init_dbus_chat_script(unconfined_java_t)
@@ -2980,21 +2959,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+ rpm_domtrans(unconfined_java_t)
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.12/policy/modules/apps/kdumpgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.13/policy/modules/apps/kdumpgui.fc
--- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.12/policy/modules/apps/kdumpgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.13/policy/modules/apps/kdumpgui.if
--- nsaserefpolicy/policy/modules/apps/kdumpgui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-kdump policy
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.12/policy/modules/apps/kdumpgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.13/policy/modules/apps/kdumpgui.te
--- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/kdumpgui.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/kdumpgui.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,68 @@
+policy_module(kdumpgui,1.0.0)
+
@@ -3064,15 +3043,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
+optional_policy(`
+ policykit_dbus_chat(kdumpgui_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.12/policy/modules/apps/livecd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.13/policy/modules/apps/livecd.fc
--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/livecd.fc 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/livecd.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.12/policy/modules/apps/livecd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.13/policy/modules/apps/livecd.if
--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/livecd.if 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/livecd.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,52 @@
+
+## policy for livecd
@@ -3126,9 +3105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
+ usermanage_run_chfn(livecd_t, $2)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.12/policy/modules/apps/livecd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.13/policy/modules/apps/livecd.te
--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/livecd.te 2010-03-05 17:18:51.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/livecd.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,27 @@
+policy_module(livecd, 1.0.0)
+
@@ -3157,9 +3136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
+
+seutil_domtrans_setfiles_mac(livecd_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.12/policy/modules/apps/loadkeys.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.13/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/loadkeys.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/loadkeys.if 2010-03-09 18:51:11.000000000 -0500
@@ -17,6 +17,9 @@
corecmd_search_bin($1)
@@ -3170,9 +3149,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.12/policy/modules/apps/loadkeys.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.13/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/loadkeys.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/loadkeys.te 2010-03-09 18:51:11.000000000 -0500
@@ -40,8 +40,12 @@
miscfiles_read_localization(loadkeys_t)
@@ -3187,9 +3166,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control(loadkeys_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.12/policy/modules/apps/mono.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.13/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/mono.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/mono.if 2010-03-09 18:51:11.000000000 -0500
@@ -40,10 +40,10 @@
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
@@ -3202,9 +3181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.12/policy/modules/apps/mozilla.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.13/policy/modules/apps/mozilla.fc
--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/mozilla.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/mozilla.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,6 +1,7 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -3221,9 +3200,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.12/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.13/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/mozilla.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/mozilla.if 2010-03-09 18:51:11.000000000 -0500
@@ -48,6 +48,12 @@
mozilla_dbus_chat($2)
@@ -3269,9 +3248,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+ allow $1 mozilla_home_t:file execmod;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.12/policy/modules/apps/mozilla.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.13/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/mozilla.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/mozilla.te 2010-03-09 18:51:11.000000000 -0500
@@ -91,6 +91,7 @@
corenet_raw_sendrecv_generic_node(mozilla_t)
corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3330,9 +3309,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+optional_policy(`
thunderbird_domtrans(mozilla_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.12/policy/modules/apps/nsplugin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.13/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,10 @@
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -3344,9 +3323,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.12/policy/modules/apps/nsplugin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.13/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,355 @@
+
+## policy for nsplugin
@@ -3703,9 +3682,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ allow $1 nsplugin_t:sem rw_sem_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.12/policy/modules/apps/nsplugin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/nsplugin.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/nsplugin.te 2010-03-10 09:44:06.000000000 -0500
@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4003,16 +3982,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.12/policy/modules/apps/openoffice.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.13/policy/modules/apps/openoffice.fc
--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/openoffice.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/openoffice.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.12/policy/modules/apps/openoffice.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.13/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/openoffice.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/openoffice.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,92 @@
+## Openoffice
+
@@ -4106,9 +4085,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.12/policy/modules/apps/openoffice.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.13/policy/modules/apps/openoffice.te
--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/openoffice.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/openoffice.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,11 @@
+
+policy_module(openoffice, 1.0.0)
@@ -4121,9 +4100,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
+type openoffice_t;
+type openoffice_exec_t;
+application_domain(openoffice_t, openoffice_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.12/policy/modules/apps/podsleuth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.13/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/podsleuth.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/podsleuth.te 2010-03-09 18:51:11.000000000 -0500
@@ -50,6 +50,7 @@
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
@@ -4147,9 +4126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
optional_policy(`
dbus_system_bus_client(podsleuth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.12/policy/modules/apps/ptchown.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.13/policy/modules/apps/ptchown.if
--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/ptchown.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/ptchown.if 2010-03-09 18:51:11.000000000 -0500
@@ -18,3 +18,27 @@
domtrans_pattern($1, ptchown_exec_t, ptchown_t)
')
@@ -4178,9 +4157,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.
+ ptchown_domtrans($1)
+ role $2 types ptchown_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.12/policy/modules/apps/ptchown.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.7.13/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/ptchown.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/ptchown.te 2010-03-09 18:51:11.000000000 -0500
@@ -24,6 +24,7 @@
fs_rw_anon_inodefs_files(ptchown_t)
@@ -4189,9 +4168,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.
term_setattr_all_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
term_use_ptmx(ptchown_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.12/policy/modules/apps/pulseaudio.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.13/policy/modules/apps/pulseaudio.fc
--- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1 +1,9 @@
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
@@ -4202,9 +4181,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.12/policy/modules/apps/pulseaudio.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.13/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.if 2010-03-09 18:51:11.000000000 -0500
@@ -29,7 +29,7 @@
ps_process_pattern($2, pulseaudio_t)
@@ -4308,9 +4287,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
- allow $1 pulseaudio_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.12/policy/modules/apps/pulseaudio.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.13/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/pulseaudio.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/pulseaudio.te 2010-03-09 18:51:11.000000000 -0500
@@ -8,24 +8,52 @@
type pulseaudio_t;
@@ -4399,9 +4378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.12/policy/modules/apps/qemu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.13/policy/modules/apps/qemu.if
--- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/qemu.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/qemu.if 2010-03-09 18:51:11.000000000 -0500
@@ -127,12 +127,14 @@
template(`qemu_role',`
gen_require(`
@@ -4490,9 +4469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.12/policy/modules/apps/qemu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.13/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/qemu.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/qemu.te 2010-03-09 18:51:11.000000000 -0500
@@ -50,6 +50,8 @@
#
# qemu local policy
@@ -4523,20 +4502,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.12/policy/modules/apps/sambagui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.13/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/sambagui.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/sambagui.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.12/policy/modules/apps/sambagui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.13/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/sambagui.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/sambagui.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,2 @@
+## system-config-samba policy
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.12/policy/modules/apps/sambagui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.13/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/sambagui.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/sambagui.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,66 @@
+policy_module(sambagui,1.0.0)
+
@@ -4604,14 +4583,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+optional_policy(`
+ policykit_dbus_chat(sambagui_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.12/policy/modules/apps/sandbox.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.13/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/sandbox.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/sandbox.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.12/policy/modules/apps/sandbox.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.13/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/sandbox.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/sandbox.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,248 @@
+
+## policy for sandbox
@@ -4861,9 +4840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ allow $1 sandbox_file_type:dir list_dir_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.12/policy/modules/apps/sandbox.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.13/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/sandbox.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/sandbox.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,365 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
@@ -5230,9 +5209,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+optional_policy(`
+ hal_dbus_chat(sandbox_net_client_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.12/policy/modules/apps/screen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.13/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/screen.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/screen.if 2010-03-09 18:51:11.000000000 -0500
@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
@@ -5241,9 +5220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.12/policy/modules/apps/seunshare.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.13/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/seunshare.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/seunshare.if 2010-03-09 18:51:11.000000000 -0500
@@ -2,59 +2,14 @@
########################################
@@ -5341,9 +5320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ dontaudit $1_seunshare_t $3:socket_class_set { read write };
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.12/policy/modules/apps/seunshare.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.13/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/seunshare.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/seunshare.te 2010-03-09 18:51:11.000000000 -0500
@@ -6,40 +6,39 @@
# Declarations
#
@@ -5402,9 +5381,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ mozilla_dontaudit_manage_user_home_files(seunshare_domain)
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.12/policy/modules/apps/slocate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.13/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/slocate.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/slocate.te 2010-03-09 18:51:11.000000000 -0500
@@ -30,6 +30,7 @@
manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
@@ -5421,9 +5400,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
# getpwnam
auth_use_nsswitch(locate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.12/policy/modules/apps/vmware.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.13/policy/modules/apps/vmware.if
--- nsaserefpolicy/policy/modules/apps/vmware.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/vmware.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/vmware.if 2010-03-09 18:51:11.000000000 -0500
@@ -84,3 +84,22 @@
logging_search_logs($1)
append_files_pattern($1, vmware_log_t, vmware_log_t)
@@ -5447,9 +5426,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
+ can_exec($1, vmware_host_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.12/policy/modules/apps/vmware.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.13/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/vmware.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/vmware.te 2010-03-10 09:53:01.000000000 -0500
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -5461,21 +5440,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
type vmware_host_pid_t alias vmware_var_run_t;
files_pid_file(vmware_host_pid_t)
-@@ -80,6 +84,11 @@
+@@ -79,6 +83,12 @@
+
# cjp: the ro and rw files should be split up
manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
-
++manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
++
+manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
+files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
-+
+
manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
- files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.12/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.13/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/wine.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/wine.if 2010-03-09 18:51:11.000000000 -0500
@@ -35,6 +35,8 @@
role $1 types wine_t;
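Review bot: The added `manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)` lets the daemon create, rename and remove symlinks in its own configuration tree, directly under the existing note that the ro and rw files should be split up. If vmware_host_t only has to follow links there, `read_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)` would be the narrower grant. If it really does create them, a one-line comment such as `# vmware-host (re)creates symlinks under its config directory` would record why the wider permission is needed. The rest of the vmware_host_t local policy is outside this hunk, so the need for write access could not be checked from here.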
@@ -5501,9 +5481,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
optional_policy(`
xserver_role($1_r, $1_wine_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.12/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.13/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/apps/wine.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/wine.te 2010-03-09 18:51:11.000000000 -0500
@@ -1,6 +1,14 @@
policy_module(wine, 1.6.1)
@@ -5534,9 +5514,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
files_execmod_all_files(wine_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.12/policy/modules/apps/wm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.13/policy/modules/apps/wm.if
--- nsaserefpolicy/policy/modules/apps/wm.if 2009-07-27 18:11:17.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/apps/wm.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/apps/wm.if 2010-03-09 18:51:11.000000000 -0500
@@ -30,6 +30,7 @@
template(`wm_role_template',`
gen_require(`
@@ -5586,9 +5566,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.12/policy/modules/kernel/corecommands.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/corecommands.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/corecommands.fc 2010-03-09 18:51:11.000000000 -0500
@@ -147,6 +147,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5621,9 +5601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.12/policy/modules/kernel/corecommands.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.13/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/corecommands.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/corecommands.if 2010-03-09 18:51:11.000000000 -0500
@@ -931,6 +931,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -5640,9 +5620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.12/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/corenetwork.te.in 2010-03-07 10:13:31.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.13/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-08 14:49:44.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/corenetwork.te.in 2010-03-09 18:51:11.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5670,22 +5650,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,13 +114,13 @@
- network_port(howl, tcp,5335,s0, udp,5353,s0)
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
- network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
--network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010) # 8118 is for privoxy
-+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
- network_port(i18n_input, tcp,9010,s0)
- network_port(imaze, tcp,5323,s0, udp,5323,s0)
- network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
- network_port(innd, tcp,119,s0)
- network_port(ipmi, udp,623,s0, udp,664,s0)
--network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,20, udp,8610-8614,s0)
-+network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
- network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
- network_port(ircd, tcp,6667,s0)
- network_port(isakmp, udp,500,s0)
@@ -131,12 +136,14 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
@@ -5744,19 +5708,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
-@@ -200,7 +217,8 @@
+@@ -200,7 +217,7 @@
network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virt_migration, tcp,49152-49216,s0)
-network_port(vnc, tcp,5900,s0)
-+# Reserve 100 ports for vnc/virt machines
-+network_port(vnc, tcp,5901-5999,s0)
++network_port(vnc, tcp,5900-5999,s0)
network_port(wccp, udp,2048,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
network_port(xdmcp, udp,177,s0, tcp,177,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.12/policy/modules/kernel/devices.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.13/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/devices.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/devices.fc 2010-03-09 18:51:11.000000000 -0500
@@ -108,6 +108,7 @@
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
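Review bot: The comment `# Reserve 100 ports for vnc/virt machines` is dropped in the same change that widens the range to `network_port(vnc, tcp,5900-5999,s0)`, which is the point where it becomes accurate (5900 through 5999 is exactly 100 ports). I would keep it above the `network_port(vnc, ...)` line. With a range this wide, any domain granted access to the vnc port type is granted it for all of those ports, and a reader auditing port labels should be able to see that this is deliberate.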
@@ -5765,9 +5728,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.12/policy/modules/kernel/devices.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/devices.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/devices.if 2010-03-09 18:51:11.000000000 -0500
@@ -934,6 +934,42 @@
########################################
@@ -5836,9 +5799,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.12/policy/modules/kernel/devices.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.13/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/devices.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/devices.te 2010-03-09 18:51:11.000000000 -0500
@@ -239,6 +239,12 @@
dev_node(usb_device_t)
@@ -5859,9 +5822,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.12/policy/modules/kernel/domain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.13/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/domain.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/domain.if 2010-03-09 18:51:11.000000000 -0500
+@@ -611,7 +611,7 @@
+
+ ########################################
+ ##
+-## Get the attributes of all domains of all domains.
++## Get the attributes of all domains.
+ ##
+ ##
+ ##
+@@ -630,7 +630,7 @@
+
+ ########################################
+ ##
+-## Get the attributes of all domains of all domains.
++## Dontaudit geting the attributes of all domains.
+ ##
+ ##
+ ##
@@ -831,6 +831,42 @@
########################################
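Review bot: The new summary line `## Dontaudit geting the attributes of all domains.` contains a typo and should read `## Dontaudit getting the attributes of all domains.`. The two interfaces whose summaries are corrected here have their bodies outside the hunk, so I could not confirm from this view that the second one is the dontaudit variant. It is worth checking the wording against the rule it documents, so that nobody mistakes an audit-suppression interface for an allow.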
@@ -6063,9 +6044,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+
+ dontaudit $1 domain:socket_class_set { read write };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.12/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/kernel/domain.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/domain.te 2010-03-09 18:51:11.000000000 -0500
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6234,9 +6215,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ userdom_relabelto_user_home_dirs(polydomain)
+ userdom_relabelto_user_home_files(polydomain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.12/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.13/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/kernel/files.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/files.fc 2010-03-09 18:51:11.000000000 -0500
@@ -18,6 +18,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -6308,9 +6289,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.12/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.13/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/files.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/files.if 2010-03-09 18:51:11.000000000 -0500
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6876,7 +6857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+##
+##
+#
-+interface(`files_manage_root',`
++interface(`files_manage_root_files',`
+ gen_require(`
+ type root_t;
+ ')
@@ -7067,9 +7048,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.12/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.13/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/files.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/files.te 2010-03-09 18:51:11.000000000 -0500
@@ -12,6 +12,7 @@
attribute mountpoint;
attribute pidfile;
@@ -7102,9 +7083,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.12/policy/modules/kernel/filesystem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.13/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/filesystem.if 2010-03-07 08:32:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/filesystem.if 2010-03-09 18:51:11.000000000 -0500
@@ -929,7 +929,7 @@
type cifs_t;
')
@@ -7177,10 +7158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Search inotifyfs filesystem.
##
##
-@@ -1672,6 +1721,24 @@
+@@ -1668,6 +1717,25 @@
+ ')
- ########################################
- ##
+ allow $1 inotifyfs_t:dir list_dir_perms;
++ fs_read_anon_inodefs_files($1)
++')
++
++########################################
++##
+## Dontaudit List inotifyfs filesystem.
+##
+##
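Review bot: The added `fs_read_anon_inodefs_files($1)` sits in the interface body next to `allow $1 inotifyfs_t:dir list_dir_perms;`, so every domain that calls this interface to list inotifyfs now also gains read access to anon_inodefs files. The interface summary does not mention that grant. Either extend the summary so the grant is visible in the generated interface documentation, for example `## List inotifyfs filesystem and read anon_inodefs files.`, or drop the line and call `fs_read_anon_inodefs_files()` explicitly from the domains that need it. The interface's name and `gen_require` block are outside this hunk, so the set of affected callers cannot be checked from here.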
@@ -7195,14 +7181,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
- ## Mount an iso9660 filesystem, which
- ## is usually used on CDs.
- ##
-@@ -2070,7 +2137,7 @@
+ ')
+
+ ########################################
+@@ -2070,7 +2138,7 @@
type nfs_t;
')
@@ -7211,7 +7193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
########################################
-@@ -2092,6 +2159,25 @@
+@@ -2092,6 +2160,25 @@
read_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -7237,7 +7219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#########################################
##
## Read named sockets on a NFS filesystem.
-@@ -3481,6 +3567,24 @@
+@@ -3481,6 +3568,24 @@
########################################
##
@@ -7262,7 +7244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Read and write generic tmpfs files.
##
##
-@@ -3707,6 +3811,24 @@
+@@ -3707,6 +3812,24 @@
########################################
##
@@ -7287,7 +7269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Mount a XENFS filesystem.
##
##
-@@ -4216,3 +4338,214 @@
+@@ -4216,3 +4339,214 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -7502,9 +7484,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+ dontaudit $1 filesystem_type:file rw_inherited_file_perms;
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.12/policy/modules/kernel/filesystem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/filesystem.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/filesystem.te 2010-03-09 18:51:11.000000000 -0500
@@ -29,6 +29,7 @@
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
@@ -7562,9 +7544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#
# nfs_t is the default type for NFS file systems
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.12/policy/modules/kernel/kernel.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.13/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/kernel.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/kernel.if 2010-03-09 18:51:11.000000000 -0500
@@ -144,6 +144,24 @@
########################################
@@ -7698,9 +7680,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
+ allow $1 kernel_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.12/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.13/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-03-04 08:02:45.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/kernel.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/kernel.te 2010-03-09 18:51:11.000000000 -0500
@@ -64,6 +64,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -7775,9 +7757,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
########################################
#
# Unlabeled process local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.12/policy/modules/kernel/selinux.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.13/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/kernel/selinux.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/selinux.if 2010-03-09 18:51:11.000000000 -0500
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -7835,9 +7817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
+ fs_type($1)
+ mls_trusted_object($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.12/policy/modules/kernel/terminal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.13/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/kernel/terminal.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/kernel/terminal.if 2010-03-09 18:51:11.000000000 -0500
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -7878,9 +7860,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.12/policy/modules/roles/auditadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.13/policy/modules/roles/auditadm.te
--- nsaserefpolicy/policy/modules/roles/auditadm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/roles/auditadm.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/auditadm.te 2010-03-09 18:51:11.000000000 -0500
@@ -33,6 +33,8 @@
seutil_run_runinit(auditadm_t, auditadm_r)
seutil_read_bin_policy(auditadm_t)
@@ -7890,25 +7872,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad
optional_policy(`
consoletype_exec(auditadm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.12/policy/modules/roles/guest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.13/policy/modules/roles/guest.te
--- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/guest.te 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(guest, 1.0.1)
-+policy_module(guest, 1.0.0)
-
- ########################################
- #
++++ serefpolicy-3.7.13/policy/modules/roles/guest.te 2010-03-09 18:51:11.000000000 -0500
@@ -23,4 +23,4 @@
mono_role_template(guest, guest_r, guest_t)
')
-#gen_user(guest_u,, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.12/policy/modules/roles/staff.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.13/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-17 14:07:02.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/staff.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/staff.te 2010-03-09 18:51:11.000000000 -0500
@@ -10,11 +10,26 @@
userdom_unpriv_user_template(staff)
@@ -8084,9 +8059,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+optional_policy(`
+ virt_stream_connect(staff_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.12/policy/modules/roles/sysadm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.13/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/sysadm.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/sysadm.te 2010-03-09 18:51:11.000000000 -0500
@@ -15,7 +15,7 @@
role sysadm_r;
@@ -8438,9 +8413,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
+
+init_script_role_transition(sysadm_r)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.12/policy/modules/roles/unconfineduser.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.13/policy/modules/roles/unconfineduser.fc
--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,10 @@
+# Add programs here which should not be confined by SELinux
+# e.g.:
@@ -8452,9 +8427,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.12/policy/modules/roles/unconfineduser.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.13/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,667 @@
+## Unconfiend user role
+
@@ -9123,9 +9098,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
+ allow $1 unconfined_r;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.12/policy/modules/roles/unconfineduser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/unconfineduser.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,433 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -9560,9 +9535,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.12/policy/modules/roles/unprivuser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.13/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/unprivuser.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/unprivuser.te 2010-03-09 18:51:11.000000000 -0500
@@ -13,6 +13,7 @@
userdom_unpriv_user_template(user)
@@ -9606,9 +9581,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
+optional_policy(`
+ setroubleshoot_dontaudit_stream_connect(user_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.12/policy/modules/roles/xguest.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.13/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/roles/xguest.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/roles/xguest.te 2010-03-09 18:51:11.000000000 -0500
@@ -15,7 +15,7 @@
##
@@ -9725,9 +9700,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.12/policy/modules/services/abrt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.13/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/abrt.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/abrt.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,11 +1,17 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -9747,9 +9722,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrt\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.12/policy/modules/services/abrt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.13/policy/modules/services/abrt.if
--- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/abrt.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/abrt.if 2010-03-09 18:51:11.000000000 -0500
@@ -19,6 +19,28 @@
domtrans_pattern($1, abrt_exec_t, abrt_t)
')
@@ -9914,9 +9889,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
#####################################
##
## All of the rules required to administrate
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.12/policy/modules/services/abrt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.13/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/abrt.te 2010-03-07 08:57:09.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/abrt.te 2010-03-10 10:19:23.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -9964,7 +9939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,25 +90,39 @@
+@@ -75,25 +90,40 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -10007,11 +9982,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+fs_read_fusefs_files(abrt_t)
+fs_read_noxattr_fs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
++fs_read_nfs_symlinks(abrt_t)
+fs_search_all(abrt_t)
sysnet_read_config(abrt_t)
-@@ -103,22 +132,98 @@
+@@ -103,22 +133,98 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
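Review bot: The new `fs_read_nfs_symlinks(abrt_t)` is an unconditional grant with no comment saying which abrt operation needs to follow symlinks on NFS. It joins `fs_read_nfs_files(abrt_t)`, `fs_read_fusefs_files(abrt_t)` and `fs_search_all(abrt_t)`, which are unconditional as well. Link targets on a network export are chosen by whoever can write to that export, so the reason for the grant should be recorded next to it, for example `# abrt follows symlinks on NFS while collecting crash data (TODO confirm against the AVC this fixes)`. If only some deployments need it, wrapping the NFS and FUSE reads in a `tunable_policy` block would keep the default policy tighter. The rest of the abrt_t rule block lies outside this hunk.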
@@ -10117,9 +10093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
+ dev_dontaudit_write_all_blk_files(abrt_helper_t)
+ fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.12/policy/modules/services/afs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.13/policy/modules/services/afs.if
--- nsaserefpolicy/policy/modules/services/afs.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/afs.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/afs.if 2010-03-09 18:51:11.000000000 -0500
@@ -94,7 +94,7 @@
#
interface(`afs_admin',`
@@ -10129,9 +10105,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
')
allow $1 afs_t:process { ptrace signal_perms getattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.12/policy/modules/services/afs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.13/policy/modules/services/afs.te
--- nsaserefpolicy/policy/modules/services/afs.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/afs.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/afs.te 2010-03-09 18:51:11.000000000 -0500
@@ -71,8 +71,8 @@
# afs client local policy
#
@@ -10152,18 +10128,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
########################################
#
# AFS bossserver local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.12/policy/modules/services/aiccu.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.13/policy/modules/services/aiccu.fc
--- nsaserefpolicy/policy/modules/services/aiccu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/aiccu.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/aiccu.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,5 @@
+
+/usr/sbin/aiccu -- gen_context(system_u:object_r:aiccu_exec_t,s0)
+
+/etc/rc\.d/init\.d/aiccu -- gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
+/var/run/aiccu.pid -- gen_context(system_u:object_r:aiccu_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.12/policy/modules/services/aiccu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.13/policy/modules/services/aiccu.if
--- nsaserefpolicy/policy/modules/services/aiccu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/aiccu.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/aiccu.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,119 @@
+
+## policy for aiccu
@@ -10284,9 +10260,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+ aiccu_manage_var_run($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.12/policy/modules/services/aiccu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.13/policy/modules/services/aiccu.te
--- nsaserefpolicy/policy/modules/services/aiccu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/aiccu.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/aiccu.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,41 @@
+policy_module(aiccu,1.0.0)
+
@@ -10329,9 +10305,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
+manage_dirs_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+manage_files_pattern(aiccu_t, aiccu_var_run_t, aiccu_var_run_t)
+files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.12/policy/modules/services/aisexec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.13/policy/modules/services/aisexec.fc
--- nsaserefpolicy/policy/modules/services/aisexec.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/aisexec.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/aisexec.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
@@ -10343,9 +10319,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.12/policy/modules/services/aisexec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.13/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/aisexec.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/aisexec.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,106 @@
+## SELinux policy for Aisexec Cluster Engine
+
@@ -10453,9 +10429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.12/policy/modules/services/aisexec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.13/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/aisexec.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/aisexec.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,115 @@
+
+policy_module(aisexec,1.0.0)
@@ -10572,9 +10548,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
+ groupd_rw_semaphores(aisexec_t)
+ groupd_rw_shm(aisexec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.12/policy/modules/services/amavis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.7.13/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/amavis.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/amavis.if 2010-03-09 18:51:11.000000000 -0500
@@ -18,30 +18,11 @@
type amavis_t, amavis_exec_t;
')
@@ -10622,9 +10598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.12/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.13/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/amavis.te 2010-03-06 10:17:14.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/amavis.te 2010-03-09 18:51:11.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(amavis, 1.10.2)
@@ -10646,9 +10622,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
sysnet_dns_name_resolve(amavis_t)
sysnet_use_ldap(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.12/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.13/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/apache.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/apache.fc 2010-03-09 18:51:11.000000000 -0500
@@ -2,12 +2,19 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -10776,9 +10752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.12/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.13/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/apache.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/apache.if 2010-03-09 18:51:11.000000000 -0500
@@ -13,21 +13,17 @@
#
template(`apache_content_template',`
@@ -11487,9 +11463,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.12/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/apache.te 2010-03-05 17:18:52.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.13/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te 2010-03-09 19:04:58.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/apache.te 2010-03-09 18:51:11.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -11547,21 +11523,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow HTTPD scripts and modules to connect to databases over the network.
##
##
-@@ -87,6 +110,13 @@
+@@ -87,10 +110,10 @@
##
##
+-## Allow httpd to manage modify performance limits
+## Allow httpd to read user content
-+##
-+##
-+gen_tunable(httpd_read_user_content, false)
-+
-+##
-+##
- ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
##
##
-@@ -94,6 +124,13 @@
+-gen_tunable(httpd_manage_limits, false)
++gen_tunable(httpd_read_user_content, false)
+
+ ##
+ ##
+@@ -101,6 +124,13 @@
##
##
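Review bot: The rebased apache.te hunk now removes upstream's `gen_tunable(httpd_manage_limits, false)` and its summary line and puts `httpd_read_user_content` in their place, whereas the previous revision of the patch only inserted the new tunable. If this came from diff alignment during the rebase rather than from intent, the `httpd_manage_limits` boolean silently disappears from the shipped policy. Any `tunable_policy` block keyed on it elsewhere in apache.te would then reference an undeclared tunable, although no such block is visible in this hunk. To fix that, leave `gen_tunable(httpd_manage_limits, false)` as context and add `gen_tunable(httpd_read_user_content, false)` with its own summary block after it. If the removal is deliberate, say so in the changelog.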
@@ -11575,7 +11550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Unify HTTPD to communicate with the terminal.
## Needed for entering the passphrase for certificates at
## the terminal.
-@@ -108,6 +145,36 @@
+@@ -115,6 +145,36 @@
##
gen_tunable(httpd_unified, false)
@@ -11612,7 +11587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -140,6 +207,9 @@
+@@ -147,6 +207,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
@@ -11622,7 +11597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -180,6 +250,10 @@
+@@ -187,6 +250,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -11633,7 +11608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -187,28 +261,28 @@
+@@ -194,28 +261,28 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
@@ -11675,7 +11650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# for apache2 memory mapped files
type httpd_var_lib_t;
-@@ -230,7 +304,7 @@
+@@ -237,7 +304,7 @@
# Apache server local policy
#
@@ -11684,7 +11659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +323,7 @@
+@@ -256,6 +323,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -11692,7 +11667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -272,6 +347,7 @@
+@@ -279,6 +347,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -11700,7 +11675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +359,9 @@
+@@ -290,9 +359,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -11713,7 +11688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,9 +377,11 @@
+@@ -308,9 +377,11 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@@ -11726,7 +11701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -312,18 +390,21 @@
+@@ -319,18 +390,21 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -11753,7 +11728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_sendrecv_http_server_packets(httpd_t)
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
-@@ -335,15 +416,15 @@
+@@ -342,15 +416,15 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -11772,7 +11747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
-@@ -358,6 +439,10 @@
+@@ -365,6 +439,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -11783,7 +11758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_read_lib_files(httpd_t)
-@@ -372,18 +457,33 @@
+@@ -379,18 +457,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -11804,7 +11779,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+##
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
@@ -11815,13 +11791,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+##
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
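Review bot: The block that follows `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` is now opened by an added `` tunable_policy(`allow_httpd_mod_auth_pam',` `` line, so `samba_domtrans_winbind_helper(httpd_t)` appears to be conditioned on the PAM boolean rather than on the winbind boolean declared directly above it. If that reading is right, enabling `allow_httpd_mod_auth_pam` also lets httpd_t transition into the winbind helper domain, and `allow_httpd_mod_auth_ntlm_winbind` gates nothing in this block. The condition should probably be `` tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ``, leaving the PAM boolean on the `auth_domtrans_chkpwd(httpd_t)` block in the preceding hunk. Only fragments of apache.te are visible around these lines, so confirm against the full patched file.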
-@@ -391,32 +491,71 @@
+@@ -398,32 +491,71 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -11898,7 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -424,11 +563,23 @@
+@@ -431,14 +563,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -11913,16 +11888,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
fs_read_cifs_symlinks(httpd_t)
')
+-tunable_policy(`httpd_manage_limits',`
+- allow httpd_t self:capability sys_resource;
+- allow httpd_t self:process setrlimit;
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
-+')
-+
+ ')
+
tunable_policy(`httpd_ssi_exec',`
- corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
- allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,7 +602,18 @@
+@@ -463,7 +602,18 @@
')
optional_policy(`
@@ -11941,7 +11917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -463,8 +625,24 @@
+@@ -475,8 +625,24 @@
')
optional_policy(`
@@ -11968,7 +11944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -472,22 +650,19 @@
+@@ -484,22 +650,19 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@@ -11994,7 +11970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -498,12 +673,23 @@
+@@ -510,12 +673,23 @@
')
optional_policy(`
@@ -12018,7 +11994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -512,6 +698,11 @@
+@@ -524,6 +698,11 @@
')
optional_policy(`
@@ -12030,7 +12006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -539,6 +730,23 @@
+@@ -551,6 +730,23 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -12054,7 +12030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -568,20 +776,32 @@
+@@ -580,20 +776,32 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -12093,7 +12069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -599,23 +819,24 @@
+@@ -611,23 +819,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -12122,7 +12098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +849,7 @@
+@@ -640,6 +849,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -12130,7 +12106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -635,22 +857,31 @@
+@@ -647,22 +857,31 @@
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -12169,7 +12145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -676,16 +907,16 @@
+@@ -688,16 +907,16 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -12190,7 +12166,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -700,15 +931,29 @@
+@@ -712,15 +931,29 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -12222,7 +12198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -716,6 +961,35 @@
+@@ -728,6 +961,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -12258,7 +12234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -728,6 +1002,10 @@
+@@ -740,6 +1002,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12269,7 +12245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -739,6 +1017,8 @@
+@@ -751,6 +1017,8 @@
# httpd_rotatelogs local policy
#
@@ -12278,7 +12254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -758,11 +1038,88 @@
+@@ -770,11 +1038,88 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -12298,12 +12274,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
- ')
++')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
-+')
+ ')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
@@ -12370,168 +12346,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.7.12/policy/modules/services/apcupsd.if
---- nsaserefpolicy/policy/modules/services/apcupsd.if 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/apcupsd.if 2010-03-05 17:18:52.000000000 -0500
-@@ -15,30 +15,11 @@
- type apcupsd_t, apcupsd_exec_t;
- ')
-
-- corecmd_search_bin($1)
- domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
- ')
-
- ########################################
- ##
--## Execute apcupsd server in the apcupsd domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`apcupsd_initrc_domtrans',`
-- gen_require(`
-- type apcupsd_initrc_exec_t;
-- ')
--
-- init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
--')
--
--########################################
--##
- ## Read apcupsd PID files.
- ##
- ##
-@@ -113,11 +94,6 @@
- type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
- ')
-
-- optional_policy(`
-- apache_search_sys_content($1)
-- ')
--
-- files_search_var($1)
- domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
- ')
-
-@@ -142,14 +118,13 @@
- gen_require(`
- type apcupsd_t, apcupsd_tmp_t;
- type apcupsd_log_t, apcupsd_lock_t;
-- type apcupsd_var_run_t;
-- type apcupsd_initrc_exec_t;
-+ type apcupsd_var_run_t, apcupsd_initrc_exec_t;
- ')
-
- allow $1 apcupsd_t:process { ptrace signal_perms };
- ps_process_pattern($1, apcupsd_t)
-
-- apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
-+ init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 apcupsd_initrc_exec_t system_r;
- allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.12/policy/modules/services/apcupsd.te
---- nsaserefpolicy/policy/modules/services/apcupsd.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/apcupsd.te 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(apcupsd, 1.6.1)
-+policy_module(apcupsd, 1.6.0)
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.12/policy/modules/services/apm.te
---- nsaserefpolicy/policy/modules/services/apm.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/apm.te 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(apm, 1.10.2)
-+policy_module(apm, 1.10.1)
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.if serefpolicy-3.7.12/policy/modules/services/arpwatch.if
---- nsaserefpolicy/policy/modules/services/arpwatch.if 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/arpwatch.if 2010-03-05 17:18:52.000000000 -0500
-@@ -2,24 +2,6 @@
-
- ########################################
- ##
--## Execute arpwatch server in the arpwatch domain.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`arpwatch_initrc_domtrans',`
-- gen_require(`
-- type arpwatch_initrc_exec_t;
-- ')
--
-- init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
--')
--
--########################################
--##
- ## Search arpwatch's data file directories.
- ##
- ##
-@@ -33,7 +15,6 @@
- type arpwatch_data_t;
- ')
-
-- files_search_var_lib($1)
- allow $1 arpwatch_data_t:dir search_dir_perms;
- ')
-
-@@ -52,7 +33,6 @@
- type arpwatch_data_t;
- ')
-
-- files_search_var_lib($1)
- manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
- ')
-
-@@ -71,7 +51,6 @@
- type arpwatch_tmp_t;
- ')
-
-- files_search_tmp($1)
- allow $1 arpwatch_tmp_t:file rw_file_perms;
- ')
-
-@@ -90,7 +69,6 @@
- type arpwatch_tmp_t;
- ')
-
-- files_search_tmp($1)
- allow $1 arpwatch_tmp_t:file manage_file_perms;
- ')
-
-@@ -140,7 +118,7 @@
- allow $1 arpwatch_t:process { ptrace signal_perms getattr };
- ps_process_pattern($1, arpwatch_t)
-
-- arpwatch_initrc_domtrans($1)
-+ init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 arpwatch_initrc_exec_t system_r;
- allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.12/policy/modules/services/arpwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.13/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/arpwatch.te 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(arpwatch, 1.8.1)
-+policy_module(arpwatch, 1.8.0)
-
- ########################################
- #
++++ serefpolicy-3.7.13/policy/modules/services/arpwatch.te 2010-03-09 18:51:11.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -12557,90 +12374,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.12/policy/modules/services/asterisk.if
---- nsaserefpolicy/policy/modules/services/asterisk.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/asterisk.if 2010-03-05 17:18:52.000000000 -0500
-@@ -2,8 +2,28 @@
-
- #####################################
- ##
--## Connect to asterisk over a unix domain
--## stream socket.
-+## Connect to asterisk over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`asterisk_stream_connect',`
-+ gen_require(`
-+ type asterisk_t, asterisk_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## asterisk lib files.
- ##
- ##
- ##
-@@ -11,18 +31,18 @@
- ##
- ##
- #
--interface(`asterisk_stream_connect',`
-+interface(`asterisk_manage_lib_files',`
- gen_require(`
-- type asterisk_t, asterisk_var_run_t;
-+ type asterisk_var_lib_t;
- ')
-
-- files_search_pids($1)
-- stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
-+ manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t)
-+ files_search_var_lib($1)
- ')
-
- ########################################
- ##
--## All of the rules required to administrate
-+## All of the rules required to administrate
- ## an asterisk environment
- ##
- ##
-@@ -71,3 +91,22 @@
- files_list_pids($1)
- admin_pattern($1, asterisk_var_run_t)
- ')
-+
-+
-+######################################
-+##
-+## Execute asterisk
-+##
-+##
-+##
-+## The type of the process performing this action.
-+##
-+##
-+#
-+interface(`asterisk_exec',`
-+ gen_require(`
-+ type asterisk_exec_t;
-+ ')
-+
-+ can_exec($1, asterisk_exec_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.12/policy/modules/services/asterisk.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.13/policy/modules/services/asterisk.te
--- nsaserefpolicy/policy/modules/services/asterisk.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/asterisk.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/asterisk.te 2010-03-09 18:51:11.000000000 -0500
@@ -40,12 +40,13 @@
#
@@ -12741,18 +12477,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
+ udev_read_db(asterisk_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.12/policy/modules/services/avahi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.13/policy/modules/services/avahi.fc
--- nsaserefpolicy/policy/modules/services/avahi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/avahi.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/avahi.fc 2010-03-09 18:51:11.000000000 -0500
@@ -6,4 +6,4 @@
/var/run/avahi-daemon(/.*)? gen_context(system_u:object_r:avahi_var_run_t,s0)
-/usr/lib/avahi-autoipd(/.*) gen_context(system_u:object_r:avahi_var_lib_t,s0)
+/var/lib/avahi-autoipd(/.*)? gen_context(system_u:object_r:avahi_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.12/policy/modules/services/avahi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.13/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/avahi.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/avahi.te 2010-03-09 18:51:11.000000000 -0500
@@ -24,7 +24,7 @@
# Local policy
#
@@ -12797,9 +12533,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.12/policy/modules/services/bind.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.13/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/bind.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/bind.if 2010-03-09 18:51:11.000000000 -0500
@@ -253,7 +253,7 @@
########################################
@@ -12844,9 +12580,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
domain_system_change_exemption($1)
role_transition $2 named_initrc_exec_t system_r;
allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.12/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.13/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/bind.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/bind.te 2010-03-09 18:51:11.000000000 -0500
@@ -142,11 +142,11 @@
logging_send_syslog_msg(named_t)
@@ -12861,9 +12597,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.12/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/bluetooth.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/bluetooth.te 2010-03-09 18:51:11.000000000 -0500
@@ -96,6 +96,7 @@
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
@@ -12872,9 +12608,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.12/policy/modules/services/cachefilesd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.13/policy/modules/services/cachefilesd.fc
--- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,28 @@
+###############################################################################
+#
@@ -12904,9 +12640,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.12/policy/modules/services/cachefilesd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.13/policy/modules/services/cachefilesd.if
--- nsaserefpolicy/policy/modules/services/cachefilesd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,41 @@
+###############################################################################
+#
@@ -12949,9 +12685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+ allow cachefilesd_t $1:fifo_file rw_file_perms;
+ allow cachefilesd_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.12/policy/modules/services/cachefilesd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.13/policy/modules/services/cachefilesd.te
--- nsaserefpolicy/policy/modules/services/cachefilesd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cachefilesd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cachefilesd.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,146 @@
+###############################################################################
+#
@@ -13099,9 +12835,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cach
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.12/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.13/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ccs.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ccs.te 2010-03-09 18:51:11.000000000 -0500
@@ -114,5 +114,10 @@
')
@@ -13113,9 +12849,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.
+optional_policy(`
unconfined_use_fds(ccs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.12/policy/modules/services/certmaster.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.13/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/certmaster.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/certmaster.fc 2010-03-09 18:51:11.000000000 -0500
@@ -3,5 +3,6 @@
/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
@@ -13123,9 +12859,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+/var/lib/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_lib_t,s0)
/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.12/policy/modules/services/certmonger.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.13/policy/modules/services/certmonger.fc
--- nsaserefpolicy/policy/modules/services/certmonger.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/certmonger.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/certmonger.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
@@ -13133,9 +12869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
+/var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.12/policy/modules/services/certmonger.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.13/policy/modules/services/certmonger.if
--- nsaserefpolicy/policy/modules/services/certmonger.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/certmonger.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/certmonger.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,217 @@
+
+## Certificate status monitor and PKI enrollment client
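Review bot: The file-context entry `/var/run/certmonger.pid` leaves the dot unescaped, so the regex matches any character in that position and can label more paths than intended. The other PID entries in this patch escape it (`/var/run/clogd\.pid`, `/var/run/cachefilesd\.pid`). Writing it as `/var/run/certmonger\.pid` would match only the intended file. This line is carried over unchanged by the hunk, which only touches the diff header paths.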
@@ -13354,9 +13090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+ files_search_pids($1)
+ admin_pattern($1, cermonger_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.12/policy/modules/services/certmonger.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.13/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/certmonger.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/certmonger.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,74 @@
+policy_module(certmonger,1.0.0)
+
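Review bot: The carried-over line `admin_pattern($1, cermonger_var_run_t)` at the end of certmonger.if misspells the type, while certmonger.fc in this same patch labels the PID file `certmonger_var_run_t`. The misspelled name is presumably not declared anywhere, so the admin interface would either fail to build when it is first used or leave the PID files outside what the admin domain can manage. The line should read `admin_pattern($1, certmonger_var_run_t)`. This hunk only changes the diff header paths and the interface's gen_require block lies outside it, so check the type names declared there as well.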
@@ -13432,9 +13168,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.12/policy/modules/services/cgroup.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.13/policy/modules/services/cgroup.fc
--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cgroup.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cgroup.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
@@ -13443,9 +13179,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
+
+/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.12/policy/modules/services/cgroup.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.13/policy/modules/services/cgroup.if
--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cgroup.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cgroup.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,35 @@
+## Control group rules engine daemon.
+##
@@ -13482,9 +13218,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+ stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.12/policy/modules/services/cgroup.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.13/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cgroup.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cgroup.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,87 @@
+policy_module(cgroup, 1.0.0)
+
@@ -13573,18 +13309,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+# /mnt/cgroups/cpu
+kernel_list_unlabeled(cgconfigparser_t)
+kernel_read_system_state(cgconfigparser_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.12/policy/modules/services/chronyd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.13/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/chronyd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/chronyd.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,3 +1,5 @@
+/etc/chrony\.keys -- gen_context(system_u:object_r:chronyd_keys_t,s0)
+
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.12/policy/modules/services/chronyd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.13/policy/modules/services/chronyd.if
--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/chronyd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/chronyd.if 2010-03-09 18:51:11.000000000 -0500
@@ -77,7 +77,7 @@
gen_require(`
type chronyd_t, chronyd_var_log_t;
@@ -13603,9 +13339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
logging_search_logs($1)
admin_pattern($1, chronyd_var_log_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.12/policy/modules/services/chronyd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.13/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/chronyd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/chronyd.te 2010-03-09 18:51:11.000000000 -0500
@@ -13,6 +13,9 @@
type chronyd_initrc_exec_t;
init_script_file(chronyd_initrc_exec_t)
@@ -13654,9 +13390,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
+optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.12/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.13/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/clamav.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/clamav.te 2010-03-09 18:51:11.000000000 -0500
@@ -57,6 +57,7 @@
#
@@ -13680,17 +13416,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.12/policy/modules/services/clogd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.13/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/clogd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/clogd.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0)
+
+/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.12/policy/modules/services/clogd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.13/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/clogd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/clogd.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,82 @@
+## clogd - clustered mirror log server
+
@@ -13774,9 +13510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+ fs_search_tmpfs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.12/policy/modules/services/clogd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.13/policy/modules/services/clogd.te
--- nsaserefpolicy/policy/modules/services/clogd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/clogd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/clogd.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,65 @@
+
+policy_module(clogd,1.0.0)
@@ -13843,9 +13579,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.12/policy/modules/services/cobbler.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.13/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cobbler.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cobbler.if 2010-03-09 18:51:11.000000000 -0500
@@ -173,9 +173,11 @@
files_list_var_lib($1)
admin_pattern($1, cobbler_var_lib_t)
@@ -13859,9 +13595,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
cobblerd_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 cobblerd_initrc_exec_t system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.12/policy/modules/services/cobbler.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.13/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cobbler.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cobbler.te 2010-03-09 18:51:11.000000000 -0500
@@ -40,6 +40,7 @@
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -13892,9 +13628,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.12/policy/modules/services/consolekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.13/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/consolekit.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/consolekit.fc 2010-03-09 18:51:11.000000000 -0500
@@ -2,4 +2,5 @@
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -13902,9 +13638,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.12/policy/modules/services/consolekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.13/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/consolekit.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/consolekit.if 2010-03-09 18:51:11.000000000 -0500
@@ -57,3 +57,42 @@
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
@@ -13948,9 +13684,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.12/policy/modules/services/consolekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.13/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/consolekit.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/consolekit.te 2010-03-09 18:51:11.000000000 -0500
@@ -16,12 +16,15 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -14036,9 +13772,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ unconfined_ptrace(consolekit_t)
unconfined_stream_connect(consolekit_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.12/policy/modules/services/corosync.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.13/policy/modules/services/corosync.fc
--- nsaserefpolicy/policy/modules/services/corosync.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/corosync.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/corosync.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,14 @@
+
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
@@ -14054,9 +13790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.12/policy/modules/services/corosync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.13/policy/modules/services/corosync.if
--- nsaserefpolicy/policy/modules/services/corosync.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/corosync.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/corosync.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,108 @@
+## SELinux policy for Corosync Cluster Engine
+
@@ -14166,9 +13902,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.12/policy/modules/services/corosync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.13/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/corosync.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/corosync.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,115 @@
+
+policy_module(corosync,1.0.0)
@@ -14285,9 +14021,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.12/policy/modules/services/cron.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.13/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/cron.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cron.fc 2010-03-09 18:51:11.000000000 -0500
@@ -14,7 +14,7 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -14305,9 +14041,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.12/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/cron.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cron.if 2010-03-09 18:51:11.000000000 -0500
@@ -12,6 +12,10 @@
##
#
@@ -14458,9 +14194,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.12/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cron.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cron.te 2010-03-09 18:51:11.000000000 -0500
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -14738,9 +14474,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.12/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.13/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/cups.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cups.fc 2010-03-09 18:51:11.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -14787,9 +14523,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.12/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.13/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/cups.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cups.te 2010-03-09 18:51:11.000000000 -0500
@@ -23,6 +23,9 @@
type cupsd_initrc_exec_t;
init_script_file(cupsd_initrc_exec_t)
@@ -15039,9 +14775,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.12/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.13/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/cvs.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cvs.te 2010-03-09 18:51:11.000000000 -0500
@@ -93,6 +93,7 @@
auth_can_read_shadow_passwords(cvs_t)
tunable_policy(`allow_cvs_read_shadow',`
@@ -15056,9 +14792,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.12/policy/modules/services/cyrus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.13/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/cyrus.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/cyrus.te 2010-03-09 18:51:11.000000000 -0500
@@ -75,6 +75,7 @@
corenet_tcp_bind_mail_port(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -15075,9 +14811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_read_snmp_var_lib_files(cyrus_t)
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.12/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/dbus.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dbus.if 2010-03-09 18:51:11.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -15213,9 +14949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.12/policy/modules/services/dbus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.13/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dbus.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dbus.te 2010-03-09 18:51:11.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -15274,9 +15010,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.12/policy/modules/services/dcc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.13/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dcc.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dcc.te 2010-03-09 18:51:11.000000000 -0500
@@ -81,7 +81,7 @@
# dcc daemon controller local policy
#
@@ -15286,9 +15022,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
allow cdcc_t self:unix_dgram_socket create_socket_perms;
allow cdcc_t self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.12/policy/modules/services/denyhosts.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.13/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/denyhosts.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/denyhosts.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
+
@@ -15297,9 +15033,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
+/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.12/policy/modules/services/denyhosts.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.13/policy/modules/services/denyhosts.if
--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/denyhosts.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/denyhosts.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,90 @@
+## Deny Hosts.
+##
@@ -15391,9 +15127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+ ps_process_pattern($1, denyhosts_t)
+ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.12/policy/modules/services/denyhosts.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.13/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/denyhosts.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/denyhosts.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,72 @@
+
+policy_module(denyhosts, 1.0.0)
@@ -15467,9 +15203,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
+optional_policy(`
+ cron_system_entry(denyhosts_t, denyhosts_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.12/policy/modules/services/devicekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.13/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/devicekit.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/devicekit.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,8 +1,12 @@
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -15484,9 +15220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
-/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/DeviceKit-disks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.12/policy/modules/services/devicekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.13/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/devicekit.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/devicekit.if 2010-03-09 18:51:11.000000000 -0500
@@ -139,6 +139,26 @@
########################################
@@ -15523,9 +15259,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.12/policy/modules/services/devicekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.13/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/devicekit.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/devicekit.te 2010-03-09 18:51:11.000000000 -0500
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -15743,9 +15479,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.12/policy/modules/services/dhcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.13/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dhcp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dhcp.te 2010-03-09 18:51:11.000000000 -0500
@@ -112,6 +112,10 @@
')
@@ -15757,9 +15493,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.12/policy/modules/services/djbdns.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.13/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/djbdns.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/djbdns.if 2010-03-09 18:51:11.000000000 -0500
@@ -26,6 +26,8 @@
daemontools_read_svc(djbdns_$1_t)
@@ -15809,9 +15545,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+ allow $1 djbdns_tinydn_t:key link;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.12/policy/modules/services/djbdns.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.13/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/djbdns.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/djbdns.te 2010-03-09 18:51:11.000000000 -0500
@@ -42,3 +42,11 @@
files_search_var(djbdns_axfrdns_t)
@@ -15824,9 +15560,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
+
+init_dontaudit_use_script_fds(djbdns_tinydns_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.12/policy/modules/services/dnsmasq.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.13/policy/modules/services/dnsmasq.fc
--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.fc 2010-03-09 18:51:11.000000000 -0500
@@ -6,5 +6,7 @@
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -15835,9 +15571,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.12/policy/modules/services/dnsmasq.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.13/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.if 2010-03-09 18:51:11.000000000 -0500
@@ -111,7 +111,7 @@
type dnsmasq_etc_t;
')
@@ -15856,9 +15592,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.12/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dnsmasq.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dnsmasq.te 2010-03-09 18:51:11.000000000 -0500
@@ -19,6 +19,9 @@
type dnsmasq_lease_t;
files_type(dnsmasq_lease_t)
@@ -15914,9 +15650,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
seutil_sigchld_newrole(dnsmasq_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.12/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.13/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/dovecot.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dovecot.fc 2010-03-09 18:51:11.000000000 -0500
@@ -34,6 +34,7 @@
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
@@ -15925,9 +15661,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.12/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.13/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/dovecot.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/dovecot.te 2010-03-09 18:51:11.000000000 -0500
@@ -73,14 +73,21 @@
can_exec(dovecot_t, dovecot_exec_t)
@@ -16045,29 +15781,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_manage_cifs_files(dovecot_t)
fs_manage_cifs_symlinks(dovecot_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.12/policy/modules/services/exim.te
---- nsaserefpolicy/policy/modules/services/exim.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/exim.te 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(exim, 1.4.2)
-+policy_module(exim, 1.4.1)
-
- ########################################
- #
-@@ -192,9 +192,6 @@
- ')
-
- optional_policy(`
-- # https://bugzilla.redhat.com/show_bug.cgi?id=512710
-- # uses sendmail for outgoing mail and exim
-- # for incoming mail
- sendmail_manage_tmp_files(exim_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.12/policy/modules/services/fail2ban.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.13/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/fail2ban.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/fail2ban.if 2010-03-09 18:51:11.000000000 -0500
@@ -98,6 +98,46 @@
allow $1 fail2ban_var_run_t:file read_file_perms;
')
@@ -16137,9 +15853,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+
+ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.12/policy/modules/services/fetchmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.13/policy/modules/services/fetchmail.te
--- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/fetchmail.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/fetchmail.te 2010-03-09 18:51:11.000000000 -0500
@@ -48,6 +48,7 @@
kernel_dontaudit_read_system_state(fetchmail_t)
@@ -16148,9 +15864,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
corenet_all_recvfrom_unlabeled(fetchmail_t)
corenet_all_recvfrom_netlabel(fetchmail_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.12/policy/modules/services/fprintd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.13/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/fprintd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/fprintd.te 2010-03-09 18:51:11.000000000 -0500
@@ -55,4 +55,6 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -16158,9 +15874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
+ policykit_dbus_chat_auth(fprintd_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.12/policy/modules/services/ftp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.13/policy/modules/services/ftp.fc
--- nsaserefpolicy/policy/modules/services/ftp.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ftp.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ftp.fc 2010-03-09 18:51:11.000000000 -0500
@@ -22,7 +22,7 @@
#
# /var
@@ -16170,9 +15886,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.12/policy/modules/services/ftp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.13/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ftp.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ftp.if 2010-03-09 18:51:11.000000000 -0500
@@ -115,6 +115,44 @@
role $2 types ftpdctl_t;
')
@@ -16218,9 +15934,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
##
## All of the rules required to administrate
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.12/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.13/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ftp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ftp.te 2010-03-09 18:51:11.000000000 -0500
@@ -41,11 +41,51 @@
##
@@ -16469,9 +16185,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
+ fs_read_nfs_files(sftpd_t)
+ fs_read_nfs_symlinks(ftpd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.12/policy/modules/services/git.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.13/policy/modules/services/git.fc
--- nsaserefpolicy/policy/modules/services/git.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/git.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/git.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,3 +1,16 @@
-/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -16492,9 +16208,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t, s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.12/policy/modules/services/git.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.13/policy/modules/services/git.if
--- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/git.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/git.if 2010-03-09 18:51:11.000000000 -0500
@@ -1 +1,535 @@
-## GIT revision control system
+## Git - Fast Version Control System.
@@ -17032,9 +16748,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+ userdom_search_user_home_dirs($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.12/policy/modules/services/git.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.13/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/git.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/git.te 2010-03-09 18:51:11.000000000 -0500
@@ -1,9 +1,182 @@
-policy_module(git, 1.0)
@@ -17221,9 +16937,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
-apache_content_template(git)
+#git_role_template(git_shell)
+#gen_user(git_shell_u, user, git_shell_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.12/policy/modules/services/gpsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.13/policy/modules/services/gpsd.te
--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/gpsd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/gpsd.te 2010-03-09 18:51:11.000000000 -0500
@@ -25,7 +25,7 @@
# gpsd local policy
#
@@ -17233,9 +16949,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
allow gpsd_t self:process setsched;
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.12/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/hal.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/hal.te 2010-03-09 18:51:11.000000000 -0500
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -17348,9 +17064,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Local hald dccm policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.12/policy/modules/services/howl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.13/policy/modules/services/howl.te
--- nsaserefpolicy/policy/modules/services/howl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/howl.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/howl.te 2010-03-09 18:51:11.000000000 -0500
@@ -30,7 +30,7 @@
kernel_read_network_state(howl_t)
@@ -17360,9 +17076,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.12/policy/modules/services/icecast.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.13/policy/modules/services/icecast.fc
--- nsaserefpolicy/policy/modules/services/icecast.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/icecast.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/icecast.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
@@ -17371,9 +17087,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.12/policy/modules/services/icecast.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.13/policy/modules/services/icecast.if
--- nsaserefpolicy/policy/modules/services/icecast.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/icecast.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/icecast.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,199 @@
+
+## ShoutCast compatible streaming media server
@@ -17574,9 +17290,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+ icecast_manage_log($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.12/policy/modules/services/icecast.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.13/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/icecast.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/icecast.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,59 @@
+policy_module(icecast,1.0.0)
+
@@ -17637,9 +17353,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
+optional_policy(`
+ rtkit_daemon_system_domain(icecast_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.12/policy/modules/services/inn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.13/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/inn.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/inn.te 2010-03-09 18:51:11.000000000 -0500
@@ -106,6 +106,7 @@
userdom_dontaudit_use_unpriv_user_fds(innd_t)
@@ -17648,9 +17364,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.
mta_send_mail(innd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.12/policy/modules/services/kerberos.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.13/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/kerberos.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/kerberos.if 2010-03-09 18:51:11.000000000 -0500
@@ -74,7 +74,7 @@
')
@@ -17671,9 +17387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.12/policy/modules/services/kerberos.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.13/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/kerberos.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/kerberos.te 2010-03-09 18:51:11.000000000 -0500
@@ -112,6 +112,7 @@
kernel_read_kernel_sysctls(kadmind_t)
@@ -17691,18 +17407,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow kpropd_t krb5_keytab_t:file read_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.12/policy/modules/services/ksmtuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.13/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,5 @@
+/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
+
+/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
+
+/var/run/ksmtune\.pid -- gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.12/policy/modules/services/ksmtuned.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.13/policy/modules/services/ksmtuned.if
--- nsaserefpolicy/policy/modules/services/ksmtuned.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,76 @@
+
+## policy for Kernel Samepage Merging (KSM) Tuning Daemon
@@ -17780,9 +17496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+ allow $2 system_r;
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.12/policy/modules/services/ksmtuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.13/policy/modules/services/ksmtuned.te
--- nsaserefpolicy/policy/modules/services/ksmtuned.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ksmtuned.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ksmtuned.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,44 @@
+policy_module(ksmtuned,1.0.0)
+
@@ -17828,9 +17544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
+files_read_etc_files(ksmtuned_t)
+
+miscfiles_read_localization(ksmtuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.12/policy/modules/services/ldap.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.13/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ldap.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ldap.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,5 +1,7 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
@@ -17844,9 +17560,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.12/policy/modules/services/ldap.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.13/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ldap.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ldap.if 2010-03-09 18:51:11.000000000 -0500
@@ -1,5 +1,43 @@
## OpenLDAP directory server
@@ -17891,9 +17607,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
########################################
##
## Read the contents of the OpenLDAP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.12/policy/modules/services/ldap.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.13/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ldap.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ldap.te 2010-03-09 18:51:11.000000000 -0500
@@ -28,9 +28,15 @@
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -17928,9 +17644,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.12/policy/modules/services/lircd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.13/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/lircd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/lircd.te 2010-03-09 18:51:11.000000000 -0500
@@ -24,8 +24,11 @@
# lircd local policy
#
@@ -17979,9 +17695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
+
+sysnet_dns_name_resolve(lircd_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.12/policy/modules/services/mailman.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.13/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/mailman.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/mailman.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,4 +1,4 @@
-/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
@@ -18003,9 +17719,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
/var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.12/policy/modules/services/memcached.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.13/policy/modules/services/memcached.te
--- nsaserefpolicy/policy/modules/services/memcached.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/memcached.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/memcached.te 2010-03-09 18:51:11.000000000 -0500
@@ -22,9 +22,12 @@
#
@@ -18036,9 +17752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
+term_dontaudit_use_all_ptys(memcached_t)
+term_dontaudit_use_all_ttys(memcached_t)
+term_dontaudit_use_console(memcached_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.12/policy/modules/services/modemmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.13/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/modemmanager.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/modemmanager.te 2010-03-09 18:51:11.000000000 -0500
@@ -16,8 +16,8 @@
#
# ModemManager local policy
@@ -18058,9 +17774,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
term_use_unallocated_ttys(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.12/policy/modules/services/mta.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.13/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/mta.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/mta.fc 2010-03-09 18:51:11.000000000 -0500
@@ -13,6 +13,8 @@
/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18070,9 +17786,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.12/policy/modules/services/mta.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.13/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/mta.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/mta.if 2010-03-09 18:51:11.000000000 -0500
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@@ -18188,9 +17904,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Read the mail queue.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.12/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.13/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/mta.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/mta.te 2010-03-09 18:51:11.000000000 -0500
@@ -63,6 +63,9 @@
can_exec(system_mail_t, mta_exec_type)
@@ -18264,9 +17980,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.12/policy/modules/services/munin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.13/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/munin.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/munin.fc 2010-03-09 18:51:11.000000000 -0500
@@ -9,3 +9,6 @@
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
@@ -18274,9 +17990,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.12/policy/modules/services/munin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/munin.te 2010-03-06 10:17:33.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/munin.te 2010-03-09 18:51:11.000000000 -0500
@@ -33,7 +33,7 @@
# Local policy
#
@@ -18327,9 +18043,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.12/policy/modules/services/mysql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.13/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/mysql.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/mysql.if 2010-03-09 18:51:11.000000000 -0500
@@ -1,5 +1,43 @@
## Policy for MySQL
@@ -18374,9 +18090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
##
## Send a generic signal to MySQL.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.12/policy/modules/services/mysql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.13/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/mysql.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/mysql.te 2010-03-09 18:51:11.000000000 -0500
@@ -1,6 +1,13 @@
policy_module(mysql, 1.11.2)
@@ -18449,9 +18165,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
mysql_read_config(mysqld_safe_t)
mysql_search_pid_files(mysqld_safe_t)
mysql_write_log(mysqld_safe_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.12/policy/modules/services/nagios.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.13/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nagios.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nagios.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,16 +1,89 @@
/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -18547,9 +18263,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+# unconfined plugins
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.12/policy/modules/services/nagios.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.13/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nagios.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nagios.if 2010-03-09 18:51:11.000000000 -0500
@@ -64,8 +64,8 @@
########################################
@@ -18713,9 +18429,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+
+ admin_pattern($1, nrpe_etc_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.12/policy/modules/services/nagios.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.13/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nagios.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nagios.te 2010-03-09 18:51:11.000000000 -0500
@@ -6,17 +6,23 @@
# Declarations
#
@@ -19100,9 +18816,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.12/policy/modules/services/networkmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.13/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/networkmanager.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/networkmanager.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,12 +1,32 @@
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -19136,9 +18852,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.12/policy/modules/services/networkmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.13/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/networkmanager.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/networkmanager.if 2010-03-09 18:51:11.000000000 -0500
@@ -118,6 +118,24 @@
########################################
@@ -19164,7 +18880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
## Read NetworkManager PID files.
##
##
-@@ -134,3 +152,50 @@
+@@ -134,3 +152,71 @@
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -19215,9 +18931,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+ role $2 types NetworkManager_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.12/policy/modules/services/networkmanager.te
++
++#######################################
++##
++## Allow caller to relabel tun_socket
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_attach_tun_iface',`
++ gen_require(`
++ type NetworkManager_t;
++ ')
++
++ allow $1 NetworkManager_t:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.13/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/networkmanager.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/networkmanager.te 2010-03-09 18:51:11.000000000 -0500
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
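Review bot: The summary on the new `networkmanager_attach_tun_iface` interface, "Allow caller to relabel tun_socket", understates what the two rules grant. `allow $1 NetworkManager_t:tun_socket relabelfrom;` together with `allow $1 self:tun_socket relabelto;` lets the calling domain attach to a tun device that NetworkManager created and move its socket label into the caller's own domain. I would word the summary as `Allow the caller to attach to a tun interface created by NetworkManager, relabeling its tun_socket from NetworkManager_t to the caller's domain`, so that anyone auditing a call site sees what is handed over. The callers are not in this hunk, so it is worth confirming that only the domains that really need the device invoke it.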
@@ -19461,9 +19198,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.12/policy/modules/services/nis.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.13/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nis.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nis.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,4 +1,7 @@
-
+/etc/rc\.d/init\.d/ypbind -- gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -19482,9 +19219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
+/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
+/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.12/policy/modules/services/nis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.13/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/nis.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nis.if 2010-03-09 18:51:11.000000000 -0500
@@ -28,7 +28,7 @@
type var_yp_t;
')
@@ -19602,9 +19339,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
+ nis_domtrans_ypbind($1)
+ role $2 types ypbind_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.12/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.13/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nis.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nis.te 2010-03-09 18:51:11.000000000 -0500
@@ -13,6 +13,9 @@
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -19676,9 +19413,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.12/policy/modules/services/nscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.13/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nscd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nscd.if 2010-03-09 18:51:11.000000000 -0500
@@ -121,6 +121,24 @@
########################################
@@ -19713,9 +19450,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.12/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.13/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/nscd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nscd.te 2010-03-09 18:51:11.000000000 -0500
@@ -1,10 +1,17 @@
-policy_module(nscd, 1.10.0)
@@ -19760,9 +19497,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.12/policy/modules/services/ntop.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.13/policy/modules/services/ntop.fc
--- nsaserefpolicy/policy/modules/services/ntop.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ntop.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ntop.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,7 +1,6 @@
/etc/ntop(/.*)? gen_context(system_u:object_r:ntop_etc_t,s0)
@@ -19771,9 +19508,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
/var/lib/ntop(/.*)? gen_context(system_u:object_r:ntop_var_lib_t,s0)
/var/run/ntop\.pid -- gen_context(system_u:object_r:ntop_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.12/policy/modules/services/ntop.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.13/policy/modules/services/ntop.te
--- nsaserefpolicy/policy/modules/services/ntop.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ntop.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ntop.te 2010-03-09 18:51:11.000000000 -0500
@@ -11,12 +11,12 @@
init_daemon_domain(ntop_t, ntop_exec_t)
application_domain(ntop_t, ntop_exec_t)
@@ -19864,9 +19601,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
seutil_sigchld_newrole(ntop_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.12/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.13/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ntp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ntp.te 2010-03-09 18:51:11.000000000 -0500
@@ -100,6 +100,8 @@
fs_getattr_all_fs(ntpd_t)
@@ -19876,9 +19613,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
term_use_ptmx(ntpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.12/policy/modules/services/nut.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.13/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/nut.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nut.te 2010-03-09 18:51:11.000000000 -0500
@@ -29,7 +29,8 @@
# Local policy for upsd
#
@@ -19921,9 +19658,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.12/policy/modules/services/nx.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.13/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/nx.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nx.fc 2010-03-09 18:51:11.000000000 -0500
@@ -1,7 +1,15 @@
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
@@ -19942,9 +19679,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f
+/var/lib/nxserver(/.*)? gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+
/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.12/policy/modules/services/nx.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.13/policy/modules/services/nx.if
--- nsaserefpolicy/policy/modules/services/nx.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nx.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nx.if 2010-03-09 18:51:11.000000000 -0500
@@ -17,3 +17,70 @@
spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -20016,9 +19753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
+
+ filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.12/policy/modules/services/nx.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.13/policy/modules/services/nx.te
--- nsaserefpolicy/policy/modules/services/nx.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/nx.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/nx.te 2010-03-09 18:51:11.000000000 -0500
@@ -25,6 +25,12 @@
type nx_server_var_run_t;
files_pid_file(nx_server_var_run_t)
@@ -20053,9 +19790,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
kernel_read_system_state(nx_server_t)
kernel_read_kernel_sysctls(nx_server_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.12/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.13/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/oddjob.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/oddjob.if 2010-03-09 18:51:11.000000000 -0500
@@ -44,6 +44,7 @@
')
@@ -20064,9 +19801,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.12/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.13/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/oddjob.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/oddjob.te 2010-03-09 18:51:11.000000000 -0500
@@ -100,8 +100,7 @@
# Add/remove user home directories
@@ -20078,9 +19815,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.12/policy/modules/services/openvpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.13/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/openvpn.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/openvpn.te 2010-03-09 18:51:11.000000000 -0500
@@ -41,7 +41,7 @@
# openvpn local policy
#
@@ -20116,9 +19853,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.12/policy/modules/services/pcscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.13/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/pcscd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/pcscd.if 2010-03-09 18:51:11.000000000 -0500
@@ -39,6 +39,44 @@
########################################
@@ -20164,9 +19901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
## Connect to pcscd over an unix stream socket.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.12/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.13/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/pegasus.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/pegasus.te 2010-03-09 18:51:11.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
@@ -20238,9 +19975,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.12/policy/modules/services/plymouthd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.13/policy/modules/services/plymouthd.fc
--- nsaserefpolicy/policy/modules/services/plymouthd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/plymouthd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/plymouthd.fc 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,9 @@
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t, s0)
+
@@ -20251,9 +19988,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
+
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.12/policy/modules/services/plymouthd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.13/policy/modules/services/plymouthd.if
--- nsaserefpolicy/policy/modules/services/plymouthd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/plymouthd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/plymouthd.if 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,322 @@
+## policy for plymouthd
+
@@ -20577,9 +20314,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+
+ allow $1 plymouthd_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.12/policy/modules/services/plymouthd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.13/policy/modules/services/plymouthd.te
--- nsaserefpolicy/policy/modules/services/plymouthd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/plymouthd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/plymouthd.te 2010-03-09 18:51:11.000000000 -0500
@@ -0,0 +1,105 @@
+policy_module(plymouthd, 1.0.0)
+
@@ -20608,7 +20345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+
+type plymouth_t;
+type plymouth_exec_t;
-+init_daemon_domain(plymouth_t, plymouth_exec_t)
++application_domain(plymouth_t, plymouth_exec_t)
+
+########################################
+#
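Review bot: Replacing `init_daemon_domain(plymouth_t, plymouth_exec_t)` with `application_domain(plymouth_t, plymouth_exec_t)` drops the automatic transition from init scripts into `plymouth_t`, and nothing in this hunk shows what replaces it. If an init script still runs /bin/plymouth without an explicit domain-transition rule for its domain, the client would presumably keep running in the caller's domain rather than the confined `plymouth_t`. That should be checked against the plymouthd.if and init policy sections, which are outside this hunk. A short comment above the declaration would record the intent, for example `# plymouth is a client command, not an init-started daemon; callers transition explicitly`.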
@@ -20686,9 +20423,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
+ hal_dontaudit_rw_pipes(plymouth_t)
+')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.12/policy/modules/services/policykit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.13/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/policykit.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/policykit.fc 2010-03-09 18:51:11.000000000 -0500
@@ -6,10 +6,13 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -20704,9 +20441,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.12/policy/modules/services/policykit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.13/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/policykit.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/policykit.if 2010-03-09 18:51:11.000000000 -0500
@@ -17,12 +17,37 @@
class dbus send_msg;
')
@@ -20803,9 +20540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+
+ allow $1 policykit_auth_t:process signal;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.12/policy/modules/services/policykit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.13/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/policykit.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/policykit.te 2010-03-09 18:51:11.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -20967,9 +20704,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.12/policy/modules/services/portreserve.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.13/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/portreserve.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/portreserve.te 2010-03-09 18:51:11.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
@@ -20987,9 +20724,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
corenet_all_recvfrom_unlabeled(portreserve_t)
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_bind_generic_node(portreserve_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.12/policy/modules/services/postfix.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.13/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/postfix.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/postfix.fc 2010-03-09 18:51:11.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -21003,9 +20740,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.12/policy/modules/services/postfix.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.13/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/postfix.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/postfix.if 2010-03-09 18:51:11.000000000 -0500
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -21300,9 +21037,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+ role $2 types postfix_postdrop_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.12/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/postfix.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/postfix.te 2010-03-09 18:51:11.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -21703,9 +21440,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.12/policy/modules/services/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.13/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/postgresql.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/postgresql.fc 2010-03-09 18:51:11.000000000 -0500
@@ -3,6 +3,7 @@
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
@@ -21732,9 +21469,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.12/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.13/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/postgresql.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/postgresql.if 2010-03-09 18:51:11.000000000 -0500
@@ -125,6 +125,23 @@
typeattribute $1 sepgsql_table_type;
')
@@ -21759,9 +21496,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
##
## Marks as a SE-PostgreSQL system table/column/tuple object type
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.12/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.13/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/postgresql.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/postgresql.te 2010-03-09 18:51:11.000000000 -0500
@@ -150,6 +150,7 @@
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
@@ -21796,9 +21533,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
miscfiles_read_localization(postgresql_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.12/policy/modules/services/ppp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.13/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ppp.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ppp.fc 2010-03-09 18:51:11.000000000 -0500
@@ -3,6 +3,7 @@
#
/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
@@ -21807,9 +21544,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.12/policy/modules/services/ppp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.13/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ppp.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ppp.if 2010-03-09 18:51:13.000000000 -0500
@@ -182,6 +182,10 @@
ppp_domtrans($1)
role $2 types pppd_t;
@@ -21821,9 +21558,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.12/policy/modules/services/ppp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.13/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ppp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ppp.te 2010-03-09 18:51:13.000000000 -0500
@@ -71,9 +71,9 @@
# PPPD Local policy
#
@@ -21861,9 +21598,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
optional_policy(`
consoletype_exec(pppd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.12/policy/modules/services/prelude.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.13/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/prelude.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/prelude.te 2010-03-09 18:51:13.000000000 -0500
@@ -90,6 +90,7 @@
corenet_tcp_bind_prelude_port(prelude_t)
corenet_tcp_connect_prelude_port(prelude_t)
@@ -21881,9 +21618,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.12/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.13/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/procmail.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/procmail.te 2010-03-09 18:51:13.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -21931,9 +21668,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.12/policy/modules/services/pyzor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.13/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/pyzor.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/pyzor.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,6 +1,10 @@
/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -21945,9 +21682,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.12/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.13/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/pyzor.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/pyzor.if 2010-03-09 18:51:13.000000000 -0500
@@ -88,3 +88,50 @@
corecmd_search_bin($1)
can_exec($1, pyzor_exec_t)
@@ -21999,9 +21736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.12/policy/modules/services/pyzor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.13/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/pyzor.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/pyzor.te 2010-03-09 18:51:13.000000000 -0500
@@ -6,6 +6,38 @@
# Declarations
#
@@ -22066,9 +21803,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.12/policy/modules/services/radvd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.13/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/radvd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/radvd.te 2010-03-09 18:51:13.000000000 -0500
@@ -22,9 +22,9 @@
#
# Local policy
@@ -22104,17 +21841,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv
seutil_sigchld_newrole(radvd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.12/policy/modules/services/razor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.13/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/razor.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/razor.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,3 +1,4 @@
+/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.12/policy/modules/services/razor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.13/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/razor.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/razor.if 2010-03-09 18:51:13.000000000 -0500
@@ -157,3 +157,45 @@
domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22161,9 +21898,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+ read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.12/policy/modules/services/razor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.13/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/razor.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/razor.te 2010-03-09 18:51:13.000000000 -0500
@@ -6,6 +6,32 @@
# Declarations
#
@@ -22215,9 +21952,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
+')
+
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.12/policy/modules/services/rdisc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.13/policy/modules/services/rdisc.if
--- nsaserefpolicy/policy/modules/services/rdisc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/rdisc.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rdisc.if 2010-03-09 18:51:13.000000000 -0500
@@ -1 +1,20 @@
## Network router discovery daemon
+
@@ -22239,9 +21976,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
+ corecmd_search_bin($1)
+ can_exec($1,rdisc_exec_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.12/policy/modules/services/rgmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.13/policy/modules/services/rgmanager.fc
--- nsaserefpolicy/policy/modules/services/rgmanager.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rgmanager.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rgmanager.fc 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,8 @@
+
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
@@ -22251,9 +21988,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.12/policy/modules/services/rgmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.13/policy/modules/services/rgmanager.if
--- nsaserefpolicy/policy/modules/services/rgmanager.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rgmanager.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rgmanager.if 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,98 @@
+## SELinux policy for rgmanager
+
@@ -22353,9 +22090,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+ manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.12/policy/modules/services/rgmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.13/policy/modules/services/rgmanager.te
--- nsaserefpolicy/policy/modules/services/rgmanager.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rgmanager.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rgmanager.te 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,223 @@
+
+policy_module(rgmanager,1.0.0)
@@ -22580,9 +22317,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.12/policy/modules/services/rhcs.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.13/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rhcs.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rhcs.fc 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,23 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
@@ -22607,9 +22344,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.12/policy/modules/services/rhcs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.13/policy/modules/services/rhcs.if
--- nsaserefpolicy/policy/modules/services/rhcs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rhcs.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rhcs.if 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,424 @@
+## SELinux policy for RHCS - Red Hat Cluster Suite
+
@@ -23035,9 +22772,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.12/policy/modules/services/rhcs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.13/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rhcs.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rhcs.te 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,248 @@
+
+policy_module(rhcs,1.1.0)
@@ -23287,9 +23024,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.12/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.13/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ricci.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ricci.te 2010-03-09 18:51:13.000000000 -0500
@@ -194,10 +194,13 @@
# ricci_modcluster local policy
#
@@ -23399,9 +23136,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.12/policy/modules/services/rpc.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.13/policy/modules/services/rpc.fc
--- nsaserefpolicy/policy/modules/services/rpc.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/rpc.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rpc.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,6 +1,10 @@
#
# /etc
@@ -23413,9 +23150,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.12/policy/modules/services/rpc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.13/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/rpc.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rpc.if 2010-03-09 18:51:13.000000000 -0500
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -23509,9 +23246,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.12/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.13/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/rpc.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rpc.te 2010-03-09 18:51:13.000000000 -0500
@@ -8,7 +8,7 @@
##
@@ -23646,9 +23383,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.12/policy/modules/services/rsync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.13/policy/modules/services/rsync.if
--- nsaserefpolicy/policy/modules/services/rsync.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rsync.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rsync.if 2010-03-09 18:51:13.000000000 -0500
@@ -119,7 +119,7 @@
type rsync_etc_t;
')
@@ -23666,9 +23403,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
files_search_etc($1)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.12/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.13/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/rsync.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rsync.te 2010-03-09 18:51:13.000000000 -0500
@@ -8,6 +8,13 @@
##
@@ -23720,9 +23457,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
+')
+
auth_can_read_shadow_passwords(rsync_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.12/policy/modules/services/rtkit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.13/policy/modules/services/rtkit.if
--- nsaserefpolicy/policy/modules/services/rtkit.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/rtkit.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rtkit.if 2010-03-09 18:51:13.000000000 -0500
@@ -38,3 +38,23 @@
allow $1 rtkit_daemon_t:dbus send_msg;
allow rtkit_daemon_t $1:dbus send_msg;
@@ -23747,9 +23484,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.12/policy/modules/services/rtkit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.13/policy/modules/services/rtkit.te
--- nsaserefpolicy/policy/modules/services/rtkit.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/rtkit.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/rtkit.te 2010-03-09 18:51:13.000000000 -0500
@@ -17,9 +17,11 @@
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -23771,9 +23508,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.12/policy/modules/services/samba.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.13/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/samba.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/samba.fc 2010-03-09 18:51:13.000000000 -0500
@@ -51,3 +51,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -23782,9 +23519,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ifndef(`enable_mls',`
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.12/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/samba.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/samba.if 2010-03-09 18:51:13.000000000 -0500
@@ -62,6 +62,25 @@
########################################
@@ -23998,9 +23735,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.12/policy/modules/services/samba.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/samba.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/samba.te 2010-03-09 18:51:13.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -24320,9 +24057,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.12/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.13/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/sasl.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sasl.te 2010-03-09 18:51:13.000000000 -0500
@@ -31,7 +31,7 @@
# Local policy
#
@@ -24385,9 +24122,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
seutil_sigchld_newrole(saslauthd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.12/policy/modules/services/sendmail.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.13/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/sendmail.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sendmail.if 2010-03-09 18:51:13.000000000 -0500
@@ -277,3 +277,22 @@
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
@@ -24411,9 +24148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.12/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.13/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/sendmail.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sendmail.te 2010-03-09 18:51:13.000000000 -0500
@@ -30,7 +30,7 @@
#
@@ -24492,18 +24229,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ unconfined_domain_noaudit(unconfined_sendmail_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.12/policy/modules/services/setroubleshoot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.13/policy/modules/services/setroubleshoot.fc
--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.fc 2010-03-09 18:51:13.000000000 -0500
@@ -5,3 +5,5 @@
/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
+
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.12/policy/modules/services/setroubleshoot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.13/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.if 2010-03-09 18:51:13.000000000 -0500
@@ -16,8 +16,8 @@
')
@@ -24641,9 +24378,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ files_list_pids($1)
+ admin_pattern($1, setroubleshoot_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.12/policy/modules/services/setroubleshoot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.13/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/setroubleshoot.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/setroubleshoot.te 2010-03-09 18:51:13.000000000 -0500
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -24789,9 +24526,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+ policykit_dbus_chat(setroubleshoot_fixit_t)
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.12/policy/modules/services/smokeping.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.13/policy/modules/services/smokeping.fc
--- nsaserefpolicy/policy/modules/services/smokeping.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/smokeping.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/smokeping.fc 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,12 @@
+
+/etc/rc\.d/init\.d/smokeping -- gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
@@ -24805,9 +24542,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+/var/run/smokeping(/.*)? gen_context(system_u:object_r:smokeping_var_run_t,s0)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.12/policy/modules/services/smokeping.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.13/policy/modules/services/smokeping.if
--- nsaserefpolicy/policy/modules/services/smokeping.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/smokeping.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/smokeping.if 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,193 @@
+
+## policy for smokeping
@@ -25002,9 +24739,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+ smokeping_manage_var_lib($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.12/policy/modules/services/smokeping.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.13/policy/modules/services/smokeping.te
--- nsaserefpolicy/policy/modules/services/smokeping.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/smokeping.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/smokeping.te 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,81 @@
+
+policy_module(smokeping,1.0.0)
@@ -25087,9 +24824,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
+
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.12/policy/modules/services/snmp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.13/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/snmp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/snmp.te 2010-03-09 18:51:13.000000000 -0500
@@ -25,7 +25,7 @@
#
# Local policy
@@ -25099,9 +24836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.12/policy/modules/services/snort.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.13/policy/modules/services/snort.te
--- nsaserefpolicy/policy/modules/services/snort.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/snort.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/snort.te 2010-03-09 18:51:13.000000000 -0500
@@ -37,6 +37,7 @@
allow snort_t self:tcp_socket create_stream_socket_perms;
allow snort_t self:udp_socket create_socket_perms;
@@ -25135,9 +24872,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
domain_use_interactive_fds(snort_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.12/policy/modules/services/spamassassin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.13/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/spamassassin.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/spamassassin.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,15 +1,26 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -25167,9 +24904,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.12/policy/modules/services/spamassassin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.13/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/spamassassin.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/spamassassin.if 2010-03-09 18:51:13.000000000 -0500
@@ -111,6 +111,45 @@
')
@@ -25296,9 +25033,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ files_list_pids($1)
+ admin_pattern($1, spamd_var_run_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.12/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.13/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/spamassassin.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/spamassassin.te 2010-03-09 18:51:13.000000000 -0500
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -25604,9 +25341,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+optional_policy(`
udev_read_db(spamd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.12/policy/modules/services/squid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.13/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/squid.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/squid.te 2010-03-09 18:51:13.000000000 -0500
@@ -67,7 +67,9 @@
can_exec(squid_t, squid_exec_t)
@@ -25635,18 +25372,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
-#squid requires the following when run in diskd mode, the recommended setting
-allow squid_t tmpfs_t:file { read write };
-') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.12/policy/modules/services/ssh.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.13/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ssh.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ssh.fc 2010-03-09 18:51:13.000000000 -0500
@@ -14,3 +14,5 @@
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.12/policy/modules/services/ssh.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.13/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ssh.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ssh.if 2010-03-09 18:51:13.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -25814,9 +25551,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
#######################################
##
## Delete from the ssh temp files.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.12/policy/modules/services/ssh.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.13/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/ssh.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ssh.te 2010-03-09 18:51:13.000000000 -0500
@@ -114,6 +114,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -25949,9 +25686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.12/policy/modules/services/sssd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.13/policy/modules/services/sssd.fc
--- nsaserefpolicy/policy/modules/services/sssd.fc 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/sssd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sssd.fc 2010-03-09 18:51:13.000000000 -0500
@@ -4,6 +4,8 @@
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
@@ -25961,9 +25698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.12/policy/modules/services/sssd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.13/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/sssd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sssd.if 2010-03-09 18:51:13.000000000 -0500
@@ -38,6 +38,25 @@
########################################
@@ -26042,9 +25779,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
+
+ admin_pattern($1, sssd_public_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.12/policy/modules/services/sssd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.13/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/sssd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sssd.te 2010-03-09 18:51:13.000000000 -0500
@@ -13,6 +13,9 @@
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
@@ -26099,9 +25836,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.12/policy/modules/services/sysstat.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.13/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/sysstat.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/sysstat.te 2010-03-09 18:51:13.000000000 -0500
@@ -19,14 +19,15 @@
# Local policy
#
@@ -26120,9 +25857,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
# get info from /proc
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.12/policy/modules/services/telnet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.13/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/telnet.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/telnet.te 2010-03-09 18:51:13.000000000 -0500
@@ -85,6 +85,7 @@
remotelogin_domtrans(telnetd_t)
@@ -26131,9 +25868,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.12/policy/modules/services/tftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.13/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/tftp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/tftp.te 2010-03-09 18:51:13.000000000 -0500
@@ -50,9 +50,8 @@
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
@@ -26145,45 +25882,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.12/policy/modules/services/tgtd.if
---- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/tgtd.if 2010-03-05 17:18:52.000000000 -0500
-@@ -9,3 +9,20 @@
- ##
- ##
-
-+#####################################
-+##
-+## Allow read and write access to tgtd semaphores.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`tgtd_rw_semaphores',`
-+ gen_require(`
-+ type tgtd_t;
-+ ')
-+
-+ allow $1 tgtd_t:sem { rw_sem_perms };
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.12/policy/modules/services/tgtd.te
---- nsaserefpolicy/policy/modules/services/tgtd.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/tgtd.te 2010-03-05 17:18:52.000000000 -0500
-@@ -60,7 +60,7 @@
-
- files_read_etc_files(tgtd_t)
-
--storage_getattr_fixed_disk_dev(tgtd_t)
-+storage_manage_fixed_disk(tgtd_t)
-
- logging_send_syslog_msg(tgtd_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.12/policy/modules/services/tor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.13/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/tor.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/tor.te 2010-03-09 18:51:13.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -26215,9 +25916,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
+tunable_policy(`tor_bind_all_unreserved_ports', `
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.12/policy/modules/services/tuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.13/policy/modules/services/tuned.fc
--- nsaserefpolicy/policy/modules/services/tuned.fc 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/tuned.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/tuned.fc 2010-03-09 18:51:13.000000000 -0500
@@ -2,4 +2,7 @@
/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
@@ -26226,9 +25927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
+/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
+
/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.12/policy/modules/services/tuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.13/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/tuned.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/tuned.te 2010-03-09 18:51:13.000000000 -0500
@@ -13,6 +13,9 @@
type tuned_initrc_exec_t;
init_script_file(tuned_initrc_exec_t)
@@ -26282,9 +25983,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
# to allow network interface tuning
optional_policy(`
sysnet_domtrans_ifconfig(tuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.12/policy/modules/services/ucspitcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.13/policy/modules/services/ucspitcp.te
--- nsaserefpolicy/policy/modules/services/ucspitcp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/ucspitcp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/ucspitcp.te 2010-03-09 18:51:13.000000000 -0500
@@ -92,3 +92,8 @@
daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
daemontools_read_svc(ucspitcp_t)
@@ -26294,17 +25995,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
+ daemontools_sigchld_run(ucspitcp_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.12/policy/modules/services/usbmuxd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.13/policy/modules/services/usbmuxd.fc
--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.fc 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
+
+/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.12/policy/modules/services/usbmuxd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.13/policy/modules/services/usbmuxd.if
--- nsaserefpolicy/policy/modules/services/usbmuxd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.if 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,39 @@
+## Daemon for communicating with Apple's iPod Touch and iPhone
+
@@ -26345,10 +26046,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+ files_search_pids($1)
+ stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.12/policy/modules/services/usbmuxd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.13/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/usbmuxd.te 2010-03-05 17:18:52.000000000 -0500
-@@ -0,0 +1,48 @@
++++ serefpolicy-3.7.13/policy/modules/services/usbmuxd.te 2010-03-09 18:51:13.000000000 -0500
+@@ -0,0 +1,50 @@
+policy_module(usbmuxd,1.0.0)
+
+########################################
@@ -26372,7 +26073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:process { fork };
++allow usbmuxd_t self:process { fork signal signull };
+
+# Init script handling
+domain_use_interactive_fds(usbmuxd_t)
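Review bot: The widened rule `allow usbmuxd_t self:process { fork signal signull };` sits directly under `allow usbmuxd_t self:capability { kill setgid setuid };`, and neither line says what the daemon signals, so a reader cannot tell whether the `kill` capability is still required or is left over. Presumably usbmuxd changes uid and then signals only processes in its own domain. If so, a comment such as `# signals its own processes after dropping privileges` above the rule would record it, and `kill` should be re-checked against the audit log and removed if no denial depends on it. The same missing rationale applies to the `kernel_read_kernel_sysctls(usbmuxd_t)` and `dev_read_sysfs(usbmuxd_t)` lines added in the following hunk. The usbmuxd.te local-policy section continues outside this hunk.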
@@ -26386,8 +26087,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
+files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
+
++kernel_read_kernel_sysctls(usbmuxd_t)
+kernel_read_system_state(usbmuxd_t)
+
++dev_read_sysfs(usbmuxd_t)
+dev_rw_generic_usb_dev(usbmuxd_t)
+
+files_read_etc_files(usbmuxd_t)
@@ -26397,9 +26100,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.12/policy/modules/services/uucp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.13/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/uucp.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/uucp.te 2010-03-09 18:51:13.000000000 -0500
@@ -90,6 +90,7 @@
fs_getattr_xattr_fs(uucpd_t)
@@ -26417,9 +26120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
optional_policy(`
cron_system_entry(uucpd_t, uucpd_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.12/policy/modules/services/vhostmd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.13/policy/modules/services/vhostmd.fc
--- nsaserefpolicy/policy/modules/services/vhostmd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/vhostmd.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/vhostmd.fc 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
@@ -26427,9 +26130,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.12/policy/modules/services/vhostmd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.13/policy/modules/services/vhostmd.if
--- nsaserefpolicy/policy/modules/services/vhostmd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/vhostmd.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/vhostmd.if 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,228 @@
+
+## policy for vhostmd
@@ -26659,9 +26362,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+ vhostmd_manage_var_run($1)
+
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.12/policy/modules/services/vhostmd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.13/policy/modules/services/vhostmd.te
--- nsaserefpolicy/policy/modules/services/vhostmd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/vhostmd.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/vhostmd.te 2010-03-09 18:51:13.000000000 -0500
@@ -0,0 +1,84 @@
+
+policy_module(vhostmd,1.0.0)
@@ -26747,9 +26450,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
+ xen_stream_connect_xenstore(vhostmd_t)
+ xen_stream_connect_xm(vhostmd_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.12/policy/modules/services/virt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.13/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/virt.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/virt.fc 2010-03-09 18:51:13.000000000 -0500
@@ -8,6 +8,10 @@
/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
@@ -26761,9 +26464,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.12/policy/modules/services/virt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.13/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/virt.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/virt.if 2010-03-09 18:51:13.000000000 -0500
@@ -22,6 +22,11 @@
domain_type($1_t)
role system_r types $1_t;
@@ -26837,9 +26540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+ ptchown_run(svirt_t, $2)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.12/policy/modules/services/virt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.13/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/virt.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/virt.te 2010-03-09 18:51:13.000000000 -0500
@@ -15,6 +15,13 @@
##
@@ -27030,9 +26733,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
auth_use_nsswitch(virt_domain)
logging_send_syslog_msg(virt_domain)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.12/policy/modules/services/w3c.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.13/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/w3c.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/w3c.te 2010-03-09 18:51:13.000000000 -0500
@@ -8,11 +8,18 @@
apache_content_template(w3c_validator)
@@ -27052,9 +26755,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.12/policy/modules/services/xserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.13/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/xserver.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/xserver.fc 2010-03-09 18:51:13.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -27162,9 +26865,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.12/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/xserver.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/xserver.if 2010-03-09 18:51:13.000000000 -0500
@@ -19,7 +19,7 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -27663,9 +27366,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.12/policy/modules/services/xserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.13/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/services/xserver.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/xserver.te 2010-03-10 09:11:20.000000000 -0500
@@ -36,6 +36,13 @@
##
@@ -27963,10 +27666,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -334,24 +425,42 @@
+@@ -332,26 +423,45 @@
+
+ manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
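Review bot: The added `manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)` and the `lnk_file` class in `files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })` let the display manager create, rename and delete symlinks of its own type under /tmp, and nothing in the patch says which component needs that. Symlinks in a shared temporary directory handled by a privileged login domain deserve a stated reason. I would add a comment above the new line, for example `# <component> creates a symlink in /tmp during session setup`, with the real consumer filled in from the AVC denial. If the denial was only for reading or following a link, `read_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)` without the `lnk_file` transition would be the narrower grant. The xdm_t local-policy section starts and ends outside this hunk.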
@@ -28010,7 +27717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +468,13 @@
+@@ -359,10 +469,13 @@
# transition to the xdm xserver
domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -28024,7 +27731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,10 +483,14 @@
+@@ -371,10 +484,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -28040,7 +27747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -394,11 +510,13 @@
+@@ -394,11 +511,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -28054,7 +27761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +524,7 @@
+@@ -406,6 +525,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -28062,7 +27769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -414,18 +533,21 @@
+@@ -414,18 +534,21 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -28087,7 +27794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -436,9 +558,15 @@
+@@ -436,9 +559,15 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -28103,7 +27810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +575,18 @@
+@@ -447,14 +576,18 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28122,7 +27829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +597,12 @@
+@@ -465,10 +598,12 @@
logging_read_generic_logs(xdm_t)
@@ -28137,7 +27844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +611,11 @@
+@@ -477,6 +612,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -28149,7 +27856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -509,10 +648,12 @@
+@@ -509,10 +649,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -28162,7 +27869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +661,49 @@
+@@ -520,12 +662,49 @@
')
optional_policy(`
@@ -28212,7 +27919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,9 +721,43 @@
+@@ -543,9 +722,43 @@
')
optional_policy(`
@@ -28256,7 +27963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
-@@ -555,8 +767,9 @@
+@@ -555,8 +768,9 @@
')
optional_policy(`
@@ -28268,7 +27975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +778,6 @@
+@@ -565,7 +779,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -28276,7 +27983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +788,10 @@
+@@ -576,6 +789,10 @@
')
optional_policy(`
@@ -28287,7 +27994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +816,9 @@
+@@ -600,10 +817,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -28299,7 +28006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +830,18 @@
+@@ -615,6 +831,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -28318,7 +28025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +861,19 @@
+@@ -634,12 +862,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -28340,7 +28047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +907,6 @@
+@@ -673,7 +908,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -28348,7 +28055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +916,12 @@
+@@ -683,9 +917,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -28362,7 +28069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +936,13 @@
+@@ -700,8 +937,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -28376,7 +28083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +964,14 @@
+@@ -723,11 +965,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -28391,7 +28098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1023,24 @@
+@@ -779,12 +1024,24 @@
')
optional_policy(`
@@ -28417,7 +28124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1067,7 @@
+@@ -811,7 +1068,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -28426,7 +28133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1088,14 @@
+@@ -832,9 +1089,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28441,7 +28148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1110,14 @@
+@@ -849,11 +1111,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -28458,7 +28165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1263,33 @@
+@@ -999,3 +1264,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28492,9 +28199,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.12/policy/modules/services/zebra.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.13/policy/modules/services/zebra.if
--- nsaserefpolicy/policy/modules/services/zebra.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/services/zebra.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/services/zebra.if 2010-03-09 18:51:13.000000000 -0500
@@ -24,6 +24,26 @@
########################################
@@ -28522,9 +28229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
## All of the rules required to administrate
## an zebra environment
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.12/policy/modules/system/application.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.13/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/application.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/application.te 2010-03-09 18:51:13.000000000 -0500
@@ -7,6 +7,17 @@
# Executables to be run by user
attribute application_exec_type;
@@ -28543,9 +28250,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
optional_policy(`
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.12/policy/modules/system/authlogin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.13/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/authlogin.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/authlogin.fc 2010-03-09 18:51:13.000000000 -0500
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -28570,9 +28277,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.12/policy/modules/system/authlogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.13/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/authlogin.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/authlogin.if 2010-03-09 18:51:13.000000000 -0500
@@ -40,17 +40,76 @@
##
##
@@ -28897,9 +28604,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.12/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.13/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/authlogin.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/authlogin.te 2010-03-09 18:51:13.000000000 -0500
@@ -103,8 +103,10 @@
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
@@ -28930,9 +28637,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.12/policy/modules/system/daemontools.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.13/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/daemontools.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/daemontools.if 2010-03-09 18:51:13.000000000 -0500
@@ -71,6 +71,32 @@
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
@@ -29013,9 +28720,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+
+ allow $1 svc_run_t:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.12/policy/modules/system/daemontools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.13/policy/modules/system/daemontools.te
--- nsaserefpolicy/policy/modules/system/daemontools.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/daemontools.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/daemontools.te 2010-03-09 18:51:13.000000000 -0500
@@ -39,7 +39,10 @@
# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -29088,19 +28795,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
+
daemontools_domtrans_run(svc_start_t)
daemontools_manage_svc(svc_start_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.12/policy/modules/system/fstools.fc
---- nsaserefpolicy/policy/modules/system/fstools.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/fstools.fc 2010-03-05 17:18:52.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.13/policy/modules/system/fstools.fc
+--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/fstools.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -19,10 +18,10 @@
- /sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -23,7 +22,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -29108,17 +28811,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -40,6 +39,7 @@
- /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
-+/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
- /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-
- /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.12/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/fstools.te 2010-03-05 17:18:52.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.13/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te 2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/fstools.te 2010-03-09 18:51:13.000000000 -0500
@@ -118,6 +118,8 @@
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
@@ -29128,19 +28823,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -148,8 +150,7 @@
+@@ -148,7 +150,7 @@
seutil_read_config(fsadm_t)
-userdom_use_user_terminals(fsadm_t)
--userdom_use_unpriv_users_fds(fsadm_t)
+term_use_all_terms(fsadm_t)
ifdef(`distro_redhat',`
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.12/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.13/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/getty.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/getty.te 2010-03-09 18:51:13.000000000 -0500
@@ -56,11 +56,10 @@
manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
files_pid_filetrans(getty_t, getty_var_run_t, file)
@@ -29156,9 +28850,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
dev_read_sysfs(getty_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.12/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.13/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/hostname.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/hostname.te 2010-03-09 18:51:13.000000000 -0500
@@ -27,15 +27,18 @@
dev_read_sysfs(hostname_t)
@@ -29178,19 +28872,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.12/policy/modules/system/hotplug.te
---- nsaserefpolicy/policy/modules/system/hotplug.te 2010-03-04 11:17:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/hotplug.te 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,5 @@
-
--policy_module(hotplug, 1.12.1)
-+policy_module(hotplug, 1.12.0)
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.12/policy/modules/system/init.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.13/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/init.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/init.fc 2010-03-09 18:51:13.000000000 -0500
@@ -4,10 +4,10 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -29214,9 +28898,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
#
# /var
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.12/policy/modules/system/init.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.13/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/init.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/init.if 2010-03-09 18:51:13.000000000 -0500
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -29543,9 +29227,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ init_dontaudit_use_script_fds($1)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.12/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.13/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/init.te 2010-03-07 08:32:09.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/init.te 2010-03-09 18:51:13.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -29943,7 +29627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+
+# system-config-services causes avc messages that should be dontaudited
+tunable_policy(`allow_daemons_dump_core',`
-+ files_manage_root(daemon)
++ files_manage_root_files(daemon)
+')
+
+optional_policy(`
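Review bot: The comment directly above the `allow_daemons_dump_core` tunable block says system-config-services AVCs "should be dontaudited", but the block it introduces is an allow: `files_manage_root_files(daemon)` applies to every domain carrying the `daemon` attribute. The comment looks like a leftover and should state the real reason, e.g. `# allow_daemons_dump_core: daemons running with cwd / write their core files there`. The interface body is not visible in this hunk. If it grants the full manage set (create, write, unlink, rename) on root_t files, a compromised daemon could alter or remove files labelled root_t whenever the boolean is on, so a narrower create/write interface would be worth considering. The boolean's description should also say that it widens write access to `/` for all daemons.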
@@ -30151,9 +29835,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.12/policy/modules/system/ipsec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.13/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/ipsec.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/ipsec.fc 2010-03-09 18:51:13.000000000 -0500
@@ -37,6 +37,8 @@
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -30164,9 +29848,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-/var/run/racoon.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.12/policy/modules/system/ipsec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.13/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/ipsec.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/ipsec.if 2010-03-09 18:51:13.000000000 -0500
@@ -39,6 +39,25 @@
########################################
@@ -30193,9 +29877,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
## Get the attributes of an IPSEC key socket.
##
##
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.12/policy/modules/system/ipsec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.13/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/ipsec.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/ipsec.te 2010-03-09 18:51:13.000000000 -0500
@@ -29,9 +29,15 @@
type ipsec_key_file_t;
files_type(ipsec_key_file_t)
@@ -30242,20 +29926,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t)
-@@ -171,8 +183,10 @@
+@@ -171,8 +183,9 @@
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
-allow ipsec_mgmt_t self:process { signal setrlimit };
-+allow ipsec_mgmt_t self:process setsched;
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
++allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -182,6 +196,13 @@
+@@ -182,6 +195,13 @@
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
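Review bot: The consolidated rule `allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };` folds `setsched` in cleanly, but it still carries `ptrace` without any comment explaining which ipsec management step needs it. `ptrace` on self lets one process in ipsec_mgmt_t attach to another in the same domain. If the denial came only from a status or `ps`-style probe (an assumption; the trigger is not shown here), `dontaudit ipsec_mgmt_t self:process ptrace;` would be the tighter choice, matching the `sys_tty_config` dontaudit on the line above. Otherwise add a one-line why-comment such as `# ptrace: required by <tool>, see <bug ref>`, and do the same for the `setpcap sys_nice` capabilities. The ipsec_mgmt local policy section continues outside this hunk.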
@@ -30269,7 +29952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-@@ -209,7 +230,6 @@
+@@ -209,7 +229,6 @@
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
@@ -30277,7 +29960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
-@@ -247,8 +267,10 @@
+@@ -247,8 +266,10 @@
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -30288,7 +29971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
-@@ -259,6 +281,7 @@
+@@ -259,6 +280,7 @@
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -30296,7 +29979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
logging_send_syslog_msg(ipsec_mgmt_t)
-@@ -323,6 +346,7 @@
+@@ -323,6 +345,7 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -30304,7 +29987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
-@@ -362,6 +386,8 @@
+@@ -362,6 +385,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -30313,7 +29996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -380,12 +406,15 @@
+@@ -380,12 +405,15 @@
read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
@@ -30329,14 +30012,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -397,3 +426,4 @@
+@@ -397,3 +425,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.12/policy/modules/system/iptables.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.13/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/iptables.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/iptables.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,6 +1,4 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -30344,9 +30027,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.12/policy/modules/system/iptables.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.13/policy/modules/system/iptables.if
--- nsaserefpolicy/policy/modules/system/iptables.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/iptables.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/iptables.if 2010-03-09 18:51:13.000000000 -0500
@@ -17,6 +17,10 @@
corecmd_search_bin($1)
@@ -30358,9 +30041,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.12/policy/modules/system/iptables.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.13/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/iptables.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/iptables.te 2010-03-09 18:51:13.000000000 -0500
@@ -14,9 +14,6 @@
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -30434,92 +30117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
udev_read_db(iptables_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.12/policy/modules/system/iscsi.fc
---- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/iscsi.fc 2010-03-05 17:18:52.000000000 -0500
-@@ -1,5 +1,9 @@
- /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-
- /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
- /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
-+
-+/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+
- /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.12/policy/modules/system/iscsi.te
---- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/iscsi.te 2010-03-05 17:18:52.000000000 -0500
-@@ -14,6 +14,9 @@
- type iscsi_lock_t;
- files_lock_file(iscsi_lock_t)
-
-+type iscsi_log_t;
-+logging_log_file(iscsi_log_t)
-+
- type iscsi_tmp_t;
- files_tmp_file(iscsi_tmp_t)
-
-@@ -36,15 +39,21 @@
- allow iscsid_t self:sem create_sem_perms;
- allow iscsid_t self:shm create_shm_perms;
- allow iscsid_t self:netlink_socket create_socket_perms;
-+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
- allow iscsid_t self:tcp_socket create_stream_socket_perms;
-
-+can_exec(iscsid_t, iscsid_exec_t)
-+
- manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
- files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
-
--allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
--allow iscsid_t iscsi_tmp_t:file manage_file_perms;
--fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
-+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
-+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
-+
-+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
-+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
-+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
-
- allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
- read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-@@ -54,8 +63,8 @@
- manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
- files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
-
-+kernel_read_network_state(iscsid_t)
- kernel_read_system_state(iscsid_t)
--kernel_search_debugfs(iscsid_t)
-
- corenet_all_recvfrom_unlabeled(iscsid_t)
- corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -67,13 +76,21 @@
- corenet_tcp_connect_isns_port(iscsid_t)
-
- dev_rw_sysfs(iscsid_t)
-+dev_rw_userio_dev(iscsid_t)
-
- domain_use_interactive_fds(iscsid_t)
-+domain_dontaudit_read_all_domains_state(iscsid_t)
-
- files_read_etc_files(iscsid_t)
-
-+init_stream_connect_script(iscsid_t)
-+
- logging_send_syslog_msg(iscsid_t)
-
- auth_use_nsswitch(iscsid_t)
-
- miscfiles_read_localization(iscsid_t)
-+
-+optional_policy(`
-+ tgtd_rw_semaphores(iscsid_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.12/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/libraries.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/libraries.fc 2010-03-09 18:51:13.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -30880,9 +30480,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.12/policy/modules/system/libraries.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.13/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/libraries.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/libraries.if 2010-03-10 09:40:07.000000000 -0500
@@ -17,6 +17,7 @@
corecmd_search_bin($1)
@@ -30909,9 +30509,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
allow $1 lib_t:dir list_dir_perms;
read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.12/policy/modules/system/libraries.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.13/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/libraries.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/libraries.te 2010-03-09 18:51:13.000000000 -0500
@@ -58,11 +58,11 @@
# ldconfig local policy
#
@@ -30984,9 +30584,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+optional_policy(`
+ unconfined_domain(ldconfig_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.12/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.13/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/locallogin.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/locallogin.te 2010-03-09 18:51:13.000000000 -0500
@@ -33,9 +33,8 @@
# Local login local policy
#
@@ -31087,9 +30687,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-optional_policy(`
- nscd_socket_use(sulogin_t)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.12/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.13/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/logging.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/logging.fc 2010-03-09 18:51:13.000000000 -0500
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -31129,9 +30729,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.12/policy/modules/system/logging.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.13/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/logging.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/logging.if 2010-03-09 18:51:13.000000000 -0500
@@ -96,6 +96,20 @@
########################################
@@ -31191,9 +30791,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.12/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.13/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/logging.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/logging.te 2010-03-09 18:51:13.000000000 -0500
@@ -101,6 +101,7 @@
kernel_read_kernel_sysctls(auditctl_t)
@@ -31336,9 +30936,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
udev_read_db(syslogd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.12/policy/modules/system/lvm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.13/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/lvm.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/lvm.fc 2010-03-09 18:51:13.000000000 -0500
@@ -28,6 +28,7 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -31347,9 +30947,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
#
# /sbin
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.12/policy/modules/system/lvm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.13/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/lvm.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/lvm.if 2010-03-09 18:51:13.000000000 -0500
@@ -34,7 +34,7 @@
type lvm_exec_t;
')
@@ -31359,9 +30959,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
can_exec($1, lvm_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.12/policy/modules/system/lvm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.13/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/lvm.te 2010-03-07 08:47:06.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/lvm.te 2010-03-09 18:51:13.000000000 -0500
@@ -142,6 +142,11 @@
')
@@ -31421,144 +31021,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
bootloader_rw_tmp_files(lvm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.12/policy/modules/system/miscfiles.fc
---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/miscfiles.fc 2010-03-05 17:18:52.000000000 -0500
-@@ -42,6 +42,7 @@
- /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-+/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
- /usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-@@ -70,13 +71,15 @@
-
- /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-
--/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_t,s0)
-+/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
- /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
- /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
--/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
- /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
-
-+/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+
-+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
- /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
-
- ifdef(`distro_debian',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.12/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/miscfiles.if 2010-03-05 17:18:52.000000000 -0500
-@@ -73,7 +73,8 @@
- #
- interface(`miscfiles_read_fonts',`
- gen_require(`
-- type fonts_t;
-+ type fonts_t, fonts_cache_t;
-+
- ')
-
- # cjp: fonts can be in either of these dirs
-@@ -83,6 +84,10 @@
- allow $1 fonts_t:dir list_dir_perms;
- read_files_pattern($1, fonts_t, fonts_t)
- read_lnk_files_pattern($1, fonts_t, fonts_t)
-+
-+ allow $1 fonts_cache_t:dir list_dir_perms;
-+ read_files_pattern($1, fonts_cache_t, fonts_cache_t)
-+ read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
- ')
-
- ########################################
-@@ -167,6 +172,68 @@
- manage_dirs_pattern($1, fonts_t, fonts_t)
- manage_files_pattern($1, fonts_t, fonts_t)
- manage_lnk_files_pattern($1, fonts_t, fonts_t)
-+ miscfiles_manage_fonts_cache($1)
-+')
-+
-+########################################
-+##
-+## Set the attributes on a fonts cache directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`miscfiles_setattr_fonts_cache_dirs',`
-+ gen_require(`
-+ type fonts_cache_t;
-+ ')
-+
-+ allow $1 fonts_cache_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Dontaudit attempts to set the attributes on a fonts cache directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
-+ gen_require(`
-+ type fonts_cache_t;
-+ ')
-+
-+ allow $1 fonts_cache_t:dir setattr;
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete fonts cache.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`miscfiles_manage_fonts_cache',`
-+ gen_require(`
-+ type fonts_cache_t;
-+ ')
-+
-+ files_search_var($1)
-+
-+ manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
-+ manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
-+ manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
- ')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.12/policy/modules/system/miscfiles.te
---- nsaserefpolicy/policy/modules/system/miscfiles.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/miscfiles.te 2010-03-05 17:18:52.000000000 -0500
-@@ -19,6 +19,9 @@
- type fonts_t;
- files_type(fonts_t)
-
-+type fonts_cache_t;
-+files_type(fonts_cache_t)
-+
- #
- # type for /usr/share/hwdata
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.12/policy/modules/system/modutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.13/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/modutils.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/modutils.te 2010-03-09 18:51:13.000000000 -0500
@@ -19,6 +19,7 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -31664,9 +31129,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.12/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.13/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/mount.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/mount.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,4 +1,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -31679,9 +31144,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.12/policy/modules/system/mount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.13/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/mount.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/mount.if 2010-03-09 18:51:13.000000000 -0500
@@ -16,6 +16,14 @@
')
@@ -31706,7 +31171,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
optional_policy(`
samba_run_smbmount($1, $2)
')
-@@ -84,9 +94,11 @@
+@@ -51,6 +61,35 @@
+
+ ########################################
+ ##
++## Execute fusermount in the mount domain, and
++## allow the specified role the mount domain,
++## and use the caller's terminal.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++##
++##
++## The role to be allowed the mount domain.
++##
++##
++##
++#
++interface(`mount_run_fusermount',`
++ gen_require(`
++ type mount_t;
++ ')
++
++ mount_domtrans_fusermount($1)
++ role $2 types mount_t;
++
++ fstools_run(mount_t, $2)
++')
++
++########################################
++##
+ ## Execute mount in the caller domain.
+ ##
+ ##
+@@ -84,9 +123,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
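Review bot: The summary comment on the new `mount_run_fusermount` interface does not match its body. It promises "use the caller's terminal", yet none of the three statements is a terminal rule, and `fstools_run(mount_t, $2)` is not mentioned at all. If `fstools_run` behaves as it does elsewhere in the reference policy, it also authorises role `$2` for the fs-tools domain, so every role passed in receives more than the mount domain. That matters at the later userdomain.if hunk, which replaces `mount_run($1_t, $1_r)` with `mount_run_fusermount($1_t, $1_r)` inside a user template whose header lies outside the hunk. I would drop the `fstools_run` line if fusermount does not need it, or otherwise remove the terminal sentence and document the grant, e.g. `## allow the specified role the mount and fstools domains.`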
@@ -31718,7 +31219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -177,3 +189,100 @@
+@@ -177,3 +218,100 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
@@ -31819,9 +31320,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.12/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.13/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/mount.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/mount.te 2010-03-09 18:51:13.000000000 -0500
@@ -18,8 +18,15 @@
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;
@@ -32096,9 +31597,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.12/policy/modules/system/raid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.13/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/raid.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/raid.te 2010-03-09 18:51:13.000000000 -0500
@@ -51,11 +51,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
@@ -32113,9 +31614,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.12/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.13/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.fc 2010-03-09 18:51:13.000000000 -0500
@@ -6,13 +6,13 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -32155,9 +31656,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.12/policy/modules/system/selinuxutil.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.13/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.if 2010-03-09 18:51:13.000000000 -0500
@@ -361,6 +361,27 @@
########################################
@@ -32534,9 +32035,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ hotplug_use_fds($1)
+')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.12/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.13/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/selinuxutil.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/selinuxutil.te 2010-03-09 18:51:13.000000000 -0500
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -32921,9 +32422,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.12/policy/modules/system/sysnetwork.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.13/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.fc 2010-03-09 18:51:13.000000000 -0500
@@ -13,6 +13,9 @@
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -32957,9 +32458,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.12/policy/modules/system/sysnetwork.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.13/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.if 2010-03-09 18:51:13.000000000 -0500
@@ -43,6 +43,41 @@
sysnet_domtrans_dhcpc($1)
@@ -33163,9 +32664,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+
+ role_transition $1 dhcpc_exec_t system_r;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.12/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.13/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/sysnetwork.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/sysnetwork.te 2010-03-09 18:51:13.000000000 -0500
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -33378,9 +32879,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+ hal_dontaudit_rw_pipes(ifconfig_t)
+ hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.12/policy/modules/system/udev.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.13/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/udev.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/udev.if 2010-03-09 18:51:13.000000000 -0500
@@ -192,6 +192,7 @@
dev_list_all_dev_nodes($1)
@@ -33389,9 +32890,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.12/policy/modules/system/udev.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.13/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/udev.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/udev.te 2010-03-09 18:51:13.000000000 -0500
@@ -50,6 +50,7 @@
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33451,9 +32952,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
kernel_write_xen_state(udev_t)
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.12/policy/modules/system/unconfined.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.13/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/unconfined.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/unconfined.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,15 +1 @@
# Add programs here which should not be confined by SELinux
-# e.g.:
@@ -33470,9 +32971,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-ifdef(`distro_gentoo',`
-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.12/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.13/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-03-01 15:12:54.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/unconfined.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/unconfined.if 2010-03-09 18:51:13.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -33967,9 +33468,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-
- allow $1 unconfined_t:dbus acquire_svc;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.12/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.13/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/unconfined.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/unconfined.te 2010-03-09 18:51:13.000000000 -0500
@@ -5,227 +5,5 @@
#
# Declarations
@@ -34199,9 +33700,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.12/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.13/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/modules/system/userdomain.fc 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/userdomain.fc 2010-03-09 18:51:13.000000000 -0500
@@ -1,4 +1,11 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -34215,9 +33716,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.12/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/userdomain.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/userdomain.if 2010-03-09 18:51:13.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -34669,7 +34170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -508,182 +526,213 @@
+@@ -508,182 +526,217 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -34800,44 +34301,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ canna_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- canna_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ chrome_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- dbus_system_bus_client($1_t)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
-
- optional_policy(`
-- bluetooth_dbus_chat($1_t)
++
++ optional_policy(`
+ avahi_dbus_chat($1_usertype)
+ ')
+
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- canna_stream_connect($1_t)
+ consolekit_dbus_chat($1_usertype)
+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- dbus_system_bus_client($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
++ ')
+
+ optional_policy(`
+- bluetooth_dbus_chat($1_t)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
@@ -34882,21 +34387,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- modutils_read_module_config($1_t)
+ modutils_read_module_config($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ mta_rw_spool($1_usertype)
-+ mta_manage_queue($1_usertype)
')
optional_policy(`
- mta_rw_spool($1_t)
-+ nsplugin_role($1_r, $1_usertype)
++ mta_rw_spool($1_usertype)
++ mta_manage_queue($1_usertype)
')
optional_policy(`
- tunable_policy(`allow_user_mysql_connect',`
- mysql_stream_connect($1_t)
++ nsplugin_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_usertype)
')
@@ -34956,18 +34461,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -711,13 +760,26 @@
+@@ -711,13 +764,26 @@
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -34978,9 +34485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -34988,7 +34493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_change_password_template($1)
-@@ -735,70 +797,72 @@
+@@ -735,70 +801,72 @@
allow $1_t self:context contains;
@@ -35094,7 +34599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -826,6 +890,8 @@
+@@ -826,6 +894,8 @@
')
userdom_login_user_template($1)
@@ -35103,7 +34608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
-@@ -836,6 +902,26 @@
+@@ -836,6 +906,26 @@
#
optional_policy(`
@@ -35130,7 +34635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r)
')
')
-@@ -865,51 +951,83 @@
+@@ -865,51 +955,83 @@
userdom_restricted_user_template($1)
@@ -35144,11 +34649,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
++
++ xserver_role($1_r, $1_t)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
-+ xserver_role($1_r, $1_t)
-+
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -35179,12 +34684,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
-
-- xserver_restricted_role($1_r, $1_t)
++
+ optional_policy(`
+ alsa_read_rw_config($1_usertype)
+ ')
-+
+
+- xserver_restricted_role($1_r, $1_t)
+ optional_policy(`
+ apache_role($1_r, $1_usertype)
+ ')
@@ -35227,7 +34732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -943,8 +1061,8 @@
+@@ -943,8 +1065,8 @@
# Declarations
#
@@ -35237,7 +34742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1071,73 @@
+@@ -953,54 +1075,73 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -35320,7 +34825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ optional_policy(`
-+ mount_run($1_t, $1_r)
++ mount_run_fusermount($1_t, $1_r)
+ ')
+
+ optional_policy(`
@@ -35340,7 +34845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1036,7 +1173,7 @@
+@@ -1036,7 +1177,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -35349,7 +34854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1045,8 +1182,7 @@
+@@ -1045,8 +1186,7 @@
#
# Inherit rules for ordinary users.
@@ -35359,7 +34864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1071,6 +1207,9 @@
+@@ -1071,6 +1211,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -35369,7 +34874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1224,7 @@
+@@ -1085,6 +1228,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -35377,7 +34882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1092,8 +1232,6 @@
+@@ -1092,8 +1236,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -35386,7 +34891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1120,12 +1258,11 @@
+@@ -1120,12 +1262,11 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -35401,7 +34906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
term_use_all_terms($1_t)
auth_getattr_shadow($1_t)
-@@ -1148,20 +1285,6 @@
+@@ -1148,20 +1289,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -35422,7 +34927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1207,6 +1330,8 @@
+@@ -1207,6 +1334,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -35431,7 +34936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1272,11 +1397,15 @@
+@@ -1272,11 +1401,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -35447,7 +34952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1313,7 +1442,7 @@
+@@ -1313,7 +1446,7 @@
type user_devpts_t;
')
@@ -35456,7 +34961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,26 +1516,19 @@
+@@ -1387,26 +1520,19 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -35486,7 +34991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
#
interface(`userdom_dontaudit_search_user_home_dirs',`
gen_require(`
-@@ -1433,6 +1555,14 @@
+@@ -1433,6 +1559,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -35501,7 +35006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1578,11 @@
+@@ -1448,9 +1582,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -35513,7 +35018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1639,42 @@
+@@ -1507,6 +1643,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -35556,7 +35061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
## Create directories in the home dir root with
-@@ -1581,11 +1749,14 @@
+@@ -1581,11 +1753,14 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -35572,7 +35077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1593,18 +1764,18 @@
+@@ -1593,18 +1768,18 @@
##
##
#
@@ -35596,7 +35101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1612,18 +1783,17 @@
+@@ -1612,18 +1787,17 @@
##
##
#
@@ -35619,7 +35124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -1631,12 +1801,12 @@
+@@ -1631,12 +1805,12 @@
##
##
#
@@ -35634,7 +35139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1655,7 +1825,7 @@
+@@ -1655,7 +1829,7 @@
type user_home_t;
')
@@ -35643,7 +35148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1692,6 +1862,7 @@
+@@ -1692,6 +1866,7 @@
type user_home_dir_t, user_home_t;
')
@@ -35651,7 +35156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1708,11 +1879,14 @@
+@@ -1708,11 +1883,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -35669,7 +35174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1730,7 +1904,7 @@
+@@ -1730,7 +1908,7 @@
type user_home_t;
')
@@ -35678,7 +35183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1748,7 +1922,7 @@
+@@ -1748,7 +1926,7 @@
type user_home_t;
')
@@ -35687,7 +35192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1819,19 +1993,32 @@
+@@ -1819,19 +1997,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -35727,7 +35232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1849,7 +2036,7 @@
+@@ -1849,7 +2040,7 @@
type user_home_t;
')
@@ -35736,7 +35241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1866,6 +2053,7 @@
+@@ -1866,6 +2057,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -35744,7 +35249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2077,7 +2265,7 @@
+@@ -2077,7 +2269,7 @@
type user_tmp_t;
')
@@ -35753,7 +35258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($1)
')
-@@ -2102,7 +2290,7 @@
+@@ -2102,7 +2294,7 @@
########################################
##
@@ -35762,7 +35267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary directories.
##
##
-@@ -2111,17 +2299,17 @@
+@@ -2111,17 +2303,17 @@
##
##
#
@@ -35783,7 +35288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary directories.
##
##
-@@ -2130,18 +2318,37 @@
+@@ -2130,12 +2322,31 @@
##
##
#
@@ -35795,12 +35300,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- dontaudit $1 user_tmp_t:dir manage_dir_perms;
+ dontaudit $1 user_tmp_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Read user temporary files.
--##
++')
++
++########################################
++##
+## Do not audit attempts to manage users
+## temporary directories.
+##
@@ -35816,16 +35319,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ dontaudit $1 user_tmp_t:dir manage_dir_perms;
-+')
-+
-+########################################
-+##
-+## Read user temporary files.
-+##
- ##
- ##
- ## Domain allowed access.
-@@ -2193,7 +2400,7 @@
+ ')
+
+ ########################################
+@@ -2193,7 +2404,7 @@
type user_tmp_t;
')
@@ -35834,7 +35331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2218,6 +2425,25 @@
+@@ -2218,6 +2429,25 @@
########################################
##
@@ -35860,7 +35357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
##
-@@ -2298,6 +2524,46 @@
+@@ -2298,6 +2528,46 @@
########################################
##
## Create, read, write, and delete user
@@ -35907,7 +35404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## temporary symbolic links.
##
##
-@@ -2413,7 +2679,7 @@
+@@ -2413,7 +2683,7 @@
########################################
##
@@ -35916,7 +35413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2421,19 +2687,21 @@
+@@ -2421,19 +2691,21 @@
##
##
#
@@ -35942,7 +35439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -2441,15 +2709,14 @@
+@@ -2441,15 +2713,14 @@
##
##
#
@@ -35962,7 +35459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2467,7 +2734,7 @@
+@@ -2467,7 +2738,7 @@
type user_tty_device_t;
')
@@ -35971,7 +35468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2485,7 +2752,7 @@
+@@ -2485,7 +2756,7 @@
type user_tty_device_t;
')
@@ -35980,7 +35477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2503,7 +2770,7 @@
+@@ -2503,7 +2774,7 @@
type user_tty_device_t;
')
@@ -35989,7 +35486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2521,7 +2788,7 @@
+@@ -2521,7 +2792,7 @@
type user_tty_device_t;
')
@@ -35998,7 +35495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2787,7 +3054,7 @@
+@@ -2787,7 +3058,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -36007,7 +35504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3070,33 @@
+@@ -2803,11 +3074,33 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -36043,7 +35540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2848,23 +3137,14 @@
+@@ -2848,23 +3141,14 @@
########################################
##
@@ -36070,7 +35567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
#
interface(`userdom_dontaudit_use_unpriv_user_fds',`
gen_require(`
-@@ -2931,6 +3211,25 @@
+@@ -2931,6 +3215,25 @@
########################################
##
@@ -36096,7 +35593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Write all users files in /tmp
##
##
-@@ -2944,7 +3243,43 @@
+@@ -2944,7 +3247,43 @@
type user_tmp_t;
')
@@ -36141,7 +35638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3316,7 @@
+@@ -2981,6 +3320,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -36149,7 +35646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3447,674 @@
+@@ -3111,3 +3451,674 @@
allow $1 userdomain:dbus send_msg;
')
@@ -36824,9 +36321,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ dontaudit $1 admin_home_t:file getattr;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.12/policy/modules/system/userdomain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.13/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/userdomain.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/userdomain.te 2010-03-09 18:51:13.000000000 -0500
@@ -8,13 +8,6 @@
##
@@ -36915,9 +36412,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
+
+allow userdomain userdomain:process signull;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.12/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.13/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/xen.if 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/xen.if 2010-03-09 18:51:13.000000000 -0500
@@ -180,6 +180,25 @@
########################################
@@ -36954,9 +36451,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+ typeattribute $1 xm_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.12/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.13/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.12/policy/modules/system/xen.te 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/modules/system/xen.te 2010-03-09 18:51:13.000000000 -0500
@@ -5,6 +5,7 @@
#
# Declarations
@@ -37056,9 +36553,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.12/policy/support/misc_patterns.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.13/policy/support/misc_patterns.spt
--- nsaserefpolicy/policy/support/misc_patterns.spt 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.12/policy/support/misc_patterns.spt 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/support/misc_patterns.spt 2010-03-09 18:51:13.000000000 -0500
@@ -15,7 +15,7 @@
domain_transition_pattern($1,$2,$3)
@@ -37077,9 +36574,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
allow $3 $1:process sigchld;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.12/policy/support/obj_perm_sets.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.13/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-03-04 11:44:07.000000000 -0500
-+++ serefpolicy-3.7.12/policy/support/obj_perm_sets.spt 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/support/obj_perm_sets.spt 2010-03-09 18:51:13.000000000 -0500
@@ -28,7 +28,7 @@
#
# All socket classes.
@@ -37170,9 +36667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.12/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.13/policy/users
--- nsaserefpolicy/policy/users 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.12/policy/users 2010-03-05 17:18:52.000000000 -0500
++++ serefpolicy-3.7.13/policy/users 2010-03-09 18:51:13.000000000 -0500
@@ -6,7 +6,7 @@
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 68294da..540adc8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.7.12
+Version: 3.7.13
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
@@ -466,9 +466,11 @@ exit 0
%endif
%changelog
-* Thu Mar 4 2010 Dan Walsh 3.7.12-1
+* Tue Mar 9 2010 Dan Walsh 3.7.13-1
- Update to upstream
+* Thu Mar 4 2010 Dan Walsh 3.7.12-1
+- Update to upstream
* Thu Mar 4 2010 Dan Walsh 3.7.11-1
- Update to upstream - These are merges of my patches
diff --git a/sources b/sources
index 72def95..7979a58 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
4c7d323036f1662a06a7a4f2a7da57a5 config.tgz
-c284968623d7634e4ce08e803d599dd7 serefpolicy-3.7.12.tgz
+384318cbf208033c62ef3a21bdfdd8c7 serefpolicy-3.7.13.tgz
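Review bot: The added `sources` line pins serefpolicy-3.7.13.tgz with a 32-hex-digit digest, which looks like MD5, and that is the only integrity check on the new tarball visible in this commit. MD5 is not collision-resistant, so the pin catches accidental corruption but is weak against a deliberately crafted substitute tarball. If the lookaside tooling in use accepts a stronger digest, record one instead, for example `SHA512 (serefpolicy-3.7.13.tgz) = <sha512-of-tarball>` (placeholder, not a computed value). Otherwise, check the tarball against the upstream release before upload and say so in the commit message.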