rpms/selinux-policy/devel policy-F12.patch, 1.10, 1.11 selinux-policy.spec, 1.864, 1.865
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Jun 18 14:42:35 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6691
Modified Files:
policy-F12.patch selinux-policy.spec
Log Message:
* Tue Jun 16 2009 Dan Walsh <dwalsh at redhat.com> 3.6.16-3
- Add label for udev-acl
policy-F12.patch:
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- policy-F12.patch 15 Jun 2009 20:04:06 -0000 1.10
+++ policy-F12.patch 18 Jun 2009 14:42:33 -0000 1.11
@@ -2739,7 +2739,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.16/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/apps/mozilla.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/apps/mozilla.te 2009-06-18 09:37:19.000000000 -0400
@@ -105,6 +105,7 @@
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@@ -2794,7 +2794,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.16/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.if 2009-06-18 09:57:45.000000000 -0400
@@ -0,0 +1,313 @@
+
+## <summary>policy for nsplugin</summary>
@@ -3111,8 +3111,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.16/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.te 2009-06-12 15:59:08.000000000 -0400
-@@ -0,0 +1,286 @@
++++ serefpolicy-3.6.16/policy/modules/apps/nsplugin.te 2009-06-16 11:25:06.000000000 -0400
+@@ -0,0 +1,287 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3236,6 +3236,7 @@ diff -b -B --ignore-all-space --exclude-
+fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+fs_rw_anon_inodefs_files(nsplugin_t)
++fs_list_inotifyfs(nsplugin_t)
+
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+
@@ -4440,38 +4441,18 @@ diff -b -B --ignore-all-space --exclude-
+permissive sambagui_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.16/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/apps/sandbox.fc 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/apps/sandbox.fc 2009-06-18 08:40:18.000000000 -0400
@@ -0,0 +1 @@
+# No types are sandbox_exec_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.16/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/apps/sandbox.if 2009-06-12 15:59:08.000000000 -0400
-@@ -0,0 +1,105 @@
++++ serefpolicy-3.6.16/policy/modules/apps/sandbox.if 2009-06-18 10:32:27.000000000 -0400
+@@ -0,0 +1,145 @@
+
+## <summary>policy for sandbox</summary>
+
+########################################
+## <summary>
-+## Execute a domain transition to run sandbox.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`sandbox_domtrans',`
-+ gen_require(`
-+ type sandbox_t;
-+ type sandbox_exec_t;
-+ ')
-+
-+ domtrans_pattern($1,sandbox_exec_t,sandbox_t)
-+')
-+
-+
-+########################################
-+## <summary>
+## Execute sandbox in the sandbox domain, and
+## allow the specified role the sandbox domain.
+## </summary>
@@ -4486,41 +4467,47 @@ diff -b -B --ignore-all-space --exclude-
+## </summary>
+## </param>
+#
-+interface(`sandbox_run',`
++interface(`sandbox_transition',`
+ gen_require(`
-+ type sandbox_t;
++ type sandbox_xserver_t;
++ attribute sandbox_domain;
+ ')
+
-+ sandbox_domtrans($1)
-+ role $2 types sandbox_t;
++ allow $1 sandbox_domain:process transition;
++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
++ role $2 types sandbox_domain;
++ role $2 types sandbox_xserver_t;
+')
+
+########################################
+## <summary>
-+## Role access for sandbox
++## Creates types and rules for a basic
++## qemu process domain.
+## </summary>
-+## <param name="role">
-+## <summary>
-+## Role allowed access
-+## </summary>
-+## </param>
-+## <param name="domain">
++## <param name="prefix">
+## <summary>
-+## User domain for the role
++## Prefix for the domain.
+## </summary>
+## </param>
+#
-+interface(`sandbox_role',`
++template(`sandbox_domain_template',`
++
+ gen_require(`
-+ type sandbox_t;
++ attribute sandbox_domain;
+ ')
+
-+ role $2 types sandbox_t;
++ type $1_t, sandbox_domain;
++ domain_type($1_t)
+
-+ sandbox_domtrans($1)
++ type $1_file_t;
++ files_type($1_file_t)
+
-+ ps_process_pattern($2, sandbox_t)
-+ allow $2 sandbox_t:process signal;
++ can_exec($1_t, $1_file_t)
++ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
++ manage_files_pattern($1_t, $1_file_t, $1_file_t)
++ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
++ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
++ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+')
+
+########################################
@@ -4534,31 +4521,87 @@ diff -b -B --ignore-all-space --exclude-
+## </summary>
+## </param>
+#
-+template(`sandbox_domain_template',`
-+
++template(`sandbox_x_domain_template',`
+ gen_require(`
-+ attribute sandbox_domain;
++ type xserver_exec_t;
++ type sandbox_xserver_t;
++ attribute sandbox_domain, sandbox_x_domain;
+ ')
+
-+ type $1_t, sandbox_domain;
-+ domain_type($1_t)
++ sandbox_domain_template($1)
+
-+ type $1_file_t;
-+ files_type($1_file_t)
++
++ typeattribute $1_t sandbox_x_domain;
+
-+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
++ # window manager
++ miscfiles_setattr_fonts($1_t)
++ allow $1_t self:capability setuid;
++
++ type $1_client_t, sandbox_x_domain, sandbox_domain;
++ domain_type($1_client_t)
++
++ type $1_client_tmpfs_t;
++ files_tmpfs_file($1_client_tmpfs_t)
++
++ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr };
++ term_create_pty($1_client_t,sandbox_devpts_t)
++
++ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
++ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
++ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
++
++ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
++ allow $1_t sandbox_xserver_t:process sigkill;
++
++ domtrans_pattern($1_t, $1_file_t, $1_client_t)
++ domain_entry_file($1_client_t, $1_file_t)
++
++ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
++ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
++ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
++ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
++ ps_process_pattern(sandbox_xserver_t, $1_client_t)
++ ps_process_pattern(sandbox_xserver_t, $1_t)
++ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
++ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
++
++ can_exec($1_client_t, $1_file_t)
++ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
++ manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
++ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
++ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
++ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
++
++# permissive $1_client_t;
+')
++
++########################################
++## <summary>
++## allow domain to read,
++## write sandbox_xserver tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sandbox_rw_xserver_tmpfs_files',`
++ gen_require(`
++ type sandbox_xserver_tmpfs_t;
++ ')
++
++ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
++')
+Binary files nsaserefpolicy/policy/modules/apps/sandbox.pp and serefpolicy-3.6.16/policy/modules/apps/sandbox.pp differ
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.16/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/apps/sandbox.te 2009-06-12 15:59:08.000000000 -0400
-@@ -0,0 +1,32 @@
++++ serefpolicy-3.6.16/policy/modules/apps/sandbox.te 2009-06-18 10:32:16.000000000 -0400
+@@ -0,0 +1,274 @@
+policy_module(sandbox,1.0.0)
-+
++dbus_stub()
+attribute sandbox_domain;
++attribute sandbox_x_domain;
+
+########################################
+#
@@ -4566,9 +4609,76 @@ diff -b -B --ignore-all-space --exclude-
+#
+
+sandbox_domain_template(sandbox)
-+sandbox_domain_template(sandbox_x)
-+role system_r types sandbox_t;
-+role system_r types sandbox_x_t;
++sandbox_x_domain_template(sandbox_x)
++sandbox_x_domain_template(sandbox_web)
++sandbox_x_domain_template(sandbox_net)
++
++type sandbox_xserver_t;
++domain_type(sandbox_xserver_t)
++xserver_common_app(sandbox_xserver_t)
++permissive sandbox_xserver_t;
++
++type sandbox_xserver_tmpfs_t;
++files_tmpfs_file(sandbox_xserver_tmpfs_t)
++
++type sandbox_devpts_t;
++term_pty(sandbox_devpts_t)
++files_type(sandbox_devpts_t)
++
++########################################
++#
++# sandbox xserver policy
++#
++allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
++allow sandbox_xserver_t self:shm create_shm_perms;
++allow sandbox_xserver_t self:tcp_socket create_socket_perms;
++
++manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
++fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++
++corecmd_exec_bin(sandbox_xserver_t)
++corecmd_exec_shell(sandbox_xserver_t)
++
++corenet_all_recvfrom_unlabeled(sandbox_xserver_t)
++corenet_all_recvfrom_netlabel(sandbox_xserver_t)
++corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
++corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
++corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
++corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
++corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
++corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
++corenet_tcp_bind_generic_node(sandbox_xserver_t)
++corenet_tcp_bind_xserver_port(sandbox_xserver_t)
++corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
++corenet_sendrecv_all_client_packets(sandbox_xserver_t)
++
++files_read_etc_files(sandbox_xserver_t)
++files_read_usr_files(sandbox_xserver_t)
++files_search_home(sandbox_xserver_t)
++fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
++
++miscfiles_read_fonts(sandbox_xserver_t)
++miscfiles_read_localization(sandbox_xserver_t)
++
++kernel_read_system_state(sandbox_xserver_t)
++
++auth_use_nsswitch(sandbox_xserver_t)
++
++userdom_use_user_terminals(sandbox_xserver_t)
++
++xserver_entry_type(sandbox_xserver_t)
++
++optional_policy(`
++ dbus_system_bus_client(sandbox_xserver_t)
++
++ optional_policy(`
++ hal_dbus_chat(sandbox_xserver_t)
++ ')
++')
+
+########################################
+#
@@ -4584,10 +4694,184 @@ diff -b -B --ignore-all-space --exclude-
+
+miscfiles_read_localization(sandbox_domain)
+
-+userdom_use_user_ptys(sandbox_domain)
-+
+kernel_dontaudit_read_system_state(sandbox_domain)
+corecmd_exec_all_executables(sandbox_domain)
++
++
++########################################
++#
++# sandbox_x_domain local policy
++#
++allow sandbox_x_domain self:process { signal_perms getsched setpgid };
++allow sandbox_x_domain self:shm create_shm_perms;
++allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
++allow sandbox_x_domain self:unix_dgram_socket create_socket_perms;
++allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
++dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++dev_read_urand(sandbox_x_domain)
++dev_dontaudit_read_rand(sandbox_x_domain)
++
++files_read_etc_files(sandbox_x_domain)
++files_read_usr_files(sandbox_x_domain)
++files_read_usr_symlinks(sandbox_x_domain)
++
++fs_getattr_tmpfs(sandbox_x_domain)
++fs_getattr_xattr_fs(sandbox_x_domain)
++
++auth_dontaudit_read_login_records(sandbox_x_domain)
++
++init_read_utmp(sandbox_x_domain)
++
++term_getattr_pty_fs(sandbox_x_domain)
++term_use_ptmx(sandbox_x_domain)
++
++logging_send_syslog_msg(sandbox_x_domain)
++
++miscfiles_read_fonts(sandbox_x_domain)
++
++optional_policy(`
++ gnome_read_gconf_config(sandbox_x_domain)
++')
++
++optional_policy(`
++ cups_stream_connect(sandbox_x_domain)
++ cups_read_rw_config(sandbox_x_domain)
++')
++
++########################################
++#
++# sandbox_x_client_t local policy
++#
++allow sandbox_x_client_t self:tcp_socket create_socket_perms;
++allow sandbox_x_client_t self:udp_socket create_socket_perms;
++allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
++allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
++
++dev_read_rand(sandbox_x_client_t)
++
++corenet_tcp_connect_ipp_port(sandbox_x_client_t)
++
++auth_use_nsswitch(sandbox_x_client_t)
++
++dbus_system_bus_client(sandbox_x_client_t)
++dbus_read_config(sandbox_x_client_t)
++selinux_get_fs_mount(sandbox_x_client_t)
++selinux_validate_context(sandbox_x_client_t)
++selinux_compute_access_vector(sandbox_x_client_t)
++selinux_compute_create_context(sandbox_x_client_t)
++selinux_compute_relabel_context(sandbox_x_client_t)
++selinux_compute_user_contexts(sandbox_x_client_t)
++seutil_read_default_contexts(sandbox_x_client_t)
++
++optional_policy(`
++ hal_dbus_chat(sandbox_x_client_t)
++')
++
++########################################
++#
++# sandbox_web_client_t local policy
++#
++allow sandbox_web_client_t self:capability { setuid setgid };
++allow sandbox_web_client_t self:netlink_audit_socket nlmsg_relay;
++allow sandbox_web_client_t self:process setsched;
++
++allow sandbox_web_client_t self:tcp_socket create_socket_perms;
++allow sandbox_web_client_t self:udp_socket create_socket_perms;
++allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
++allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
++
++dev_read_rand(sandbox_web_client_t)
++
++# Browse the web, connect to printer
++corenet_all_recvfrom_unlabeled(sandbox_web_client_t)
++corenet_all_recvfrom_netlabel(sandbox_web_client_t)
++corenet_tcp_sendrecv_generic_if(sandbox_web_client_t)
++corenet_raw_sendrecv_generic_if(sandbox_web_client_t)
++corenet_tcp_sendrecv_generic_node(sandbox_web_client_t)
++corenet_raw_sendrecv_generic_node(sandbox_web_client_t)
++corenet_tcp_sendrecv_http_port(sandbox_web_client_t)
++corenet_tcp_sendrecv_http_cache_port(sandbox_web_client_t)
++corenet_tcp_sendrecv_ftp_port(sandbox_web_client_t)
++corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
++corenet_tcp_connect_http_port(sandbox_web_client_t)
++corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
++corenet_tcp_connect_ftp_port(sandbox_web_client_t)
++corenet_tcp_connect_ipp_port(sandbox_web_client_t)
++corenet_tcp_connect_generic_port(sandbox_web_client_t)
++corenet_sendrecv_http_client_packets(sandbox_web_client_t)
++corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
++corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
++corenet_sendrecv_ipp_client_packets(sandbox_web_client_t)
++corenet_sendrecv_generic_client_packets(sandbox_web_client_t)
++# Should not need other ports
++corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
++corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
++
++auth_use_nsswitch(sandbox_web_client_t)
++
++dbus_system_bus_client(sandbox_web_client_t)
++dbus_read_config(sandbox_web_client_t)
++selinux_get_fs_mount(sandbox_web_client_t)
++selinux_validate_context(sandbox_web_client_t)
++selinux_compute_access_vector(sandbox_web_client_t)
++selinux_compute_create_context(sandbox_web_client_t)
++selinux_compute_relabel_context(sandbox_web_client_t)
++selinux_compute_user_contexts(sandbox_web_client_t)
++seutil_read_default_contexts(sandbox_web_client_t)
++
++optional_policy(`
++ nsplugin_read_rw_files(sandbox_web_client_t)
++ nsplugin_rw_exec(sandbox_web_client_t)
++')
++
++optional_policy(`
++ hal_dbus_chat(sandbox_web_client_t)
++')
++
++########################################
++#
++# sandbox_net_client_t local policy
++#
++allow sandbox_net_client_t self:tcp_socket create_socket_perms;
++allow sandbox_net_client_t self:udp_socket create_socket_perms;
++allow sandbox_net_client_t self:dbus { acquire_svc send_msg };
++allow sandbox_net_client_t self:netlink_selinux_socket create_socket_perms;
++
++dev_read_rand(sandbox_net_client_t)
++
++corenet_all_recvfrom_unlabeled(sandbox_net_client_t)
++corenet_all_recvfrom_netlabel(sandbox_net_client_t)
++corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
++corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
++corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
++corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
++corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
++corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
++corenet_tcp_connect_all_ports(sandbox_net_client_t)
++corenet_sendrecv_all_client_packets(sandbox_net_client_t)
++
++auth_use_nsswitch(sandbox_net_client_t)
++
++dbus_system_bus_client(sandbox_net_client_t)
++dbus_read_config(sandbox_net_client_t)
++selinux_get_fs_mount(sandbox_net_client_t)
++selinux_validate_context(sandbox_net_client_t)
++selinux_compute_access_vector(sandbox_net_client_t)
++selinux_compute_create_context(sandbox_net_client_t)
++selinux_compute_relabel_context(sandbox_net_client_t)
++selinux_compute_user_contexts(sandbox_net_client_t)
++seutil_read_default_contexts(sandbox_net_client_t)
++
++optional_policy(`
++ nsplugin_read_rw_files(sandbox_web_client_t)
++ nsplugin_rw_exec(sandbox_web_client_t)
++')
++
++optional_policy(`
++ hal_dbus_chat(sandbox_net_client_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.16/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.16/policy/modules/apps/screen.if 2009-06-12 15:59:08.000000000 -0400
@@ -5019,7 +5303,7 @@ diff -b -B --ignore-all-space --exclude-
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.16/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/kernel/corecommands.fc 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/kernel/corecommands.fc 2009-06-18 09:27:34.000000000 -0400
@@ -139,6 +139,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -5030,7 +5314,7 @@ diff -b -B --ignore-all-space --exclude-
#
# /usr
#
-@@ -312,3 +315,20 @@
+@@ -312,3 +315,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -5051,6 +5335,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.16/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.16/policy/modules/kernel/corecommands.if 2009-06-12 15:59:08.000000000 -0400
@@ -5472,7 +5757,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.16/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/kernel/domain.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/kernel/domain.te 2009-06-17 09:16:36.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -5543,7 +5828,7 @@ diff -b -B --ignore-all-space --exclude-
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +174,49 @@
+@@ -153,3 +174,50 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5559,6 +5844,7 @@ diff -b -B --ignore-all-space --exclude-
+ cron_rw_system_job_pipes(domain)
+
+ifdef(`hide_broken_symptoms',`
++ fs_list_inotifyfs(domain)
+ allow domain domain:key { link search };
+')
+')
@@ -5628,7 +5914,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.16/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-06-12 09:08:48.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/kernel/files.if 2009-06-15 10:43:32.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/kernel/files.if 2009-06-18 09:21:59.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -6328,8 +6614,8 @@ diff -b -B --ignore-all-space --exclude-
+gen_user(guest_u, user, guest_r, s0, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.16/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/roles/staff.te 2009-06-12 15:59:08.000000000 -0400
-@@ -15,156 +15,99 @@
++++ serefpolicy-3.6.16/policy/modules/roles/staff.te 2009-06-18 08:41:56.000000000 -0400
+@@ -15,156 +15,103 @@
# Local policy
#
@@ -6352,7 +6638,11 @@ diff -b -B --ignore-all-space --exclude-
-optional_policy(`
- cdrecord_role(staff_r, staff_t)
-')
--
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
+
-optional_policy(`
- cron_role(staff_r, staff_t)
-')
@@ -6360,11 +6650,13 @@ diff -b -B --ignore-all-space --exclude-
-optional_policy(`
- dbus_role_template(staff, staff_r, staff_t)
-')
--
++auth_domtrans_pam_console(staff_t)
+
-optional_policy(`
- ethereal_role(staff_r, staff_t)
-')
--
++libs_manage_shared_libs(staff_t)
+
-optional_policy(`
- evolution_role(staff_r, staff_t)
-')
@@ -6376,133 +6668,128 @@ diff -b -B --ignore-all-space --exclude-
-optional_policy(`
- gift_role(staff_r, staff_t)
-')
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
-
--optional_policy(`
-- gnome_role(staff_r, staff_t)
--')
-+auth_domtrans_pam_console(staff_t)
-
--optional_policy(`
-- gpg_role(staff_r, staff_t)
--')
-+libs_manage_shared_libs(staff_t)
-
--optional_policy(`
-- irc_role(staff_r, staff_t)
--')
+seutil_run_newrole(staff_t, staff_r)
+netutils_run_ping(staff_t, staff_r)
optional_policy(`
-- java_role(staff_r, staff_t)
+- gnome_role(staff_r, staff_t)
+ sudo_role_template(staff, staff_r, staff_t)
')
optional_policy(`
-- lockdev_role(staff_r, staff_t)
+- gpg_role(staff_r, staff_t)
+ auditadm_role_change(staff_r)
')
optional_policy(`
-- lpd_role(staff_r, staff_t)
+- irc_role(staff_r, staff_t)
+ kerneloops_manage_tmp_files(staff_t)
')
optional_policy(`
-- mozilla_role(staff_r, staff_t)
+- java_role(staff_r, staff_t)
+ logadm_role_change(staff_r)
')
optional_policy(`
-- mplayer_role(staff_r, staff_t)
+- lockdev_role(staff_r, staff_t)
+ postgresql_role(staff_r, staff_t)
')
optional_policy(`
-- mta_role(staff_r, staff_t)
+- lpd_role(staff_r, staff_t)
+ secadm_role_change(staff_r)
')
optional_policy(`
-- oident_manage_user_content(staff_t)
-- oident_relabel_user_content(staff_t)
+- mozilla_role(staff_r, staff_t)
+ ssh_role_template(staff, staff_r, staff_t)
')
optional_policy(`
-- pyzor_role(staff_r, staff_t)
+- mplayer_role(staff_r, staff_t)
+ sysadm_role_change(staff_r)
')
optional_policy(`
-- razor_role(staff_r, staff_t)
+- mta_role(staff_r, staff_t)
+ usernetctl_run(staff_t, staff_r)
')
optional_policy(`
-- rssh_role(staff_r, staff_t)
+- oident_manage_user_content(staff_t)
+- oident_relabel_user_content(staff_t)
+ unconfined_role_change(staff_r)
')
optional_policy(`
-- screen_role_template(staff, staff_r, staff_t)
+- pyzor_role(staff_r, staff_t)
+ webadm_role_change(staff_r)
')
-optional_policy(`
-- secadm_role_change(staff_r)
+- razor_role(staff_r, staff_t)
-')
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
-optional_policy(`
-- spamassassin_role(staff_r, staff_t)
+- rssh_role(staff_r, staff_t)
-')
+files_read_kernel_modules(staff_t)
-optional_policy(`
-- ssh_role_template(staff, staff_r, staff_t)
+- screen_role_template(staff, staff_r, staff_t)
-')
+kernel_read_fs_sysctls(staff_t)
-optional_policy(`
-- su_role_template(staff, staff_r, staff_t)
+- secadm_role_change(staff_r)
-')
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)
-optional_policy(`
-- sudo_role_template(staff, staff_r, staff_t)
+- spamassassin_role(staff_r, staff_t)
+-')
+-
+-optional_policy(`
+- ssh_role_template(staff, staff_r, staff_t)
+-')
+-
+-optional_policy(`
+- su_role_template(staff, staff_r, staff_t)
-')
+miscfiles_read_hwdata(staff_t)
-optional_policy(`
-- sysadm_role_change(staff_r)
-- userdom_dontaudit_use_user_terminals(staff_t)
+- sudo_role_template(staff, staff_r, staff_t)
-')
+term_use_unallocated_ttys(staff_t)
optional_policy(`
-- thunderbird_role(staff_r, staff_t)
+- sysadm_role_change(staff_r)
+- userdom_dontaudit_use_user_terminals(staff_t)
+ gnomeclock_dbus_chat(staff_t)
')
optional_policy(`
-- tvtime_role(staff_r, staff_t)
+- thunderbird_role(staff_r, staff_t)
+ kerneloops_dbus_chat(staff_t)
')
optional_policy(`
-- uml_role(staff_r, staff_t)
+- tvtime_role(staff_r, staff_t)
+ rpm_dbus_chat(staff_usertype)
')
optional_policy(`
+- uml_role(staff_r, staff_t)
++ sandbox_transition(staff_t, staff_r)
+ ')
+
+ optional_policy(`
- userhelper_role_template(staff, staff_r, staff_t)
+ screen_manage_var_run(staff_t)
')
@@ -7539,7 +7826,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te 2009-06-15 15:37:34.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/roles/unconfineduser.te 2009-06-18 08:41:31.000000000 -0400
@@ -0,0 +1,407 @@
+policy_module(unconfineduser, 1.0.0)
+
@@ -7826,7 +8113,7 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
-+ sandbox_run(unconfined_t, unconfined_r)
++ sandbox_transition(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
@@ -7950,8 +8237,8 @@ diff -b -B --ignore-all-space --exclude-
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.16/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/roles/unprivuser.te 2009-06-12 15:59:08.000000000 -0400
-@@ -14,142 +14,13 @@
++++ serefpolicy-3.6.16/policy/modules/roles/unprivuser.te 2009-06-18 08:42:17.000000000 -0400
+@@ -14,142 +14,17 @@
userdom_unpriv_user_template(user)
optional_policy(`
@@ -7966,9 +8253,10 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
- bluetooth_role(user_r, user_t)
--')
--
--optional_policy(`
++ sandbox_transition(user_t, user_r)
+ ')
+
+ optional_policy(`
- cdrecord_role(user_r, user_t)
-')
-
@@ -10007,8 +10295,16 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(bitlbee_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.16/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/services/bluetooth.te 2009-06-12 15:59:08.000000000 -0400
-@@ -152,6 +152,10 @@
++++ serefpolicy-3.6.16/policy/modules/services/bluetooth.te 2009-06-17 09:19:22.000000000 -0400
+@@ -64,6 +64,7 @@
+ allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow bluetooth_t self:tcp_socket create_stream_socket_perms;
+ allow bluetooth_t self:udp_socket create_socket_perms;
++allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+@@ -152,6 +153,10 @@
optional_policy(`
hal_dbus_chat(bluetooth_t)
')
@@ -10295,7 +10591,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.16/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:43:08.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/services/consolekit.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/consolekit.te 2009-06-17 11:27:29.000000000 -0400
@@ -11,7 +11,7 @@
init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -10345,7 +10641,7 @@ diff -b -B --ignore-all-space --exclude-
hal_dbus_chat(consolekit_t)
')
-@@ -97,11 +106,23 @@
+@@ -97,11 +106,27 @@
')
optional_policy(`
@@ -10362,6 +10658,10 @@ diff -b -B --ignore-all-space --exclude-
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
++')
++
++optional_policy(`
++ udev_domtrans(consolekit_t)
')
optional_policy(`
@@ -13118,8 +13418,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.16/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/fprintd.te 2009-06-12 15:59:08.000000000 -0400
-@@ -0,0 +1,54 @@
++++ serefpolicy-3.6.16/policy/modules/services/fprintd.te 2009-06-17 09:18:32.000000000 -0400
+@@ -0,0 +1,55 @@
+policy_module(fprintd,1.0.0)
+
+########################################
@@ -13167,16 +13467,17 @@ diff -b -B --ignore-all-space --exclude-
+')
+
+optional_policy(`
-+ polkit_read_reload(fprintd_t)
-+ polkit_read_lib(fprintd_t)
++ polkit_dbus_chat(fprintd_t)
+ polkit_domtrans_auth(fprintd_t)
++ polkit_read_lib(fprintd_t)
++ polkit_read_reload(fprintd_t)
+')
+
+permissive fprintd_t;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.16/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/ftp.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/ftp.te 2009-06-16 08:25:34.000000000 -0400
@@ -26,7 +26,7 @@
## <desc>
## <p>
@@ -13216,7 +13517,17 @@ diff -b -B --ignore-all-space --exclude-
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -160,6 +168,7 @@
+@@ -121,8 +129,7 @@
+ allow ftpd_t ftpdctl_tmp_t:sock_file { getattr unlink };
+
+ # Create and modify /var/log/xferlog.
+-allow ftpd_t xferlog_t:dir search_dir_perms;
+-allow ftpd_t xferlog_t:file manage_file_perms;
++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+ logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+ kernel_read_kernel_sysctls(ftpd_t)
+@@ -160,6 +167,7 @@
fs_search_auto_mountpoints(ftpd_t)
fs_getattr_all_fs(ftpd_t)
@@ -13224,7 +13535,7 @@ diff -b -B --ignore-all-space --exclude-
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
-@@ -222,9 +231,15 @@
+@@ -222,9 +230,15 @@
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
userdom_manage_user_home_content_symlinks(ftpd_t)
@@ -13241,7 +13552,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
-@@ -258,7 +273,26 @@
+@@ -258,7 +272,26 @@
')
optional_policy(`
@@ -13269,7 +13580,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -270,6 +304,14 @@
+@@ -270,6 +303,14 @@
')
optional_policy(`
@@ -15087,7 +15398,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.16/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/networkmanager.te 2009-06-15 08:31:33.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/networkmanager.te 2009-06-16 11:24:19.000000000 -0400
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -15818,6 +16129,217 @@ diff -b -B --ignore-all-space --exclude-
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.16/policy/modules/services/nslcd.fc
+--- nsaserefpolicy/policy/modules/services/nslcd.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.16/policy/modules/services/nslcd.fc 2009-06-18 10:39:36.000000000 -0400
+@@ -0,0 +1,4 @@
++/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
++/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
++/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
++/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.16/policy/modules/services/nslcd.if
+--- nsaserefpolicy/policy/modules/services/nslcd.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.16/policy/modules/services/nslcd.if 2009-06-18 10:39:36.000000000 -0400
+@@ -0,0 +1,145 @@
++
++## <summary>policy for nslcd</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run nslcd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`nslcd_domtrans',`
++ gen_require(`
++ type nslcd_t;
++ type nslcd_exec_t;
++ ')
++
++ domtrans_pattern($1,nslcd_exec_t,nslcd_t)
++')
++
++
++########################################
++## <summary>
++## Execute nslcd server in the nslcd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`nslcd_initrc_domtrans',`
++ gen_require(`
++ type nslcd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1,nslcd_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Read nslcd PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nslcd_read_pid_files',`
++ gen_require(`
++ type nslcd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 nslcd_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Manage nslcd var_run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nslcd_manage_var_run',`
++ gen_require(`
++ type nslcd_var_run_t;
++ ')
++
++ manage_dirs_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
++ manage_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
++ manage_lnk_files_pattern($1,nslcd_var_run_t,nslcd_var_run_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an nslcd environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the nslcd domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`nslcd_admin',`
++ gen_require(`
++ type nslcd_t;
++ ')
++
++ allow $1 nslcd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, nslcd_t, nslcd_t)
++ allow $1 nslcd_conf_t:file read_file_perms;
++
++ gen_require(`
++ type nslcd_initrc_exec_t;
++ ')
++
++ # Allow nslcd_t to restart the apache service
++ nslcd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 nslcd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ nslcd_manage_var_run($1)
++')
++
++
++########################################
++## <summary>
++## Connect to nslcd over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nslcd_use',`
++ gen_require(`
++ type nslcd_t, var_run_t, nslcd_var_run_t;
++ ')
++
++# list_dirs_pattern($1, var_run_t, nslcd_var_run_t)
++ write_sock_files_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
++ allow $1 nslcd_t:unix_stream_socket connectto;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.16/policy/modules/services/nslcd.te
+--- nsaserefpolicy/policy/modules/services/nslcd.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.16/policy/modules/services/nslcd.te 2009-06-18 10:39:36.000000000 -0400
+@@ -0,0 +1,50 @@
++policy_module(nslcd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type nslcd_t;
++type nslcd_exec_t;
++init_daemon_domain(nslcd_t, nslcd_exec_t)
++
++#permissive nslcd_t;
++
++type nslcd_initrc_exec_t;
++init_script_file(nslcd_initrc_exec_t)
++
++type nslcd_var_run_t;
++files_pid_file(nslcd_var_run_t)
++
++type nslcd_conf_t;
++files_type(nslcd_conf_t)
++allow nslcd_t nslcd_conf_t:file read_file_perms;
++
++########################################
++#
++# nslcd local policy
++#
++
++allow nslcd_t self:capability { setgid setuid dac_override };
++
++# Init script handling
++domain_use_interactive_fds(nslcd_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow nslcd_t self:sock_file rw_file_perms;
++allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
++allow nslcd_t self:process signal;
++
++files_read_etc_files(nslcd_t)
++
++miscfiles_read_localization(nslcd_t)
++
++manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
++manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
++files_pid_filetrans(nslcd_t,nslcd_var_run_t, { file dir })
++allow nslcd_t nslcd_var_run_t:sock_file manage_sock_file_perms;
++
++auth_use_nsswitch(nslcd_t)
++
++logging_send_syslog_msg(nslcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.16/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2009-06-08 15:22:17.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/services/ntp.if 2009-06-12 15:59:08.000000000 -0400
@@ -16224,6 +16746,26 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
+ prelude_manage_spool(pads_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.16/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-03-23 13:47:11.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/pcscd.te 2009-06-16 09:52:14.000000000 -0400
+@@ -29,6 +29,7 @@
+
+ manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
++manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
+
+@@ -46,6 +47,8 @@
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
+
++kernel_read_system_state(pcscd_t)
++
+ term_use_unallocated_ttys(pcscd_t)
+ term_dontaudit_getattr_pty_dirs(pcscd_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.16/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.16/policy/modules/services/pegasus.te 2009-06-12 15:59:08.000000000 -0400
@@ -16300,13 +16842,13 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.6.16/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/polkit.fc 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/polkit.fc 2009-06-15 16:34:08.000000000 -0400
@@ -0,0 +1,11 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0)
-+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
++/usr/libexec/polkitd.* -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0)
@@ -16315,7 +16857,7 @@ diff -b -B --ignore-all-space --exclude-
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.16/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/polkit.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/polkit.if 2009-06-17 09:17:36.000000000 -0400
@@ -0,0 +1,241 @@
+
+## <summary>policy for polkit_auth</summary>
@@ -20174,7 +20716,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/setroubleshoot.te 2009-06-18 09:22:05.000000000 -0400
@@ -11,6 +11,9 @@
domain_type(setroubleshootd_t)
init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -20209,7 +20751,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +76,24 @@
+@@ -68,16 +76,25 @@
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
@@ -20225,6 +20767,7 @@ diff -b -B --ignore-all-space --exclude-
files_getattr_all_files(setroubleshootd_t)
+files_getattr_all_pipes(setroubleshootd_t)
+files_getattr_all_sockets(setroubleshootd_t)
++files_read_all_symlinks(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
@@ -20235,7 +20778,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +110,28 @@
+@@ -94,22 +111,28 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -21833,8 +22376,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.16/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/sssd.te 2009-06-12 15:59:08.000000000 -0400
-@@ -0,0 +1,72 @@
++++ serefpolicy-3.6.16/policy/modules/services/sssd.te 2009-06-16 11:24:47.000000000 -0400
+@@ -0,0 +1,74 @@
+policy_module(sssd,1.0.0)
+
+########################################
@@ -21892,6 +22435,8 @@ diff -b -B --ignore-all-space --exclude-
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
++fs_list_inotifyfs(sssd_t)
++
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
@@ -22484,7 +23029,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.16/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/virt.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/virt.te 2009-06-16 11:25:30.000000000 -0400
@@ -8,19 +8,31 @@
## <desc>
@@ -22599,7 +23144,7 @@ diff -b -B --ignore-all-space --exclude-
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,30 +140,50 @@
+@@ -96,30 +140,51 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -22640,6 +23185,7 @@ diff -b -B --ignore-all-space --exclude-
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
++fs_list_inotifyfs(virtd_t)
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
@@ -22653,7 +23199,7 @@ diff -b -B --ignore-all-space --exclude-
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -129,7 +193,15 @@
+@@ -129,7 +194,15 @@
logging_send_syslog_msg(virtd_t)
@@ -22669,7 +23215,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +239,34 @@
+@@ -167,22 +240,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -22709,7 +23255,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -195,8 +279,86 @@
+@@ -195,8 +280,86 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -22820,7 +23366,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.16/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/xserver.fc 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/xserver.fc 2009-06-18 08:45:33.000000000 -0400
@@ -3,12 +3,16 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -22850,15 +23396,17 @@ diff -b -B --ignore-all-space --exclude-
#
# /opt
#
-@@ -61,6 +60,7 @@
+@@ -61,7 +60,9 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +89,26 @@
+ ifdef(`distro_debian', `
+@@ -89,16 +90,26 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@@ -22890,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.16/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/xserver.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/xserver.if 2009-06-18 08:45:02.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -23117,7 +23665,32 @@ diff -b -B --ignore-all-space --exclude-
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -872,6 +936,27 @@
+@@ -797,6 +861,24 @@
+
+ ########################################
+ ## <summary>
++## Make an X executable an entrypoint for the specified domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain for which the shell is an entrypoint.
++## </summary>
++## </param>
++#
++interface(`xserver_entry_type',`
++ gen_require(`
++ type xserver_exec_t;
++ ')
++
++ domain_entry_file($1, xserver_exec_t)
++')
++
++########################################
++## <summary>
+ ## Execute an X session in the target domain. This
+ ## is an explicit transition, requiring the
+ ## caller to use setexeccon().
+@@ -872,6 +954,27 @@
########################################
## <summary>
@@ -23145,7 +23718,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write the X server
## log files.
## </summary>
-@@ -1018,10 +1103,11 @@
+@@ -1018,10 +1121,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -23158,7 +23731,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1159,6 +1245,275 @@
+@@ -1159,6 +1263,275 @@
########################################
## <summary>
@@ -23434,7 +24007,7 @@ diff -b -B --ignore-all-space --exclude-
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1172,7 +1527,103 @@
+@@ -1172,7 +1545,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -23465,7 +24038,7 @@ diff -b -B --ignore-all-space --exclude-
+ gen_require(`
+ class x_drawable all_x_drawable_perms;
+ class x_resource all_x_resource_perms;
- ')
++')
+
+ allow $1 $2:x_drawable all_x_drawable_perms;
+ allow $2 $1:x_drawable all_x_drawable_perms;
@@ -23496,7 +24069,7 @@ diff -b -B --ignore-all-space --exclude-
+ class x_selection all_x_selection_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
-+ ')
+ ')
+
+ # Type attributes
+ typeattribute $1 x_domain;
@@ -23540,7 +24113,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.16/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/services/xserver.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/services/xserver.te 2009-06-18 08:43:27.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -24122,7 +24695,7 @@ diff -b -B --ignore-all-space --exclude-
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -774,12 +924,16 @@
+@@ -774,12 +924,20 @@
')
optional_policy(`
@@ -24136,11 +24709,15 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
- unconfined_domain_noaudit(xserver_t)
++ sandbox_rw_xserver_tmpfs_files(xserver_t)
++')
++
++optional_policy(`
+ unconfined_domain(xserver_t)
unconfined_domtrans(xserver_t)
')
-@@ -806,7 +960,7 @@
+@@ -806,7 +964,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -24149,7 +24726,7 @@ diff -b -B --ignore-all-space --exclude-
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +981,14 @@
+@@ -827,9 +985,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24164,7 +24741,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1003,14 @@
+@@ -844,11 +1007,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -24180,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -856,6 +1018,11 @@
+@@ -856,6 +1022,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -24192,7 +24769,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Rules common to all X window domains
-@@ -881,6 +1048,8 @@
+@@ -881,6 +1052,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -24201,7 +24778,7 @@ diff -b -B --ignore-all-space --exclude-
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1074,8 @@
+@@ -905,6 +1078,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24210,7 +24787,7 @@ diff -b -B --ignore-all-space --exclude-
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1143,49 @@
+@@ -972,17 +1147,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -24358,7 +24935,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.16/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-12 15:45:03.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/system/authlogin.if 2009-06-15 15:31:30.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/authlogin.if 2009-06-18 10:39:36.000000000 -0400
@@ -46,11 +46,23 @@
')
@@ -24440,12 +25017,12 @@ diff -b -B --ignore-all-space --exclude-
+
+ optional_policy(`
+ nis_authenticate($1)
-+ ')
+ ')
+
+ optional_policy(`
+ ssh_agent_exec($1)
+ userdom_read_user_home_content_files($1)
- ')
++ ')
+
')
@@ -24464,11 +25041,11 @@ diff -b -B --ignore-all-space --exclude-
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
- optional_policy(`
+- optional_policy(`
- kerberos_use($1)
- ')
-
-- optional_policy(`
+ optional_policy(`
- nis_use_ypbind($1)
+ kerberos_read_keytab($1)
+ kerberos_connect_524($1)
@@ -24546,7 +25123,33 @@ diff -b -B --ignore-all-space --exclude-
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1395,6 +1494,14 @@
+@@ -1254,6 +1353,25 @@
+
+ ########################################
+ ## <summary>
++## dontaudit read login records files (/var/log/wtmp).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`auth_dontaudit_read_login_records',`
++ gen_require(`
++ type wtmp_t;
++ ')
++
++ dontaudit $1 wtmp_t:file read_file_perms;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to write to
+ ## login records files.
+ ## </summary>
+@@ -1395,6 +1513,14 @@
')
optional_policy(`
@@ -24561,10 +25164,14 @@ diff -b -B --ignore-all-space --exclude-
nis_use_ypbind($1)
')
-@@ -1403,8 +1510,13 @@
+@@ -1403,8 +1529,17 @@
')
optional_policy(`
++ nslcd_use($1)
++ ')
++
++ optional_policy(`
+ sssd_stream_connect($1)
+ ')
+
@@ -24896,7 +25503,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.16/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/system/init.te 2009-06-15 10:43:51.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/init.te 2009-06-18 08:29:05.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@@ -25442,7 +26049,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.16/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.16/policy/modules/system/iscsi.te 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/iscsi.te 2009-06-16 09:44:00.000000000 -0400
@@ -55,6 +55,7 @@
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
@@ -25451,7 +26058,13 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -73,6 +74,6 @@
+@@ -68,11 +69,12 @@
+ dev_rw_sysfs(iscsid_t)
+
+ domain_use_interactive_fds(iscsid_t)
++domain_read_all_domains_state(iscsid_t)
+
+ files_read_etc_files(iscsid_t)
logging_send_syslog_msg(iscsid_t)
@@ -27713,6 +28326,18 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.16/policy/modules/system/udev.fc
+--- nsaserefpolicy/policy/modules/system/udev.fc 2009-03-20 12:39:40.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/udev.fc 2009-06-16 12:04:16.000000000 -0400
+@@ -8,6 +8,8 @@
+
+ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
++/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+ /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.16/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400
+++ serefpolicy-3.6.16/policy/modules/system/udev.te 2009-06-15 11:24:20.000000000 -0400
@@ -28578,7 +29203,7 @@ diff -b -B --ignore-all-space --exclude-
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.16/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.16/policy/modules/system/userdomain.if 2009-06-12 15:59:08.000000000 -0400
++++ serefpolicy-3.6.16/policy/modules/system/userdomain.if 2009-06-18 09:38:54.000000000 -0400
@@ -30,8 +30,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.864
retrieving revision 1.865
diff -u -p -r1.864 -r1.865
--- selinux-policy.spec 15 Jun 2009 20:04:07 -0000 1.864
+++ selinux-policy.spec 18 Jun 2009 14:42:34 -0000 1.865
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.16
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -473,6 +473,9 @@ exit 0
%endif
%changelog
+* Tue Jun 16 2009 Dan Walsh <dwalsh at redhat.com> 3.6.16-3
+- Add label for udev-acl
+
* Mon Jun 15 2009 Dan Walsh <dwalsh at redhat.com> 3.6.16-2
- Additional rules for consolekit/udev, privoxy and various other fixes
More information about the fedora-extras-commits
mailing list