rpms/selinux-policy/F-12 policy-F12.patch, 1.160, 1.161 selinux-policy.spec, 1.987, 1.988

Daniel J Walsh dwalsh at fedoraproject.org
Wed Dec 23 18:42:32 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2279

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Wed Dec 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-64
- Update to Rawhide filesystem.if file
- Allow abrt to read nfs
- Allow cups to search fusefs
- Allow dovecot_auth to search var_log
- Fix label on ksmtuned.pid
- Dontaudit policykit looking at mount points
- Allow xdm to manage /var/cache/fontconfig
- Allow xenstored to search xenfs


policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.te       |    3 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |   10 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/kismet.fc            |    2 
 policy/modules/admin/kismet.te            |   14 
 policy/modules/admin/logrotate.te         |   27 
 policy/modules/admin/logwatch.te          |    8 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    2 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.fc           |    1 
 policy/modules/admin/prelink.if           |   23 
 policy/modules/admin/prelink.te           |   77 +
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   21 
 policy/modules/admin/rpm.if               |  344 ++++++
 policy/modules/admin/rpm.te               |   98 +
 policy/modules/admin/shorewall.fc         |    6 
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    9 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   66 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |   12 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |   11 
 policy/modules/admin/usermanage.te        |   35 
 policy/modules/admin/vbetool.te           |   14 
 policy/modules/admin/vpn.te               |    4 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/chrome.fc             |    2 
 policy/modules/apps/chrome.if             |   86 +
 policy/modules/apps/chrome.te             |   82 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   42 
 policy/modules/apps/execmem.if            |  104 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   64 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  188 +++
 policy/modules/apps/gnome.te              |   99 +
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   24 
 policy/modules/apps/java.if               |  114 +-
 policy/modules/apps/java.te               |   19 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   67 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   52 
 policy/modules/apps/livecd.te             |   28 
 policy/modules/apps/loadkeys.te           |    6 
 policy/modules/apps/mono.fc               |    2 
 policy/modules/apps/mono.if               |  101 +
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   68 +
 policy/modules/apps/mozilla.te            |   28 
 policy/modules/apps/nsplugin.fc           |   11 
 policy/modules/apps/nsplugin.if           |  323 +++++
 policy/modules/apps/nsplugin.te           |  295 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/podsleuth.te          |    4 
 policy/modules/apps/ptchown.if            |   25 
 policy/modules/apps/pulseaudio.if         |    2 
 policy/modules/apps/pulseaudio.te         |   13 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  189 +++
 policy/modules/apps/qemu.te               |   85 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   60 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  189 +++
 policy/modules/apps/sandbox.te            |  338 +++++
 policy/modules/apps/screen.if             |    8 
 policy/modules/apps/sectoolm.fc           |    6 
 policy/modules/apps/sectoolm.if           |    3 
 policy/modules/apps/sectoolm.te           |  120 ++
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   42 
 policy/modules/apps/slocate.te            |    1 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |  115 ++
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   49 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   50 
 policy/modules/kernel/devices.fc          |   12 
 policy/modules/kernel/devices.if          |  309 +++++
 policy/modules/kernel/devices.te          |   25 
 policy/modules/kernel/domain.if           |  170 ++
 policy/modules/kernel/domain.te           |   91 +
 policy/modules/kernel/files.fc            |    5 
 policy/modules/kernel/files.if            |  475 ++++++++
 policy/modules/kernel/files.te            |    7 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  423 +++++++
 policy/modules/kernel/filesystem.te       |   16 
 policy/modules/kernel/kernel.if           |   98 +
 policy/modules/kernel/kernel.te           |   32 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    2 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   65 +
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  124 --
 policy/modules/roles/sysadm.te            |  125 --
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  667 +++++++++++
 policy/modules/roles/unconfineduser.te    |  442 +++++++
 policy/modules/roles/unprivuser.te        |  127 --
 policy/modules/roles/xguest.te            |   69 +
 policy/modules/services/abrt.fc           |    8 
 policy/modules/services/abrt.if           |  139 ++
 policy/modules/services/abrt.te           |  120 +-
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    3 
 policy/modules/services/aisexec.fc        |   12 
 policy/modules/services/aisexec.if        |  106 +
 policy/modules/services/aisexec.te        |  112 +
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   57 -
 policy/modules/services/apache.if         |  466 +++++---
 policy/modules/services/apache.te         |  457 ++++++--
 policy/modules/services/apm.te            |    6 
 policy/modules/services/arpwatch.te       |    2 
 policy/modules/services/asterisk.if       |   38 
 policy/modules/services/asterisk.te       |   36 
 policy/modules/services/automount.te      |    2 
 policy/modules/services/avahi.te          |   13 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bitlbee.te        |    2 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/bluetooth.te      |   12 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.te            |   33 
 policy/modules/services/certmaster.fc     |    3 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/certmonger.fc     |    6 
 policy/modules/services/certmonger.if     |  217 +++
 policy/modules/services/certmonger.te     |   74 +
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 +
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   18 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   98 +
 policy/modules/services/clogd.te          |   62 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |   44 
 policy/modules/services/cobbler.te        |    5 
 policy/modules/services/consolekit.fc     |    3 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   25 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 +
 policy/modules/services/corosync.te       |  110 +
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |   74 +
 policy/modules/services/cron.te           |   84 +
 policy/modules/services/cups.fc           |   14 
 policy/modules/services/cups.te           |   53 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    3 
 policy/modules/services/dbus.if           |   54 
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   60 -
 policy/modules/services/dnsmasq.te        |   12 
 policy/modules/services/dovecot.fc        |    1 
 policy/modules/services/dovecot.te        |   35 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.if       |   40 
 policy/modules/services/fail2ban.te       |    2 
 policy/modules/services/fetchmail.te      |    3 
 policy/modules/services/fprintd.te        |    5 
 policy/modules/services/ftp.te            |   64 -
 policy/modules/services/git.fc            |    8 
 policy/modules/services/git.if            |  286 +++++
 policy/modules/services/git.te            |  166 ++
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   53 
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.fc          |    2 
 policy/modules/services/inetd.te          |    4 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.if       |    6 
 policy/modules/services/kerberos.te       |   18 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ksmtuned.fc       |    5 
 policy/modules/services/ksmtuned.if       |   76 +
 policy/modules/services/ksmtuned.te       |   46 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/ldap.if           |   38 
 policy/modules/services/lircd.fc          |    2 
 policy/modules/services/lircd.if          |    9 
 policy/modules/services/lircd.te          |   25 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    4 
 policy/modules/services/milter.if         |    2 
 policy/modules/services/modemmanager.te   |    5 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   32 
 policy/modules/services/mta.te            |   36 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    6 
 policy/modules/services/mysql.fc          |    1 
 policy/modules/services/mysql.if          |   38 
 policy/modules/services/mysql.te          |   25 
 policy/modules/services/nagios.fc         |   46 
 policy/modules/services/nagios.if         |  126 ++
 policy/modules/services/nagios.te         |  193 ++-
 policy/modules/services/networkmanager.fc |   15 
 policy/modules/services/networkmanager.if |   65 +
 policy/modules/services/networkmanager.te |  118 +-
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.if           |   18 
 policy/modules/services/nscd.te           |   21 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntop.fc           |    1 
 policy/modules/services/ntop.te           |   32 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nut.fc            |   16 
 policy/modules/services/nut.if            |   58 +
 policy/modules/services/nut.te            |  188 +++
 policy/modules/services/nx.fc             |   10 
 policy/modules/services/nx.if             |   67 +
 policy/modules/services/nx.te             |   13 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/openvpn.te        |    4 
 policy/modules/services/pcscd.if          |   41 
 policy/modules/services/pcscd.te          |    4 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/plymouth.fc       |    5 
 policy/modules/services/plymouth.if       |  304 +++++
 policy/modules/services/plymouth.te       |  102 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   68 -
 policy/modules/services/portreserve.te    |    3 
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++
 policy/modules/services/postfix.te        |  142 ++
 policy/modules/services/postgresql.fc     |   16 
 policy/modules/services/postgresql.if     |   60 +
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    3 
 policy/modules/services/privoxy.fc        |    3 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rdisc.if          |   19 
 policy/modules/services/rgmanager.fc      |    8 
 policy/modules/services/rgmanager.if      |   59 +
 policy/modules/services/rgmanager.te      |  187 +++
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  367 ++++++
 policy/modules/services/rhcs.te           |  410 +++++++
 policy/modules/services/ricci.te          |   30 
 policy/modules/services/rpc.fc            |    4 
 policy/modules/services/rpc.if            |   45 
 policy/modules/services/rpc.te            |   27 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    4 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  138 ++
 policy/modules/services/samba.te          |   91 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  124 ++
 policy/modules/services/setroubleshoot.te |   83 +
 policy/modules/services/smartmon.te       |   17 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/snort.te          |    1 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  139 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  207 +++
 policy/modules/services/ssh.te            |  155 ++
 policy/modules/services/sssd.fc           |    5 
 policy/modules/services/sssd.if           |   62 +
 policy/modules/services/sssd.te           |   17 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/tftp.fc           |    2 
 policy/modules/services/tgtd.fc           |    3 
 policy/modules/services/tgtd.if           |   28 
 policy/modules/services/tgtd.te           |   69 +
 policy/modules/services/tor.te            |   13 
 policy/modules/services/tuned.fc          |    6 
 policy/modules/services/tuned.if          |  140 ++
 policy/modules/services/tuned.te          |   60 +
 policy/modules/services/uucp.te           |   10 
 policy/modules/services/vhostmd.fc        |    6 
 policy/modules/services/vhostmd.if        |  228 ++++
 policy/modules/services/vhostmd.te        |   87 +
 policy/modules/services/virt.fc           |   14 
 policy/modules/services/virt.if           |  210 +++
 policy/modules/services/virt.te           |  285 ++++-
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   45 
 policy/modules/services/xserver.if        |  665 ++++++++++-
 policy/modules/services/xserver.te        |  384 +++++-
 policy/modules/services/zebra.if          |   20 
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   12 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  210 +++
 policy/modules/system/authlogin.te        |   11 
 policy/modules/system/fstools.fc          |    3 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  184 +++
 policy/modules/system/init.te             |  292 +++--
 policy/modules/system/ipsec.fc            |    7 
 policy/modules/system/ipsec.if            |   45 
 policy/modules/system/ipsec.te            |   78 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 +
 policy/modules/system/iptables.te         |   23 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    8 
 policy/modules/system/kdump.te            |    5 
 policy/modules/system/libraries.fc        |  195 ++-
 policy/modules/system/libraries.if        |    5 
 policy/modules/system/libraries.te        |   18 
 policy/modules/system/locallogin.te       |   30 
 policy/modules/system/logging.fc          |   12 
 policy/modules/system/logging.if          |   20 
 policy/modules/system/logging.te          |   38 
 policy/modules/system/lvm.if              |   39 
 policy/modules/system/lvm.te              |   31 
 policy/modules/system/miscfiles.fc        |    3 
 policy/modules/system/miscfiles.if        |   93 +
 policy/modules/system/miscfiles.te        |    5 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   47 
 policy/modules/system/modutils.te         |   56 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |   83 +
 policy/modules/system/mount.te            |   87 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  309 +++++
 policy/modules/system/selinuxutil.te      |  229 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |   10 
 policy/modules/system/sysnetwork.if       |  114 +-
 policy/modules/system/sysnetwork.te       |   80 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   39 
 policy/modules/system/udev.te             |   39 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 -------
 policy/modules/system/unconfined.te       |  224 ---
 policy/modules/system/userdomain.fc       |    7 
 policy/modules/system/userdomain.if       | 1702 +++++++++++++++++++++++-------
 policy/modules/system/userdomain.te       |   51 
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   47 
 policy/modules/system/xen.te              |  146 ++
 policy/support/obj_perm_sets.spt          |   31 
 policy/users                              |   13 
 413 files changed, 21983 insertions(+), 2838 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.160
retrieving revision 1.161
diff -u -p -r1.160 -r1.161
--- policy-F12.patch	22 Dec 2009 21:23:31 -0000	1.160
+++ policy-F12.patch	23 Dec 2009 18:42:31 -0000	1.161
@@ -4816,7 +4816,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.32/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/sambagui.te	2009-12-23 12:39:44.000000000 -0500
 @@ -0,0 +1,60 @@
 +policy_module(sambagui,1.0.0)
 +
@@ -4833,7 +4833,7 @@ diff -b -B --ignore-all-space --exclude-
 +#
 +# system-config-samba local policy
 +#
-+
++allow sambagui_t self:capability dac_override;  
 +allow sambagui_t self:fifo_file rw_fifo_file_perms;
 +allow sambagui_t self:unix_dgram_socket create_socket_perms;
 +
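Review bot: The new `allow sambagui_t self:capability dac_override;` lets system-config-samba bypass every discretionary file-permission check, and nothing in the hunk records which operation fails without it, so a later reviewer cannot tell whether the narrower `dac_read_search` capability would suffice. A one-line comment above the rule, e.g. `# dac_override: TODO record the file access that requires it (dac_read_search may be enough)`, would make the grant reviewable. The added line also carries trailing whitespace after the semicolon. sambagui_t's declarations and the rest of its rules lie outside this hunk.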
@@ -5078,8 +5078,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2009-12-21 14:31:10.000000000 -0500
-@@ -0,0 +1,336 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2009-12-23 12:55:36.000000000 -0500
+@@ -0,0 +1,338 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -5318,6 +5318,8 @@ diff -b -B --ignore-all-space --exclude-
 +allow sandbox_web_client_t self:dbus { acquire_svc send_msg };
 +allow sandbox_web_client_t self:netlink_selinux_socket create_socket_perms;
 +
++kernel_dontaudit_search_kernel_sysctl(sandbox_web_client_t)
++
 +dev_read_rand(sandbox_web_client_t)
 +
 +# Browse the web, connect to printer
@@ -7015,7 +7017,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te	2009-12-23 07:51:15.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -7875,22 +7877,13 @@ diff -b -B --ignore-all-space --exclude-
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if	2009-12-18 15:27:02.000000000 -0500
-@@ -290,7 +290,7 @@
- 
- ########################################
- ## <summary>
--##	Read and write files on anon_inodefs
-+##	Dontaudit Read and write files on anon_inodefs
- ##	file systems.
- ## </summary>
- ## <param name="domain">
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if	2009-12-23 12:11:00.000000000 -0500
 @@ -310,6 +310,26 @@
  
  ########################################
  ## <summary>
-+##	Dontaudit Read and write files on anon_inodefs
-+##	file systems.
++##	Do not audit attempts to read or write files on
++##	anon_inodefs file systems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7904,7 +7897,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +	')
 +
-+	dontaudit $1 anon_inodefs_t:file { read write };  
++	dontaudit $1 anon_inodefs_t:file rw_file_perms;
 +')
 +
 +########################################
@@ -7927,40 +7920,40 @@ diff -b -B --ignore-all-space --exclude-
  
 +#######################################
 +## <summary>
-+##      Create, read, write, and delete dirs
-+##      on a configfs filesystem.
++##	Create, read, write, and delete dirs
++##	on a configfs filesystem.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
 +interface(`fs_manage_configfs_dirs',`
-+        gen_require(`
-+                type configfs_t;
-+        ')
++	gen_require(`
++		type configfs_t;
++	')
 +
-+        manage_dirs_pattern($1,configfs_t,configfs_t)
++	manage_dirs_pattern($1, configfs_t, configfs_t)
 +')
 +
 +#######################################
 +## <summary>
-+##      Create, read, write, and delete files
-+##      on a configfs filesystem.
++##	Create, read, write, and delete files
++##	on a configfs filesystem.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
 +interface(`fs_manage_configfs_files',`
-+        gen_require(`
-+                type configfs_t;
-+        ')
++	gen_require(`
++		type configfs_t;
++	')
 +
-+        manage_files_pattern($1,configfs_t,configfs_t)
++	manage_files_pattern($1, configfs_t, configfs_t)
 +')
 +
  ########################################
@@ -8061,7 +8054,7 @@ diff -b -B --ignore-all-space --exclude-
 +		type nfsd_fs_t;
 +	')
 +
-+	allow $1 nfsd_fs_t:file getattr;
++	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 +')
 +
 +########################################
@@ -8069,34 +8062,29 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read and write NFS server files.
  ## </summary>
  ## <param name="domain">
-@@ -3971,3 +4102,159 @@
- 	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
- 	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
- ')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read
-+##	dirs on a CIFS or SMB filesystem.
+@@ -3572,6 +3703,122 @@
+ 
+ ########################################
+ ## <summary>
++##	Mount a XENFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_list_cifs_dirs',`
++interface(`fs_mount_xenfs',`
 +	gen_require(`
-+		type cifs_t;
++		type xenfs_t;
 +	')
 +
-+	dontaudit $1 cifs_t:dir list_dir_perms;
++	allow $1 xenfs_t:filesystem mount;
 +')
 +
-+
 +########################################
 +## <summary>
-+##	Mount a XENFS filesystem.
++##	Search the XENFS filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -8104,12 +8092,12 @@ diff -b -B --ignore-all-space --exclude-
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_mount_xenfs',`
++interface(`fs_search_xenfs',`
 +	gen_require(`
 +		type xenfs_t;
 +	')
 +
-+	allow $1 xenfs_t:filesystem mount;
++	allow $1 xenfs_t:dir search_dir_perms;
 +')
 +
 +########################################
@@ -8194,6 +8182,55 @@ diff -b -B --ignore-all-space --exclude-
 +
 +########################################
 +## <summary>
+ ##	Mount all filesystems.
+ ## </summary>
+ ## <param name="domain">
+@@ -3971,3 +4218,175 @@
+ 	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
+ 	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
+ ')
++
++########################################
++## <summary>
++##      list dirs on cgroup
++##      file systems.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_list_cgroup_dirs', `
++        gen_require(`
++                type cgroup_t;
++
++        ')
++
++        list_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read
++##	dirs on a CIFS or SMB filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_list_cifs_dirs',`
++	gen_require(`
++		type cifs_t;
++	')
++
++	dontaudit $1 cifs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Manage dirs on cgroup file systems.
 +## </summary>
 +## <param name="domain">
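Review bot: The new `fs_list_cgroup_dirs` interface is indented with eight spaces and has a stray blank line inside its `gen_require` block, while the surrounding interfaces in filesystem.if use tabs and no blank line there; this same commit converts the configfs interfaces from spaces to tabs a few hunks earlier, so this one should match: `	gen_require(`` / `		type cgroup_t;` / `	')`. The same stray blank line inside `gen_require` recurs in `fs_setattr_cgroup_files` and `fs_write_cgroup_files` in the next hunk. The summary `list dirs on cgroup file systems.` should also be capitalised like the other summaries. `fs_dontaudit_list_cifs_dirs` is only relocated in this hunk, not changed.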
@@ -8229,6 +8266,101 @@ diff -b -B --ignore-all-space --exclude-
 +
 +	rw_files_pattern($1, cgroup_t, cgroup_t)
 +')
++########################################
++## <summary>
++##	Mount a cgroup filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_mount_cgroup_fs', `
++	gen_require(`
++		type cgroup_t;
++	')
++
++	allow $1 cgroup_t:filesystem mount;
++')
++
++########################################
++## <summary>
++##	Remount a cgroup filesystem  This allows
++##	some mount options to be changed.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_remount_cgroup_fs', `
++	gen_require(`
++		type cgroup_t;
++	')
++
++	allow $1 cgroup_t:filesystem remount;
++')
++
++########################################
++## <summary>
++##	Unmount a cgroup file system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_unmount_cgroup_fs', `
++	gen_require(`
++		type cgroup_t;
++	')
++
++	allow $1 cgroup_t:filesystem unmount;
++')
++
++########################################
++## <summary>
++##	Set attributes of files on cgroup
++##	file systems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_setattr_cgroup_files',`
++	gen_require(`
++		type cgroup_t;
++
++	')
++
++	setattr_files_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++## <summary>
++##	Write files on cgroup
++##	file systems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_write_cgroup_files', `
++	gen_require(`
++		type cgroup_t;
++
++	')
++
++	write_files_pattern($1, cgroup_t, cgroup_t)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te	2009-12-17 11:20:45.000000000 -0500
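Review bot: The run of new cgroup interfaces begins with `########################################` directly after the `')` that closes `fs_rw_cgroup_files`' predecessor, with no separating blank line, which breaks the one-blank-line spacing every other interface in this file keeps; an empty `+` line is needed before it. The mount/remount/unmount names (`fs_mount_cgroup_fs`, `fs_remount_cgroup_fs`, `fs_unmount_cgroup_fs`) carry an `_fs` suffix that the xenfs counterpart added earlier in this patch (`fs_mount_xenfs`) does not, so it is worth confirming the intended upstream name before the interfaces are exported, since callers in other modules will depend on them. The summary `Remount a cgroup filesystem  This allows` is missing a full stop after "filesystem".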
@@ -8308,7 +8440,7 @@ diff -b -B --ignore-all-space --exclude-
  # Rules for all filesystem types
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.32/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/kernel.if	2009-12-23 12:55:00.000000000 -0500
 @@ -485,6 +485,25 @@
  
  ########################################
@@ -10901,7 +11033,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-12-22 08:42:28.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-12-23 07:13:32.000000000 -0500
 @@ -33,12 +33,24 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
@@ -10949,7 +11081,7 @@ diff -b -B --ignore-all-space --exclude-
  files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
  
  kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,34 @@
+@@ -75,18 +90,35 @@
  
  corecmd_exec_bin(abrt_t)
  corecmd_exec_shell(abrt_t)
@@ -10980,11 +11112,12 @@ diff -b -B --ignore-all-space --exclude-
  fs_getattr_all_fs(abrt_t)
  fs_getattr_all_dirs(abrt_t)
 +fs_read_fusefs_files(abrt_t)
++fs_read_nfs_files(abrt_t)
 +fs_search_all(abrt_t)
  
  sysnet_read_config(abrt_t)
  
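Review bot: `fs_read_nfs_files(abrt_t)` is granted unconditionally, while NFS access elsewhere in this same patch is gated, e.g. the `tunable_policy(`use_nfs_home_dirs',` block around `fs_manage_nfs_dirs(cups_pdf_t)`. If the intent is to let abrt pick up core dumps from NFS-mounted home directories, wrapping the rule in `tunable_policy(`use_nfs_home_dirs',` … `')` keeps the crash reporter off network filesystems on hosts that have not enabled the boolean. If abrt genuinely needs NFS reads regardless of the boolean, a one-line comment saying why would stop the next reviewer from re-asking. The abrt_t rule block continues outside this hunk.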
-@@ -96,22 +127,90 @@
+@@ -96,22 +128,90 @@
  miscfiles_read_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
@@ -15219,7 +15352,7 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/cups.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/cups.te	2009-12-23 12:11:24.000000000 -0500
 @@ -23,6 +23,9 @@
  type cupsd_initrc_exec_t;
  init_script_file(cupsd_initrc_exec_t)
@@ -15281,7 +15414,15 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
-@@ -232,6 +244,7 @@
+@@ -191,6 +203,7 @@
+ 
+ fs_getattr_all_fs(cupsd_t)
+ fs_search_auto_mountpoints(cupsd_t)
++fs_search_fusefs(cupsd_t)
+ fs_read_anon_inodefs_files(cupsd_t)
+ 
+ mls_file_downgrade(cupsd_t)
+@@ -232,6 +245,7 @@
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
  
@@ -15289,7 +15430,7 @@ diff -b -B --ignore-all-space --exclude-
  init_exec_script_files(cupsd_t)
  init_read_utmp(cupsd_t)
  
-@@ -250,6 +263,7 @@
+@@ -250,6 +264,7 @@
  miscfiles_read_localization(cupsd_t)
  # invoking ghostscript needs to read fonts
  miscfiles_read_fonts(cupsd_t)
@@ -15297,7 +15438,7 @@ diff -b -B --ignore-all-space --exclude-
  
  seutil_read_config(cupsd_t)
  sysnet_exec_ifconfig(cupsd_t)
-@@ -317,6 +331,10 @@
+@@ -317,6 +332,10 @@
  ')
  
  optional_policy(`
@@ -15308,7 +15449,7 @@ diff -b -B --ignore-all-space --exclude-
  	udev_read_db(cupsd_t)
  ')
  
-@@ -327,7 +345,7 @@
+@@ -327,7 +346,7 @@
  
  allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
  dontaudit cupsd_config_t self:capability sys_tty_config;
@@ -15317,7 +15458,7 @@ diff -b -B --ignore-all-space --exclude-
  allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
  allow cupsd_config_t self:unix_stream_socket create_socket_perms;
  allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
-@@ -378,6 +396,8 @@
+@@ -378,6 +397,8 @@
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
  
@@ -15326,7 +15467,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
  
-@@ -407,6 +427,7 @@
+@@ -407,6 +428,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -15334,7 +15475,7 @@ diff -b -B --ignore-all-space --exclude-
  
  cups_stream_connect(cupsd_config_t)
  
-@@ -419,12 +440,15 @@
+@@ -419,12 +441,15 @@
  ')
  
  optional_policy(`
@@ -15352,7 +15493,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	optional_policy(`
  		hal_dbus_chat(cupsd_config_t)
-@@ -446,6 +470,10 @@
+@@ -446,6 +471,10 @@
  ')
  
  optional_policy(`
@@ -15363,7 +15504,7 @@ diff -b -B --ignore-all-space --exclude-
  	rpm_read_db(cupsd_config_t)
  ')
  
-@@ -457,6 +485,10 @@
+@@ -457,6 +486,10 @@
  	udev_read_db(cupsd_config_t)
  ')
  
@@ -15374,7 +15515,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Cups lpd support
-@@ -542,6 +574,8 @@
+@@ -542,6 +575,8 @@
  manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
  files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
  
@@ -15383,7 +15524,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_system_state(cups_pdf_t)
  
  files_read_etc_files(cups_pdf_t)
-@@ -556,11 +590,15 @@
+@@ -556,11 +591,15 @@
  miscfiles_read_fonts(cups_pdf_t)
  
  userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -15399,7 +15540,7 @@ diff -b -B --ignore-all-space --exclude-
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +639,9 @@
+@@ -601,6 +640,9 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -15409,7 +15550,7 @@ diff -b -B --ignore-all-space --exclude-
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
  files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
  
-@@ -627,6 +668,7 @@
+@@ -627,6 +669,7 @@
  corenet_tcp_connect_ipp_port(hplip_t)
  corenet_sendrecv_hplip_client_packets(hplip_t)
  corenet_receive_hplip_server_packets(hplip_t)
@@ -15973,7 +16114,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2009-12-22 15:39:34.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2009-12-23 12:50:16.000000000 -0500
 @@ -56,7 +56,7 @@
  
  allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -16046,7 +16187,15 @@ diff -b -B --ignore-all-space --exclude-
  allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
-@@ -260,3 +274,18 @@
+@@ -247,6 +261,7 @@
+ dovecot_stream_connect_auth(dovecot_deliver_t)
+ 
+ files_search_tmp(dovecot_deliver_t)
++files_search_var_log(dovecot_auth_t)
+ 
+ fs_getattr_all_fs(dovecot_deliver_t)
+ 
+@@ -260,3 +275,17 @@
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
  ')
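Review bot: `files_search_var_log(dovecot_auth_t)` is inserted in the middle of the `dovecot_deliver_t` rules (between `files_search_tmp(dovecot_deliver_t)` and `fs_getattr_all_fs(dovecot_deliver_t)`), which makes it easy to misread as a deliver rule and easy to lose the next time that section is edited. Move it to the dovecot_auth_t section of the file, alongside the other `dovecot_auth_t` files_* rules (outside this hunk). The grant is search-only on the log directory and does not by itself let the auth helper read any log file; if it exists so dovecot-auth can reach a specific path under /var/log, a short comment naming that path would make the rule self-explaining.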
@@ -16064,7 +16213,6 @@ diff -b -B --ignore-all-space --exclude-
 +	fs_manage_cifs_files(dovecot_t)
 +	fs_manage_cifs_symlinks(dovecot_t)
 +')
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/exim.te	2009-12-17 11:20:45.000000000 -0500
@@ -17271,13 +17419,13 @@ diff -b -B --ignore-all-space --exclude-
  manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc
 --- nsaserefpolicy/policy/modules/services/ksmtuned.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.fc	2009-12-23 07:41:19.000000000 -0500
 @@ -0,0 +1,5 @@
 +/etc/rc\.d/init\.d/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
 +
 +/usr/sbin/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_exec_t,s0)
 +
-+/var/run/ksmtune\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
++/var/run/ksmtune\.pid		--	gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.6.32/policy/modules/services/ksmtuned.if
 --- nsaserefpolicy/policy/modules/services/ksmtuned.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.if	2009-12-17 11:20:45.000000000 -0500
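Review bot: The relabel to `ksmtuned_var_run_t` fixes an obvious copy-paste from the ntpd policy, but the path is `/var/run/ksmtune\.pid` while the init script and executable in the same file are named `ksmtuned`; if the daemon actually writes `/var/run/ksmtuned.pid` this entry never matches and the pid file keeps the generic var_run_t label, so confirm the file name against the ksmtuned script before shipping. `ksmtuned_var_run_t` also has to be declared (with `files_pid_file()`) in ksmtuned.te for the module to build; that file is not part of this hunk.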
@@ -17917,7 +18065,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Send a generic signal to MySQL.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/mysql.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/mysql.te	2009-12-23 12:06:27.000000000 -0500
 @@ -1,6 +1,13 @@
  
  policy_module(mysql, 1.11.0)
@@ -20519,7 +20667,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/policykit.te	2009-12-17 11:20:45.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/policykit.te	2009-12-23 12:07:34.000000000 -0500
 @@ -36,11 +36,12 @@
  # policykit local policy
  #
@@ -20537,13 +20685,14 @@ diff -b -B --ignore-all-space --exclude-
  
  policykit_domtrans_auth(policykit_t)
  
-@@ -57,32 +58,53 @@
+@@ -57,32 +58,54 @@
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
 +kernel_read_system_state(policykit_t)
  kernel_read_kernel_sysctls(policykit_t)
  
++files_dontaudit_search_all_mountpoints(policykit_t)
  files_read_etc_files(policykit_t)
  files_read_usr_files(policykit_t)
  
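Review bot: `files_dontaudit_search_all_mountpoints(policykit_t)` silences the denial rather than deciding whether the access is needed; if polkitd traverses a mount point for a real reason (for instance resolving a path that crosses into a separately mounted filesystem), that failure now happens with no AVC to point at it. Record what produced the denial so the next person can tell noise from a genuinely missing rule, e.g. `# dontaudit: polkitd stats parent dirs up to the mount point while canonicalising paths`, adjusted to match the actual audit message. The policykit_t block continues outside this hunk.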
@@ -20595,7 +20744,7 @@ diff -b -B --ignore-all-space --exclude-
  
  rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
  
-@@ -92,21 +114,25 @@
+@@ -92,21 +115,25 @@
  manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
  
@@ -20624,7 +20773,7 @@ diff -b -B --ignore-all-space --exclude-
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -119,6 +145,14 @@
+@@ -119,6 +146,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -20639,7 +20788,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # polkit_grant local policy
-@@ -126,7 +160,8 @@
+@@ -126,7 +161,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -20649,7 +20798,7 @@ diff -b -B --ignore-all-space --exclude-
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -156,9 +191,12 @@
+@@ -156,9 +192,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -20663,7 +20812,7 @@ diff -b -B --ignore-all-space --exclude-
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -170,7 +208,8 @@
+@@ -170,7 +209,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -28585,7 +28734,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-12-21 17:51:39.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2009-12-23 09:07:45.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -29006,7 +29155,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +565,12 @@
+@@ -460,10 +565,13 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -29016,12 +29165,13 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_fonts(xdm_t)
 -
 -sysnet_read_config(xdm_t)
++miscfiles_manage_fonts_cache(xdm_t)
 +miscfiles_manage_localization(xdm_t)
 +miscfiles_read_hwdata(xdm_t)
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +579,10 @@
+@@ -472,6 +580,10 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -29032,7 +29182,7 @@ diff -b -B --ignore-all-space --exclude-
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,10 +615,12 @@
+@@ -504,10 +616,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -29045,7 +29195,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -515,12 +628,47 @@
+@@ -515,12 +629,47 @@
  ')
  
  optional_policy(`
@@ -29093,7 +29243,7 @@ diff -b -B --ignore-all-space --exclude-
  	hostname_exec(xdm_t)
  ')
  
-@@ -535,6 +683,7 @@
+@@ -535,6 +684,7 @@
  optional_policy(`
  	# Do not audit attempts to check whether user root has email
  	mta_dontaudit_getattr_spool_files(xdm_t)
@@ -29101,7 +29251,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -542,6 +691,39 @@
+@@ -542,6 +692,39 @@
  ')
  
  optional_policy(`
@@ -29141,7 +29291,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +732,9 @@
+@@ -550,8 +733,9 @@
  ')
  
  optional_policy(`
@@ -29153,7 +29303,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -560,7 +743,6 @@
+@@ -560,7 +744,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -29161,7 +29311,7 @@ diff -b -B --ignore-all-space --exclude-
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +753,10 @@
+@@ -571,6 +754,10 @@
  ')
  
  optional_policy(`
@@ -29172,7 +29322,7 @@ diff -b -B --ignore-all-space --exclude-
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,10 +773,9 @@
+@@ -587,10 +774,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -29184,7 +29334,7 @@ diff -b -B --ignore-all-space --exclude-
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +787,12 @@
+@@ -602,9 +788,12 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -29197,7 +29347,7 @@ diff -b -B --ignore-all-space --exclude-
  
  allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
  
-@@ -616,13 +804,14 @@
+@@ -616,13 +805,14 @@
  type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
  
  allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -29213,7 +29363,7 @@ diff -b -B --ignore-all-space --exclude-
  
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +824,19 @@
+@@ -635,9 +825,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -29233,7 +29383,7 @@ diff -b -B --ignore-all-space --exclude-
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +870,6 @@
+@@ -671,7 +871,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -29241,7 +29391,7 @@ diff -b -B --ignore-all-space --exclude-
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -681,9 +879,12 @@
+@@ -681,9 +880,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -29255,7 +29405,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +899,12 @@
+@@ -698,8 +900,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -29268,7 +29418,7 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -721,6 +926,8 @@
+@@ -721,6 +927,8 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -29277,7 +29427,7 @@ diff -b -B --ignore-all-space --exclude-
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -743,7 +950,7 @@
+@@ -743,7 +951,7 @@
  ')
  
  ifdef(`enable_mls',`
@@ -29286,7 +29436,7 @@ diff -b -B --ignore-all-space --exclude-
  	range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
  ')
  
-@@ -775,12 +982,20 @@
+@@ -775,12 +983,20 @@
  ')
  
  optional_policy(`
@@ -29308,7 +29458,7 @@ diff -b -B --ignore-all-space --exclude-
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -807,12 +1022,12 @@
+@@ -807,12 +1023,12 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -29325,7 +29475,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Run xkbcomp.
  allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -828,9 +1043,14 @@
+@@ -828,9 +1044,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -29340,7 +29490,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1065,14 @@
+@@ -845,11 +1066,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -29356,7 +29506,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -882,6 +1105,8 @@
+@@ -882,6 +1106,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -29365,7 +29515,7 @@ diff -b -B --ignore-all-space --exclude-
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -906,6 +1131,8 @@
+@@ -906,6 +1132,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -29374,7 +29524,7 @@ diff -b -B --ignore-all-space --exclude-
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1200,49 @@
+@@ -973,17 +1201,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -31475,7 +31625,7 @@ diff -b -B --ignore-all-space --exclude-
 +permissive kdump_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2009-12-22 08:51:17.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2009-12-23 12:43:17.000000000 -0500
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -31683,7 +31833,7 @@ diff -b -B --ignore-all-space --exclude-
  ') dnl end distro_redhat
  
  #
-@@ -307,10 +309,115 @@
+@@ -307,10 +309,117 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -31799,6 +31949,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib(64)?/nmm/liba52\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/chromium-browser/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/games/darwinia/lib/libSDL.*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/system/libraries.if	2009-12-17 11:20:47.000000000 -0500
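Review bot: Both new entries assign `textrel_shlib_t`, the type that permits `execmod` (text relocations) and therefore exempts these objects from the W^X protection ordinary lib_t gets; that is the accepted workaround for non-PIC builds, but `/usr/local/games/darwinia/lib/libSDL.*\.so.*` describes a hand-installed, unpackaged tree under /usr/local, and the `libSDL.*` prefix also sweeps in any libSDL_* helper library dropped there. If only the bundled libSDL itself needs text relocations, tighten the pattern to that one file name; either way a trailing comment naming the offending library keeps these exemptions reviewable later.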
@@ -32350,22 +32502,49 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc	2009-12-17 11:20:47.000000000 -0500
-@@ -41,6 +41,7 @@
- 
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc	2009-12-23 09:06:30.000000000 -0500
+@@ -42,6 +42,7 @@
  /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
  
-+/usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
  /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
++/usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
  /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
  /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+@@ -70,7 +71,7 @@
+ 
+ /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+ 
+-/var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
++/var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
+ /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
+ /var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2009-12-17 11:20:47.000000000 -0500
-@@ -87,6 +87,45 @@
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2009-12-23 09:06:09.000000000 -0500
+@@ -73,7 +73,8 @@
+ #
+ interface(`miscfiles_read_fonts',`
+ 	gen_require(`
+-		type fonts_t;
++		type fonts_t, fonts_cache_t;
++
+ 	')
  
- ########################################
- ## <summary>
+ 	# cjp: fonts can be in either of these dirs
+@@ -83,6 +84,49 @@
+ 	allow $1 fonts_t:dir list_dir_perms;
+ 	read_files_pattern($1, fonts_t, fonts_t)
+ 	read_lnk_files_pattern($1, fonts_t, fonts_t)
++
++	allow $1 fonts_cache_t:dir list_dir_perms;
++	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
++	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
++')
++
++########################################
++## <summary>
 +##	Set the attributes on a fonts directory.
 +## </summary>
 +## <param name="domain">
@@ -32401,14 +32580,43 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +
 +	dontaudit $1 fonts_t:dir setattr;
+ ')
+ 
+ ########################################
+@@ -128,6 +172,32 @@
+ 	manage_dirs_pattern($1, fonts_t, fonts_t)
+ 	manage_files_pattern($1, fonts_t, fonts_t)
+ 	manage_lnk_files_pattern($1, fonts_t, fonts_t)
++	miscfiles_manage_fonts_cache($1)
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to write fonts.
- ## </summary>
- ## <param name="domain">
-@@ -255,6 +294,25 @@
++##	Create, read, write, and delete fonts cache.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_manage_fonts_cache',`
++	gen_require(`
++		type fonts_t;
++	')
++
++	# cjp: fonts can be in either of these dirs
++	files_search_usr($1)
++	libs_search_lib($1)
++
++	manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
++	manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
++	manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ ')
+ 
+ ########################################
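Review bot: `miscfiles_manage_fonts_cache` requires `type fonts_t;` in its gen_require, but every rule in its body is on `fonts_cache_t`, so a module that calls this interface without already requiring fonts_cache_t through another path (such as `miscfiles_read_fonts`) will fail to build, and where it links by accident the requirement is recorded on the wrong type. Change the require to `type fonts_cache_t;`. The `# cjp: fonts can be in either of these dirs` comment with `files_search_usr($1)` and `libs_search_lib($1)` was carried over from `miscfiles_manage_fonts`; the cache directory labelled fonts_cache_t in this patch is /var/cache/fontconfig, so replace those three lines with `files_search_var($1)` so callers can actually reach it.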
+@@ -255,6 +325,25 @@
  
  ########################################
  ## <summary>
@@ -32434,7 +32642,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to search man pages.
  ## </summary>
  ## <param name="domain">
-@@ -268,7 +326,7 @@
+@@ -268,7 +357,7 @@
  		type man_t;
  	')
  
@@ -32445,7 +32653,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.6.32/policy/modules/system/miscfiles.te
 --- nsaserefpolicy/policy/modules/system/miscfiles.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.te	2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.te	2009-12-23 09:05:40.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(miscfiles, 1.7.0)
@@ -32453,6 +32661,16 @@ diff -b -B --ignore-all-space --exclude-
  
  ########################################
  #
+@@ -19,6 +19,9 @@
+ type fonts_t;
+ files_type(fonts_t)
+ 
++type fonts_cache_t;
++files_type(fonts_cache_t)
++
+ #
+ # type for /usr/share/hwdata
+ #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.32/policy/modules/system/modutils.fc
 --- nsaserefpolicy/policy/modules/system/modutils.fc	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/system/modutils.fc	2009-12-17 11:20:47.000000000 -0500
@@ -35283,7 +35501,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-21 14:36:02.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-12-23 07:52:17.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -36329,7 +36547,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_common_user_template($1)
  
  	##############################
-@@ -953,58 +1086,68 @@
+@@ -953,58 +1086,70 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -36346,12 +36564,7 @@ diff -b -B --ignore-all-space --exclude-
  
 -	ifndef(`enable_mls',`
 -		fs_exec_noxattr($1_t)
-+	# Allow users to run TCP servers (bind to ports and accept connection from
-+	# the same domain and outside users) disabling this forces FTP passive mode
-+	# and may change other protocols
-+	tunable_policy(`user_tcp_server',`
-+		corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+	')
++	fs_list_cgroup_dirs($1_usertype)
  
 -		tunable_policy(`user_rw_noexattrfile',`
 -			fs_manage_noxattr_fs_files($1_t)
@@ -36361,12 +36574,15 @@ diff -b -B --ignore-all-space --exclude-
 -			storage_raw_write_removable_device($1_t)
 -		',`
 -			storage_raw_read_removable_device($1_t)
-+	optional_policy(`
-+		cdrecord_role($1_r, $1_t)
++	# Allow users to run TCP servers (bind to ports and accept connection from
++	# the same domain and outside users) disabling this forces FTP passive mode
++	# and may change other protocols
++	tunable_policy(`user_tcp_server',`
++		corenet_tcp_bind_all_unreserved_ports($1_usertype)
  		')
 +
 +	optional_policy(`
-+		cron_role($1_r, $1_t)
++		cdrecord_role($1_r, $1_t)
  	')
  
 -	tunable_policy(`user_dmesg',`
@@ -36374,7 +36590,7 @@ diff -b -B --ignore-all-space --exclude-
 -	',`
 -		kernel_dontaudit_read_ring_buffer($1_t)
 +	optional_policy(`
-+		games_rw_data($1_usertype)
++		cron_role($1_r, $1_t)
  	')
  
 -	# Allow users to run TCP servers (bind to ports and accept connection from
@@ -36384,28 +36600,32 @@ diff -b -B --ignore-all-space --exclude-
 -		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +	optional_policy(`
-+		gpg_role($1_r, $1_usertype)
++		games_rw_data($1_usertype)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r)
 -		netutils_run_traceroute_cond($1_t,$1_r)
-+		gpm_stream_connect($1_usertype)
++		gpg_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		postgresql_role($1_r,$1_t)
-+		execmem_role_template($1, $1_r, $1_t)
++		gpm_stream_connect($1_usertype)
  	')
  
 -	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		java_role_template($1, $1_r, $1_t)
++		execmem_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		java_role_template($1, $1_r, $1_t)
++	')
++
++	optional_policy(`
 +		mono_role_template($1, $1_r, $1_t)
 +	')
 +
@@ -36428,7 +36648,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -1040,7 +1183,7 @@
+@@ -1040,7 +1185,7 @@
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -36437,7 +36657,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	##############################
-@@ -1049,8 +1192,7 @@
+@@ -1049,8 +1194,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -36447,7 +36667,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1075,6 +1217,9 @@
+@@ -1075,6 +1219,9 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -36457,7 +36677,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1234,7 @@
+@@ -1089,6 +1236,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -36465,7 +36685,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1096,8 +1242,6 @@
+@@ -1096,8 +1244,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -36474,7 +36694,7 @@ diff -b -B --ignore-all-space --exclude-
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1124,12 +1268,11 @@
+@@ -1124,12 +1270,11 @@
  	files_exec_usr_src_files($1_t)
  
  	fs_getattr_all_fs($1_t)
@@ -36489,7 +36709,7 @@ diff -b -B --ignore-all-space --exclude-
  	term_use_all_terms($1_t)
  
  	auth_getattr_shadow($1_t)
-@@ -1152,20 +1295,6 @@
+@@ -1152,20 +1297,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -36510,7 +36730,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1340,7 @@
+@@ -1211,6 +1342,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -36518,7 +36738,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1276,11 +1406,15 @@
+@@ -1276,11 +1408,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -36534,7 +36754,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1391,12 +1525,13 @@
+@@ -1391,12 +1527,13 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36549,7 +36769,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1429,6 +1564,14 @@
+@@ -1429,6 +1566,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -36564,7 +36784,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1444,9 +1587,11 @@
+@@ -1444,9 +1589,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -36576,7 +36796,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1503,6 +1648,42 @@
+@@ -1503,6 +1650,42 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -36619,7 +36839,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1577,6 +1758,8 @@
+@@ -1577,6 +1760,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36628,7 +36848,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1619,6 +1802,24 @@
+@@ -1619,6 +1804,24 @@
  
  ########################################
  ## <summary>
@@ -36653,7 +36873,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1670,6 +1871,7 @@
+@@ -1670,6 +1873,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -36661,7 +36881,7 @@ diff -b -B --ignore-all-space --exclude-
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1686,11 +1888,11 @@
+@@ -1686,11 +1890,11 @@
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -36676,7 +36896,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1797,19 +1999,32 @@
+@@ -1797,19 +2001,32 @@
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -36716,7 +36936,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -1844,6 +2059,7 @@
+@@ -1844,6 +2061,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -36724,7 +36944,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2196,7 +2412,7 @@
+@@ -2196,7 +2414,7 @@
  
  ########################################
  ## <summary>
@@ -36733,7 +36953,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -2205,21 +2421,40 @@
+@@ -2205,17 +2423,36 @@
  ##	</summary>
  ## </param>
  #
@@ -36752,10 +36972,9 @@ diff -b -B --ignore-all-space --exclude-
 -##	Read user temporary symbolic links.
 +##	Do not audit attempts to manage users
 +##	temporary files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@@ -36771,14 +36990,10 @@ diff -b -B --ignore-all-space --exclude-
 +########################################
 +## <summary>
 +##	Read user temporary symbolic links.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -2276,6 +2511,46 @@
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2276,6 +2513,46 @@
  ########################################
  ## <summary>
  ##	Create, read, write, and delete user
@@ -36825,7 +37040,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	temporary symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2391,7 +2666,7 @@
+@@ -2391,7 +2668,7 @@
  
  ########################################
  ## <summary>
@@ -36834,7 +37049,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2399,19 +2674,20 @@
+@@ -2399,19 +2676,20 @@
  ##	</summary>
  ## </param>
  #
@@ -36858,7 +37073,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2419,7 +2695,7 @@
+@@ -2419,7 +2697,7 @@
  ##	</summary>
  ## </param>
  #
@@ -36867,7 +37082,7 @@ diff -b -B --ignore-all-space --exclude-
  	gen_require(`
  		type user_tmpfs_t;
  	')
-@@ -2430,6 +2706,26 @@
+@@ -2430,6 +2708,26 @@
  	fs_search_tmpfs($1)
  ')
  
@@ -36894,7 +37109,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  ## <summary>
  ##	Get the attributes of a user domain tty.
-@@ -2749,7 +3045,7 @@
+@@ -2749,7 +3047,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -36903,7 +37118,7 @@ diff -b -B --ignore-all-space --exclude-
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2765,11 +3061,33 @@
+@@ -2765,11 +3063,33 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -36939,7 +37154,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2897,7 +3215,43 @@
+@@ -2897,7 +3217,43 @@
  		type user_tmp_t;
  	')
  
@@ -36984,7 +37199,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -2934,6 +3288,7 @@
+@@ -2934,6 +3290,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -36992,7 +37207,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3419,656 @@
+@@ -3064,3 +3421,656 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -37844,7 +38059,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/xen.te	2009-12-17 11:20:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/system/xen.te	2009-12-23 08:59:21.000000000 -0500
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -38032,7 +38247,16 @@ diff -b -B --ignore-all-space --exclude-
  kernel_write_xen_state(xenstored_t)
  kernel_read_xen_state(xenstored_t)
  
-@@ -304,6 +351,7 @@
+@@ -282,6 +329,8 @@
+ 
+ files_read_usr_files(xenstored_t)
+ 
++fs_search_xenfs(xenstored_t)
++
+ storage_raw_read_fixed_disk(xenstored_t)
+ storage_raw_write_fixed_disk(xenstored_t)
+ storage_raw_read_removable_device(xenstored_t)
+@@ -304,6 +353,7 @@
  #
  
  allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
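Review bot: The new `fs_search_xenfs(xenstored_t)` line carries no comment explaining why a search-only grant is sufficient, and nothing in this hunk shows the interface itself; since the same commit says it syncs filesystem.if from Rawhide, the build appears to depend on that sync also defining `fs_search_xenfs`, which is worth confirming before the two changes are split or backported separately. A one-line comment above it, `# xenfs (presumably mounted on /proc/xen) must be searchable for xenstored to reach the xen state nodes it already reads/writes`, would tie it to the `kernel_read_xen_state`/`kernel_write_xen_state` grants visible in the context lines, though what those interfaces target exactly is not shown here. Directory search is the least-privilege choice; if denials on xenfs_t files follow, the fix should be the matching file-level read/write interface rather than a manage interface. The xenstored_t rule block continues outside the hunk.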
@@ -38040,7 +38264,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # internal communication is often done using fifo and unix sockets.
  allow xm_t self:fifo_file rw_fifo_file_perms;
-@@ -312,24 +360,29 @@
+@@ -312,24 +362,29 @@
  
  manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
  manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
@@ -38071,7 +38295,7 @@ diff -b -B --ignore-all-space --exclude-
  
  files_read_etc_runtime_files(xm_t)
  files_read_usr_files(xm_t)
-@@ -339,15 +392,76 @@
+@@ -339,15 +394,76 @@
  
  storage_raw_read_fixed_disk(xm_t)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.987
retrieving revision 1.988
diff -u -p -r1.987 -r1.988
--- selinux-policy.spec	22 Dec 2009 21:23:32 -0000	1.987
+++ selinux-policy.spec	23 Dec 2009 18:42:31 -0000	1.988
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 63%{?dist}
+Release: 64%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,7 +449,18 @@ exit 0
 %endif
 
 %changelog
-* Tue Dec 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-63
+* Wed Dec 23 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-64
+- Update to Rawhide filesystem.if file
+- Allow abrt to read nfs
+- Allow cups to search fusefs
+- Allow dovecot_auth to search var_log
+- Fix label on ksmtuned.pid
+- Dontaudit policykit looking at mount points
+- Allow xdm to manage /var/cache/fontconfig
+- Allow xenstored to search xenfs
+
+
+* Tue Dec 22 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-63
 - Allow sendmail setpgid
 - Allow dovecot to read nfs homedirs
 



