rpms/selinux-policy-targeted/devel policy-20050712.patch, NONE, 1.1 .cvsignore, 1.113, 1.114 policy-20050706.patch, 1.8, 1.9 selinux-policy-targeted.spec, 1.344, 1.345 sources, 1.119, 1.120

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Jul 12 19:17:47 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv18977

Modified Files:
	.cvsignore policy-20050706.patch selinux-policy-targeted.spec 
	sources 
Added Files:
	policy-20050712.patch 
Log Message:
* Tue Jul 12 2005 Dan Walsh <dwalsh at redhat.com> 1.25.2-1
- Update to latest from NSA


policy-20050712.patch:
 assert.te                           |    2 +-
 attrib.te                           |    4 ++++
 domains/program/ifconfig.te         |    1 +
 domains/program/unused/pppd.te      |    8 ++++++++
 domains/program/unused/radvd.te     |    6 +++---
 domains/program/unused/rpcd.te      |    7 ++++---
 domains/program/unused/saslauthd.te |   10 +++++++++-
 domains/program/unused/winbind.te   |    1 +
 file_contexts/program/apache.fc     |    2 ++
 file_contexts/program/i18n_input.fc |    2 +-
 macros/program/chkpwd_macros.te     |    3 +++
 targeted/domains/program/crond.te   |    9 ++++++---
 tunables/distro.tun                 |    2 +-
 tunables/tunable.tun                |    4 ++--
 14 files changed, 46 insertions(+), 15 deletions(-)

--- NEW FILE policy-20050712.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.25.1/assert.te
--- nsapolicy/assert.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.1/assert.te	2005-07-11 14:28:39.000000000 -0400
@@ -41,7 +41,7 @@
 
 #
 # Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
 neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
 
 #
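Review bot: The `-auth_bool` exclusion in the neverallow removes every auth_bool domain from the compile-time /etc/shadow assertion unconditionally, so for those domains the boolean-gated allow rule is the only remaining control. That is presumably unavoidable, since neverallow is checked against conditional rules regardless of the boolean's value, but the comment above the assertion does not say so and a later reader may take the exclusion for a loophole. I would extend the comment with `# auth_bool domains are excluded because their boolean-gated shadow_t rules would otherwise trip this assertion; their access is controlled by the boolean alone`.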
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.1/attrib.te
--- nsapolicy/attrib.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/attrib.te	2005-07-11 14:28:39.000000000 -0400
@@ -141,6 +141,10 @@
 # to read /etc/shadow, and grants the permission.
 attribute auth;
 
+# The auth_bool attribute identifies every domain that can 
+# read /etc/shadow if its boolean is set;
+attribute auth_bool;
+
 # The auth_write attribute identifies every domain that can have write or
 # relabel access to /etc/shadow, but does not grant it.
 attribute auth_write;
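Review bot: The new comment on `auth_bool` ends in a semicolon, carries a trailing space on its first line, and unlike the adjacent `auth` and `auth_write` comments does not state whether the attribute itself grants anything. Since the attribute is also used to exempt domains from the shadow_t neverallow, that distinction matters to a reader auditing who can reach /etc/shadow. I would write it as `# The auth_bool attribute identifies every domain that may read /etc/shadow` / `# only when its boolean is enabled; it does not grant the permission itself.`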
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.1/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-05-07 00:41:08.000000000 -0400
+++ policy-1.25.1/domains/program/ifconfig.te	2005-07-11 14:36:20.000000000 -0400
@@ -26,6 +26,7 @@
 ')
 
 # for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 allow ifconfig_t etc_t:file { getattr read };
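Review bot: The added `packet_socket create_socket_perms` rule for ifconfig_t sits under the generic `# for /sbin/ip` comment, so nothing records which ip operation needs a link-layer socket, and packet sockets are a broader grant than the netlink and tcp rules next to it. A why-comment of its own would help the next person deciding whether to keep it, e.g. `# /sbin/ip opens a packet socket for <operation — confirm which>`. Whether ifconfig_t also holds the net_raw capability that packet sockets normally require is outside this hunk.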
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.1/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.1/domains/program/unused/pppd.te	2005-07-12 06:05:04.000000000 -0400
@@ -102,3 +102,11 @@
 allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
 allow pppd_t initrc_var_run_t:file r_file_perms;
 dontaudit pppd_t initrc_var_run_t:file { lock write };
+
+# pppd needs to load kernel modules for certain modems
+bool pppd_can_insmod false;
+if (pppd_can_insmod) {
+ifdef(`modutil.te', `
+domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
+')
+}
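Review bot: The comment on the new `pppd_can_insmod` boolean explains the need but not the consequence: enabling it lets pppd_t transition to insmod_t, which is kernel-module loading, i.e. kernel-level privilege, so the default of false is the important part and deserves saying. I would extend the comment to `# pppd needs to load kernel modules for certain modems. Enabling this lets pppd_t` / `# transition to insmod_t (kernel-level privilege); keep it off unless required.` The `ifdef(`modutil.te'` guard inside the conditional block is fine, since the transition only makes sense when insmod_t exists.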
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.1/domains/program/unused/radvd.te
--- nsapolicy/domains/program/unused/radvd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.1/domains/program/unused/radvd.te	2005-07-12 06:12:53.000000000 -0400
@@ -15,15 +15,15 @@
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
-allow radvd_t self:capability { net_raw setgid };
+allow radvd_t self:capability { setgid setuid net_raw setgid };
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
 can_network_server(radvd_t)
 can_ypbind(radvd_t)
 
-allow radvd_t proc_t:dir r_dir_perms;
-allow radvd_t proc_t:file { getattr read };
+allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
+allow radvd_t { proc_t proc_net_t }:file { getattr read };
 allow radvd_t etc_t:lnk_file read;
 
 allow radvd_t sysctl_net_t:file r_file_perms;
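Review bot: The rewritten capability set for radvd_t lists `setgid` twice, `{ setgid setuid net_raw setgid }`, which checkpolicy tolerates but reads as a copy-paste slip. I would write `allow radvd_t self:capability { net_raw setgid setuid };` and, since `setuid` is the newly granted capability, add a short why-comment (presumably radvd dropping privileges after start — confirm). The proc_net_t additions below look consistent with the existing proc_t rules.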
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.1/domains/program/unused/rpcd.te	2005-07-12 06:09:33.000000000 -0400
@@ -93,7 +93,8 @@
 bool nfs_export_all_rw false;
 
 if(nfs_export_all_rw) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t, noexattrfile)
 create_dir_file(kernel_t,{ file_type -shadow_t })
 }
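Review bot: In the `nfs_export_all_rw` branch kernel_t only gains read access to noexattrfile via the new `r_dir_file(kernel_t, noexattrfile)` line, while `create_dir_file(kernel_t,{ file_type -shadow_t })` is unchanged, so if the intent is to export filesystems without xattr support read-write under this boolean, those filesystems would still come out read-only. The second hunk for `nfs_export_all_ro` folds the attribute into the set instead, `r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })`; the rw branch should mirror that shape, `create_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })`, and drop the separate r_dir_file line. If read-only export of noexattrfile under the rw boolean is deliberate, a comment saying so would prevent the next reader from "fixing" it.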
 
@@ -102,8 +103,8 @@
 bool nfs_export_all_ro false;
 
 if(nfs_export_all_ro) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ file_type -shadow_t })
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
 }
 
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.1/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.1/domains/program/unused/saslauthd.te	2005-07-11 14:28:39.000000000 -0400
@@ -3,7 +3,7 @@
 # Author: Colin Walters <walters at verbum.org>
 #
 
-daemon_domain(saslauthd, `, auth_chkpwd')
+daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
 
 allow saslauthd_t self:fifo_file { read write };
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
@@ -21,3 +21,11 @@
 
 # Needs investigation
 dontaudit saslauthd_t home_root_t:dir getattr;
+can_network_client_tcp(saslauthd_t)
+allow saslauthd_t pop_port_t:tcp_socket name_connect;
+
+bool allow_saslauthd_read_shadow false;
+
+if (allow_saslauthd_read_shadow) {
+allow saslauthd_t shadow_t:file r_file_perms;
+}
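Review bot: The new `allow_saslauthd_read_shadow` boolean has no comment, and together with the `auth_bool` attribute added in the first hunk, which takes saslauthd_t out of the shadow_t neverallow, it becomes the only control on saslauthd's direct /etc/shadow access, so it should say what it is for and why it defaults to off. I would add `# Allow saslauthd to read /etc/shadow directly; keep off unless a saslauthd mechanism requires it` above the bool line. The `can_network_client_tcp` and `pop_port_t name_connect` rules also land directly under the `# Needs investigation` dontaudit, so a blank line or their own comment (pop_port_t suggests POP-based authentication — confirm) would keep them from reading as part of that note.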
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-11 14:28:39.000000000 -0400
@@ -10,6 +10,7 @@
 
 daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
 log_domain(winbind)
+tmp_domain(winbind)
 allow winbind_t etc_t:file r_file_perms;
 allow winbind_t etc_t:lnk_file read;
 can_network(winbind_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.1/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/file_contexts/program/apache.fc	2005-07-12 06:21:24.000000000 -0400
@@ -50,3 +50,5 @@
 ifdef(`targeted_policy', `', `
 /var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
 ')
+/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t
+
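Review bot: The hunk leaves a stray empty line after the new `/usr/sbin/apachectl` entry, so the file now ends with a blank line that the rest of the file does not use. The label choice also deserves a one-line comment, since initrc_exec_t means apachectl will run in whatever domain initrc_exec_t transitions to rather than in an apache-specific domain, presumably so that it behaves like the httpd init script — confirm. Something like `# apachectl wraps the init script; label it like one so it gets the same transition` above the entry would record the intent.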
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.25.1/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc	2005-05-02 14:06:56.000000000 -0400
+++ policy-1.25.1/file_contexts/program/i18n_input.fc	2005-07-11 14:29:05.000000000 -0400
@@ -1,7 +1,7 @@
 # i18n_input.fc
 /usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
 /usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd		        --     system_u:object_r:i18n_input_exec_t
+/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t
 /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
 /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
 /usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
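Review bot: The entry for `/usr/bin/iiimd` is replaced rather than supplemented, so plain /usr/bin/iiimd is no longer matched by this file and would receive the default label if a wrapper script by that name still ships alongside `iiimd.bin` — I cannot tell from the hunk whether the binary was renamed outright. If both exist, keeping the old line and adding the new one, `/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t`, is the safer change; if the rename is complete, a short comment noting the package change would explain the switch.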
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-11 14:28:39.000000000 -0400
@@ -42,6 +42,9 @@
 ifdef(`winbind.te', `
 r_dir_file(auth_chkpwd, winbind_var_run_t)
 ')
+r_dir_file(auth_chkpwd, cert_t)
+r_dir_file($1_chkpwd_t, cert_t)
+allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
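Review bot: `r_dir_file(auth_chkpwd, cert_t)` is an attribute-wide rule placed inside a per-domain macro, so it is re-emitted on every invocation, and if `$1_chkpwd_t` already carries the auth_chkpwd attribute the following `r_dir_file($1_chkpwd_t, cert_t)` adds nothing — I cannot confirm the attribute assignment from this hunk. Either move the attribute-wide line out of the macro body or add a comment explaining why both forms are needed. The random/urandom read rule would also benefit from a why-comment (presumably for password hashing or challenge generation — confirm). The enclosing macro and its ifdef begin outside the hunk.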
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.1/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
+++ policy-1.25.1/targeted/domains/program/crond.te	2005-07-11 14:28:39.000000000 -0400
@@ -11,7 +11,7 @@
 # This domain is defined just for targeted policy.
 #
 type crond_exec_t, file_type, sysadmfile, exec_type;
-type crond_t, domain, privuser, privrole, privowner;
+type crond_t, domain, privuser, privrole, privfd, privowner;
 typealias crond_t alias system_crond_t;
 type anacron_exec_t, file_type, sysadmfile, exec_type;
 type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
@@ -20,11 +20,14 @@
 role system_r types crond_t;
 domain_auto_trans(initrc_t, crond_exec_t, crond_t)
 domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
-unconfined_domain(crond_t)
 # Access log files
 file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
 file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
+var_run_domain(crond)
+
+ifdef(`targeted_policy', `
+unconfined_domain(crond_t)
 allow crond_t initrc_t:dbus send_msg;
 allow crond_t unconfined_t:dbus send_msg;
 allow crond_t unconfined_t:process transition;
-var_run_domain(crond)
+')
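Review bot: The new `ifdef(`targeted_policy', ...)` wrapper around `unconfined_domain(crond_t)` and the dbus/transition rules sits in a file under targeted/ whose own header says the domain is defined just for targeted policy, so the condition is always true unless this file is also pulled into a strict build — which I cannot tell from here. If it is shared, a comment stating what crond_t is expected to do when it is not unconfined would help; if it is not, the wrapper is dead conditional and worth a comment saying why it is there. Moving `var_run_domain(crond)` out of the conditional looks correct, since the var_run type is needed either way.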
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/tunables/distro.tun	2005-07-11 14:28:39.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.1/tunables/tunable.tun	2005-07-11 14:28:39.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.


Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/.cvsignore,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -r1.113 -r1.114
--- .cvsignore	6 Jul 2005 21:41:13 -0000	1.113
+++ .cvsignore	12 Jul 2005 19:17:42 -0000	1.114
@@ -78,3 +78,4 @@
 policy-1.23.18.tgz
 policy-1.24.tgz
 policy-1.25.1.tgz
+policy-1.25.2.tgz

policy-20050706.patch:
 assert.te                            |    2 +-
 attrib.te                            |    4 ++++
 domains/admin.te                     |    5 +++++
 domains/program/getty.te             |    7 +++++++
 domains/program/login.te             |    2 +-
 domains/program/netutils.te          |    2 ++
 domains/program/passwd.te            |    5 +++++
 domains/program/ssh.te               |    2 +-
 domains/program/tmpreaper.te         |    4 ++--
 domains/program/unused/apache.te     |    1 +
 domains/program/unused/apmd.te       |    7 +++++--
 domains/program/unused/bluetooth.te  |    3 ++-
 domains/program/unused/cups.te       |    8 ++++++--
 domains/program/unused/cyrus.te      |    5 +----
 domains/program/unused/dhcpc.te      |    1 +
 domains/program/unused/dovecot.te    |    1 +
 domains/program/unused/ftpd.te       |    2 +-
 domains/program/unused/hald.te       |    3 ++-
 domains/program/unused/hotplug.te    |    4 +++-
 domains/program/unused/hwclock.te    |    3 ---
 domains/program/unused/iceauth.te    |    2 +-
 domains/program/unused/nscd.te       |    1 +
 domains/program/unused/pppd.te       |    7 ++++---
 domains/program/unused/prelink.te    |    7 +------
 domains/program/unused/procmail.te   |    1 +
 domains/program/unused/radvd.te      |    3 ++-
 domains/program/unused/rpcd.te       |    6 +++++-
 domains/program/unused/rpm.te        |    3 +++
 domains/program/unused/samba.te      |   34 ++++++++++++++++++++++++++++++++--
 domains/program/unused/saslauthd.te  |   10 +++++++++-
 domains/program/unused/squid.te      |    3 +++
 domains/program/unused/winbind.te    |   15 ++++++++++++++-
 domains/program/unused/xdm.te        |    2 +-
 file_contexts/program/cups.fc        |    2 ++
 file_contexts/program/i18n_input.fc  |    2 +-
 file_contexts/program/rpcd.fc        |    3 ++-
 file_contexts/program/samba.fc       |    1 +
 file_contexts/program/winbind.fc     |    1 +
 file_contexts/types.fc               |   14 +++++++-------
 macros/admin_macros.te               |    3 ---
 macros/base_user_macros.te           |    5 ++---
 macros/global_macros.te              |    1 +
 macros/network_macros.te             |    7 +++++++
 macros/program/apache_macros.te      |    5 ++---
 macros/program/chkpwd_macros.te      |   10 ++++++++++
 macros/program/dbusd_macros.te       |    2 +-
 macros/program/evolution_macros.te   |    6 ------
 macros/program/games_domain.te       |    3 ---
 macros/program/java_macros.te        |    2 --
 macros/program/mail_client_macros.te |   10 ++++++++--
 macros/program/mozilla_macros.te     |    2 --
 macros/program/mplayer_macros.te     |    2 +-
 macros/program/xserver_macros.te     |    4 ----
 net_contexts                         |    2 ++
 targeted/domains/program/crond.te    |    9 ++++++---
 targeted/domains/unconfined.te       |    5 +++++
 tunables/distro.tun                  |    2 +-
 tunables/tunable.tun                 |    4 ++--
 types/network.te                     |    1 -
 59 files changed, 190 insertions(+), 83 deletions(-)

Index: policy-20050706.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050706.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20050706.patch	9 Jul 2005 02:11:37 -0000	1.8
+++ policy-20050706.patch	12 Jul 2005 19:17:42 -0000	1.9
@@ -1,6 +1,32 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.25.1/assert.te
+--- nsapolicy/assert.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.25.1/assert.te	2005-07-11 14:28:39.000000000 -0400
+@@ -41,7 +41,7 @@
+ 
+ #
+ # Verify that only appropriate domains can access /etc/shadow
+-neverallow { domain -auth -auth_write -unrestricted } shadow_t:file ~getattr;
++neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+ neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
+ 
+ #
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.1/attrib.te
+--- nsapolicy/attrib.te	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.1/attrib.te	2005-07-11 14:28:39.000000000 -0400
+@@ -141,6 +141,10 @@
+ # to read /etc/shadow, and grants the permission.
+ attribute auth;
+ 
++# The auth_bool attribute identifies every domain that can 
++# read /etc/shadow if its boolean is set;
++attribute auth_bool;
++
+ # The auth_write attribute identifies every domain that can have write or
+ # relabel access to /etc/shadow, but does not grant it.
+ attribute auth_write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.25.1/domains/admin.te
 --- nsapolicy/domains/admin.te	2005-04-27 10:28:48.000000000 -0400
-+++ policy-1.25.1/domains/admin.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/admin.te	2005-07-11 14:28:39.000000000 -0400
 @@ -36,3 +36,8 @@
  typeattribute secadm_tty_device_t admin_tty_type;
  typeattribute secadm_devpts_t admin_tty_type;
@@ -12,7 +38,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.25.1/domains/program/getty.te
 --- nsapolicy/domains/program/getty.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.25.1/domains/program/getty.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/getty.te	2005-07-11 14:28:39.000000000 -0400
 @@ -52,3 +52,10 @@
  # for mgetty
  var_run_domain(getty)
@@ -26,7 +52,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.25.1/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/login.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/login.te	2005-07-11 14:28:39.000000000 -0400
 @@ -65,7 +65,7 @@
  ')
  
@@ -38,7 +64,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.25.1/domains/program/netutils.te
 --- nsapolicy/domains/program/netutils.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.1/domains/program/netutils.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/netutils.te	2005-07-11 14:28:39.000000000 -0400
 @@ -21,7 +21,9 @@
  tmp_domain(netutils)
  
@@ -51,7 +77,7 @@
  allow netutils_t { userdomain init_t }:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.1/domains/program/passwd.te
 --- nsapolicy/domains/program/passwd.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.25.1/domains/program/passwd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/passwd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -149,3 +149,8 @@
  allow passwd_t userdomain:process getattr;
  
@@ -63,7 +89,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.25.1/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/ssh.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/ssh.te	2005-07-11 14:28:39.000000000 -0400
 @@ -73,7 +73,7 @@
  allow $1_t port_type:tcp_socket name_connect;
  can_kerberos($1_t)
@@ -75,7 +101,7 @@
  allow $1_t autofs_t:dir { search getattr };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.25.1/domains/program/tmpreaper.te
 --- nsapolicy/domains/program/tmpreaper.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.1/domains/program/tmpreaper.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/tmpreaper.te	2005-07-11 14:28:39.000000000 -0400
 @@ -16,8 +16,8 @@
  system_crond_entry(tmpreaper_exec_t, tmpreaper_t)
  uses_shlib(tmpreaper_t)
@@ -89,7 +115,7 @@
  allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.1/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/apache.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/apache.te	2005-07-11 14:28:39.000000000 -0400
 @@ -114,6 +114,7 @@
  can_kerberos(httpd_t)
  can_resolve(httpd_t)
@@ -100,7 +126,7 @@
  if (httpd_can_network_connect) {
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.1/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/apmd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/apmd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -21,7 +21,7 @@
  allow apm_t privfd:fd use;
  allow apm_t admin_tty_type:chr_file rw_file_perms;
@@ -132,7 +158,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.25.1/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/bluetooth.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/bluetooth.te	2005-07-11 14:28:39.000000000 -0400
 @@ -26,7 +26,8 @@
  dbusd_client(system, bluetooth)
  allow bluetooth_t system_dbusd_t:dbus send_msg;
@@ -145,7 +171,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.1/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/cups.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/cups.te	2005-07-11 14:28:39.000000000 -0400
 @@ -77,7 +77,7 @@
  allow cupsd_t self:fifo_file rw_file_perms;
  
@@ -182,7 +208,7 @@
  allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.1/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/cyrus.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/cyrus.te	2005-07-11 14:28:39.000000000 -0400
 @@ -26,9 +26,7 @@
  read_locale(cyrus_t)
  read_sysctl(cyrus_t)
@@ -203,7 +229,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.1/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/dhcpc.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/dhcpc.te	2005-07-11 14:28:39.000000000 -0400
 @@ -153,6 +153,7 @@
  domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
  ifdef(`dbusd.te', `
@@ -214,7 +240,7 @@
  allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.25.1/domains/program/unused/dovecot.te
 --- nsapolicy/domains/program/unused/dovecot.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/dovecot.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/dovecot.te	2005-07-11 14:28:39.000000000 -0400
 @@ -35,6 +35,7 @@
  allow dovecot_t urandom_device_t:chr_file { getattr read };
  allow dovecot_t cert_t:dir search;
@@ -225,7 +251,7 @@
  allow dovecot_t self:fifo_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.1/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/ftpd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/ftpd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -69,7 +69,7 @@
  tmpfs_domain(ftpd)
  
@@ -237,7 +263,7 @@
  allow ftpd_t wtmp_t:file { getattr append };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.1/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/hald.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/hald.te	2005-07-11 14:28:39.000000000 -0400
 @@ -65,7 +65,8 @@
  r_dir_file(hald_t, hotplug_etc_t)
  ')
@@ -250,7 +276,7 @@
  allow hald_t initrc_t:dbus send_msg;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.25.1/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/hotplug.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/hotplug.te	2005-07-11 14:28:39.000000000 -0400
 @@ -65,7 +65,7 @@
  allow hotplug_t etc_t:dir r_dir_perms;
  allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
@@ -268,7 +294,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.1/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/hwclock.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/hwclock.te	2005-07-11 14:28:39.000000000 -0400
 @@ -19,9 +19,6 @@
  role sysadm_r types hwclock_t;
  domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
@@ -281,7 +307,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iceauth.te policy-1.25.1/domains/program/unused/iceauth.te
 --- nsapolicy/domains/program/unused/iceauth.te	2005-07-05 15:25:46.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/iceauth.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/iceauth.te	2005-07-11 14:28:39.000000000 -0400
 @@ -6,7 +6,7 @@
  #
  # iceauth_exec_t is the type of the xauth executable.
@@ -293,7 +319,7 @@
  # macros/program/iceauth_macros.te.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.25.1/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/nscd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/nscd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -75,3 +75,4 @@
  allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
  log_domain(nscd)
@@ -301,7 +327,7 @@
 +allow nscd_t tun_tap_device_t:chr_file { read write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/pppd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/pppd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -36,8 +36,7 @@
  can_ypbind(pppd_t)
  
@@ -329,7 +355,7 @@
 +dontaudit pppd_t initrc_var_run_t:file { lock write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.25.1/domains/program/unused/prelink.te
 --- nsapolicy/domains/program/unused/prelink.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/prelink.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/prelink.te	2005-07-11 14:28:39.000000000 -0400
 @@ -11,13 +11,8 @@
  #
  daemon_base_domain(prelink, `, admin, privowner')
@@ -347,7 +373,7 @@
  ifdef(`crond.te', `
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.25.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/procmail.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/procmail.te	2005-07-11 14:28:39.000000000 -0400
 @@ -20,6 +20,7 @@
  allow procmail_t device_t:dir search;
  can_network_server(procmail_t)
@@ -358,7 +384,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.1/domains/program/unused/radvd.te
 --- nsapolicy/domains/program/unused/radvd.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/radvd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/radvd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -15,11 +15,12 @@
  
  allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
@@ -375,7 +401,7 @@
  allow radvd_t proc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.1/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/rpcd.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/rpcd.te	2005-07-11 14:28:39.000000000 -0400
 @@ -11,7 +11,11 @@
  # Rules for the rpcd_t and nfsd_t domain.
  #
@@ -399,7 +425,7 @@
  can_udp_send(portmap_t, nfsd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.1/domains/program/unused/rpm.te
 --- nsapolicy/domains/program/unused/rpm.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/rpm.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/rpm.te	2005-07-11 14:28:39.000000000 -0400
 @@ -253,4 +253,7 @@
  typeattribute rpm_script_t auth_write;
  unconfined_domain(rpm_script_t)
@@ -410,7 +436,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.1/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/samba.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/samba.te	2005-07-11 14:28:39.000000000 -0400
 @@ -47,6 +47,9 @@
  
  # Use the network.
@@ -465,7 +491,16 @@
 +allow samba_net_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.1/domains/program/unused/saslauthd.te
 --- nsapolicy/domains/program/unused/saslauthd.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/saslauthd.te	2005-07-08 15:50:42.000000000 -0400
++++ policy-1.25.1/domains/program/unused/saslauthd.te	2005-07-11 14:28:39.000000000 -0400
+@@ -3,7 +3,7 @@
+ # Author: Colin Walters <walters at verbum.org>
+ #
+ 
+-daemon_domain(saslauthd, `, auth_chkpwd')
++daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
+ 
+ allow saslauthd_t self:fifo_file { read write };
+ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 @@ -21,3 +21,11 @@
  
  # Needs investigation
@@ -480,7 +515,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/squid.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/squid.te	2005-07-11 14:28:39.000000000 -0400
 @@ -78,3 +78,6 @@
  #squid requires the following when run in diskd mode, the recommended setting
  allow squid_t tmpfs_t:file { read write };
@@ -490,8 +525,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-07 21:12:02.000000000 -0400
-@@ -22,7 +22,7 @@
++++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-11 14:28:39.000000000 -0400
+@@ -10,6 +10,7 @@
+ 
+ daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
+ log_domain(winbind)
++tmp_domain(winbind)
+ allow winbind_t etc_t:file r_file_perms;
+ allow winbind_t etc_t:lnk_file read;
+ can_network(winbind_t)
+@@ -22,7 +23,7 @@
  type samba_var_t, file_type, sysadmfile;
  type samba_secrets_t, file_type, sysadmfile;
  ')
@@ -500,7 +543,7 @@
  rw_dir_create_file(winbind_t, samba_log_t)
  allow winbind_t samba_secrets_t:file rw_file_perms;
  allow winbind_t self:unix_dgram_socket create_socket_perms;
-@@ -33,3 +33,15 @@
+@@ -33,3 +34,15 @@
  can_kerberos(winbind_t)
  allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
  allow winbind_t winbind_var_run_t:sock_file create_file_perms;
@@ -518,7 +561,7 @@
 +allow winbind_helper_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.25.1/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/xdm.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/domains/program/unused/xdm.te	2005-07-11 14:28:39.000000000 -0400
 @@ -69,7 +69,7 @@
  
  #
@@ -530,16 +573,28 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.1/file_contexts/program/cups.fc
 --- nsapolicy/file_contexts/program/cups.fc	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/file_contexts/program/cups.fc	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/file_contexts/program/cups.fc	2005-07-11 14:28:39.000000000 -0400
 @@ -41,3 +41,5 @@
  /usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t
  /usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
  /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
 +/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
 +/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.25.1/file_contexts/program/i18n_input.fc
+--- nsapolicy/file_contexts/program/i18n_input.fc	2005-05-02 14:06:56.000000000 -0400
++++ policy-1.25.1/file_contexts/program/i18n_input.fc	2005-07-11 14:29:05.000000000 -0400
+@@ -1,7 +1,7 @@
+ # i18n_input.fc
+ /usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
+ /usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
+-/usr/bin/iiimd		        --     system_u:object_r:i18n_input_exec_t
++/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t
+ /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
+ /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
+ /usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.25.1/file_contexts/program/rpcd.fc
 --- nsapolicy/file_contexts/program/rpcd.fc	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.1/file_contexts/program/rpcd.fc	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/file_contexts/program/rpcd.fc	2005-07-11 14:28:39.000000000 -0400
 @@ -1,6 +1,6 @@
  # RPC daemons
  /sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t
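Review bot: The i18n_input.fc hunk replaces the `/usr/bin/iiimd` entry outright instead of extending it, so a `/usr/bin/iiimd` path that still exists on a system (a wrapper around the renamed binary, for instance) would no longer match this file and would fall back to whatever the generic bin rules assign. Whether that path survives after the rename is not visible here; if it may, one pattern covering both names, `/usr/bin/iiimd(\.bin)?	--	system_u:object_r:i18n_input_exec_t`, keeps both labelled as i18n_input_exec_t. The `\.` escape in the new entry is correct for a file_contexts regex.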
@@ -555,7 +610,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.25.1/file_contexts/program/samba.fc
 --- nsapolicy/file_contexts/program/samba.fc	2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.25.1/file_contexts/program/samba.fc	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/file_contexts/program/samba.fc	2005-07-11 14:28:39.000000000 -0400
 @@ -1,6 +1,7 @@
  # samba scripts
  /usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
@@ -566,7 +621,7 @@
  /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.25.1/file_contexts/program/winbind.fc
 --- nsapolicy/file_contexts/program/winbind.fc	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.1/file_contexts/program/winbind.fc	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/file_contexts/program/winbind.fc	2005-07-11 14:28:39.000000000 -0400
 @@ -8,3 +8,4 @@
  /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
  ')
@@ -574,7 +629,7 @@
 +/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.1/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/file_contexts/types.fc	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/file_contexts/types.fc	2005-07-11 14:28:39.000000000 -0400
 @@ -261,13 +261,13 @@
  # /opt
  #
@@ -598,7 +653,7 @@
  # /etc
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.25.1/macros/admin_macros.te
 --- nsapolicy/macros/admin_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/admin_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/admin_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -49,9 +49,6 @@
  # Allow system log read
  allow $1_t kernel_t:system syslog_read;
@@ -611,7 +666,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.1/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/base_user_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/base_user_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -63,10 +63,8 @@
  allow $1_t self:process execstack;
  }
@@ -642,7 +697,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.1/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/global_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/global_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -106,6 +106,7 @@
  allow $1 ld_so_t:lnk_file r_file_perms;
  allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
@@ -653,7 +708,7 @@
  allow $1 null_device_t:chr_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.1/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/network_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/network_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -168,3 +168,10 @@
  allow $1 ldap_port_t:tcp_socket name_connect;
  ')
@@ -667,7 +722,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.1/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/apache_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/apache_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -78,9 +78,6 @@
  
  allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
@@ -696,8 +751,8 @@
  # apache should set close-on-exec
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-07 21:12:02.000000000 -0400
-@@ -32,9 +32,16 @@
++++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-11 14:28:39.000000000 -0400
+@@ -32,9 +32,19 @@
  domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
  allow auth_chkpwd sbin_t:dir search;
  allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
@@ -711,12 +766,15 @@
 +ifdef(`winbind.te', `
 +r_dir_file(auth_chkpwd, winbind_var_run_t)
 +')
++r_dir_file(auth_chkpwd, cert_t)
++r_dir_file($1_chkpwd_t, cert_t)
++allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
  ', `
  domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
  allow $1_t sbin_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.25.1/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/dbusd_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/dbusd_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -37,7 +37,7 @@
  allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
  
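Review bot: `r_dir_file(auth_chkpwd, cert_t)` grants certificate-store read to every domain carrying the auth_chkpwd attribute — the calling daemons, not just the password-checking helper — whereas the companion `r_dir_file($1_chkpwd_t, cert_t)` and the random/urandom read on the following line are scoped to the helper domain alone. If the broader grant is deliberate (presumably PAM modules loaded into the caller's own process need to read certificates), a comment should record that, e.g. `# PAM modules loaded in the calling domain may need to read certificates in cert_t`; otherwise the helper-only form is the least-privilege choice. The enclosing ifelse branch of the macro starts before this hunk.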
@@ -728,7 +786,7 @@
  can_getsecurity($1_dbusd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.1/macros/program/evolution_macros.te
 --- nsapolicy/macros/program/evolution_macros.te	2005-07-05 15:25:49.000000000 -0400
-+++ policy-1.25.1/macros/program/evolution_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/evolution_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -221,12 +221,6 @@
  domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
  ') dnl spamassasin.te
@@ -744,7 +802,7 @@
  #################################
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.25.1/macros/program/games_domain.te
 --- nsapolicy/macros/program/games_domain.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/games_domain.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/games_domain.te	2005-07-11 14:28:39.000000000 -0400
 @@ -33,10 +33,7 @@
  allow $1_games_t self:process execmem;
  }
@@ -758,7 +816,7 @@
  allow $1_games_t sound_device_t:chr_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.25.1/macros/program/java_macros.te
 --- nsapolicy/macros/program/java_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.25.1/macros/program/java_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/java_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -52,9 +52,7 @@
  can_exec($1_javaplugin_t, java_exec_t)
  
@@ -771,7 +829,7 @@
  }
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.1/macros/program/mail_client_macros.te
 --- nsapolicy/macros/program/mail_client_macros.te	2005-07-05 15:25:49.000000000 -0400
-+++ policy-1.25.1/macros/program/mail_client_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/mail_client_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -21,8 +21,8 @@
  
  # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
@@ -796,7 +854,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.1/macros/program/mozilla_macros.te
 --- nsapolicy/macros/program/mozilla_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/mozilla_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/mozilla_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -133,9 +133,7 @@
  if (allow_execmem) {
  allow $1_mozilla_t self:process execmem;
@@ -809,7 +867,7 @@
  ifdef(`apache.te', `
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.25.1/macros/program/mplayer_macros.te
 --- nsapolicy/macros/program/mplayer_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/mplayer_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/mplayer_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -44,8 +44,8 @@
  
  if (allow_execmod) {
@@ -822,7 +880,7 @@
  allow $1_$2_t device_t:dir r_dir_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.25.1/macros/program/xserver_macros.te
 --- nsapolicy/macros/program/xserver_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/xserver_macros.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/macros/program/xserver_macros.te	2005-07-11 14:28:39.000000000 -0400
 @@ -52,9 +52,7 @@
  
  uses_shlib($1_xserver_t)
@@ -847,7 +905,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.1/net_contexts
 --- nsapolicy/net_contexts	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.1/net_contexts	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/net_contexts	2005-07-11 14:28:39.000000000 -0400
 @@ -58,6 +58,8 @@
  
  portcon tcp 80  system_u:object_r:http_port_t
@@ -857,9 +915,38 @@
  
  portcon tcp 106 system_u:object_r:pop_port_t
  portcon tcp 109 system_u:object_r:pop_port_t
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.1/targeted/domains/program/crond.te
+--- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
++++ policy-1.25.1/targeted/domains/program/crond.te	2005-07-11 14:28:39.000000000 -0400
+@@ -11,7 +11,7 @@
+ # This domain is defined just for targeted policy.
+ #
+ type crond_exec_t, file_type, sysadmfile, exec_type;
+-type crond_t, domain, privuser, privrole, privowner;
++type crond_t, domain, privuser, privrole, privfd, privowner;
+ typealias crond_t alias system_crond_t;
+ type anacron_exec_t, file_type, sysadmfile, exec_type;
+ type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
+@@ -20,11 +20,14 @@
+ role system_r types crond_t;
+ domain_auto_trans(initrc_t, crond_exec_t, crond_t)
+ domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+-unconfined_domain(crond_t)
+ # Access log files
+ file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
+ file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
++var_run_domain(crond)
++
++ifdef(`targeted_policy', `
++unconfined_domain(crond_t)
+ allow crond_t initrc_t:dbus send_msg;
+ allow crond_t unconfined_t:dbus send_msg;
+ allow crond_t unconfined_t:process transition;
+-var_run_domain(crond)
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.1/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/targeted/domains/unconfined.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/targeted/domains/unconfined.te	2005-07-11 14:28:39.000000000 -0400
 @@ -72,3 +72,8 @@
  
  # allow reading of default file context
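Review bot: The new `ifdef(`targeted_policy', ...)` wrapper around `unconfined_domain(crond_t)` and the dbus/transition rules sits under a header comment that still reads `# This domain is defined just for targeted policy.`, so one of the two is now out of date. If the file is meant to build outside the targeted tree as well, the header should say so, e.g. `# Shared definition; the unconfined and dbus rules below apply only to targeted policy.`, and it is worth confirming what crond_t can actually do in that configuration: in the visible lines only the two file_type_auto_trans rules and `var_run_domain(crond)` remain outside the ifdef, while `domain_auto_trans(initrc_t, crond_exec_t, crond_t)` still fires unconditionally. Adding `privfd` to crond_t is likewise unconditional and widens access (any domain allowed `privfd:fd use` can inherit crond's descriptors), so a one-line comment on why cron jobs need it would help later readers.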
@@ -871,7 +958,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.1/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.1/tunables/distro.tun	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/tunables/distro.tun	2005-07-11 14:28:39.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -883,7 +970,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.1/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.25.1/tunables/tunable.tun	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/tunables/tunable.tun	2005-07-11 14:28:39.000000000 -0400
 @@ -2,7 +2,7 @@
  dnl define(`user_can_mount')
  
@@ -904,7 +991,7 @@
  # Otherwise, only staff_r can do so.
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.1/types/network.te
 --- nsapolicy/types/network.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/types/network.te	2005-07-07 21:12:02.000000000 -0400
++++ policy-1.25.1/types/network.te	2005-07-11 14:28:39.000000000 -0400
 @@ -158,7 +158,6 @@
  type snmp_port_t, port_type, reserved_port_type;
  type biff_port_t, port_type, reserved_port_type;


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.344
retrieving revision 1.345
diff -u -r1.344 -r1.345
--- selinux-policy-targeted.spec	9 Jul 2005 02:11:37 -0000	1.344
+++ selinux-policy-targeted.spec	12 Jul 2005 19:17:42 -0000	1.345
@@ -10,15 +10,15 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.25.1
-Release: 8
+Version: 1.25.2
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
 Source1: booleans
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050706.patch
+Patch: policy-20050712.patch
 Patch1: policy-%{type}.patch
 
 BuildArch: noarch
@@ -237,6 +237,12 @@
 exit 0
 
 %changelog
+* Tue Jul 12 2005 Dan Walsh <dwalsh at redhat.com> 1.25.2-1
+- Update to latest from NSA
+
+* Mon Jul 11 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-10
+- Change file context for iiimd -> iiimd.bin
+
 * Fri Jul 8 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-8
 - Fix saslauthd policy to allow imapd and shadow.
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/sources,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -r1.119 -r1.120
--- sources	6 Jul 2005 21:41:13 -0000	1.119
+++ sources	12 Jul 2005 19:17:42 -0000	1.120
@@ -1 +1 @@
-c796981eb7f40135c19198841f76f0e7  policy-1.25.1.tgz
+35e8a874205a05efeb2b298b48dd8b8b  policy-1.25.2.tgz



