rpms/selinux-policy-strict/FC-4 policy-20050916.patch, 1.11, 1.12 selinux-policy-strict.spec, 1.329, 1.330

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Oct 31 16:20:22 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv30371

Modified Files:
	policy-20050916.patch selinux-policy-strict.spec 
Log Message:
* Mon Oct 31 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.12
- Fix Handling of spamd, postfix


policy-20050916.patch:
 Makefile                                 |   24 +-
 attrib.te                                |  100 +++++++++-
 domains/admin.te                         |    2 
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    2 
 domains/program/fsadm.te                 |    9 
 domains/program/hostname.te              |    2 
 domains/program/ifconfig.te              |    5 
 domains/program/init.te                  |    2 
 domains/program/initrc.te                |   26 ++
 domains/program/ldconfig.te              |    3 
 domains/program/load_policy.te           |   11 -
 domains/program/login.te                 |   21 +-
 domains/program/logrotate.te             |    2 
 domains/program/modutil.te               |   27 +-
 domains/program/mount.te                 |    6 
 domains/program/netutils.te              |    3 
 domains/program/newrole.te               |    4 
 domains/program/restorecon.te            |    6 
 domains/program/setfiles.te              |    4 
 domains/program/ssh.te                   |    6 
 domains/program/su.te                    |    9 
 domains/program/syslogd.te               |    6 
 domains/program/tmpreaper.te             |    2 
 domains/program/unused/NetworkManager.te |   13 +
 domains/program/unused/alsa.te           |    2 
 domains/program/unused/amanda.te         |   74 +------
 domains/program/unused/anaconda.te       |    5 
 domains/program/unused/apache.te         |   22 +-
 domains/program/unused/apmd.te           |   19 +
 domains/program/unused/auditd.te         |    8 
 domains/program/unused/automount.te      |    4 
 domains/program/unused/avahi.te          |   31 +++
 domains/program/unused/bluetooth.te      |   72 +++++++
 domains/program/unused/cups.te           |   20 +-
 domains/program/unused/cvs.te            |    2 
 domains/program/unused/cyrus.te          |    2 
 domains/program/unused/dbusd.te          |    4 
 domains/program/unused/dcc.te            |    5 
 domains/program/unused/dhcpc.te          |    5 
 domains/program/unused/dhcpd.te          |    3 
 domains/program/unused/dovecot.te        |    4 
 domains/program/unused/exim.te           |  309 +++++++++++++++++++++++++++++++
 domains/program/unused/ftpd.te           |    6 
 domains/program/unused/hald.te           |    5 
 domains/program/unused/hotplug.te        |    5 
 domains/program/unused/hwclock.te        |    1 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    5 
 domains/program/unused/mta.te            |    8 
 domains/program/unused/mysqld.te         |   10 -
 domains/program/unused/named.te          |   27 ++
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |   10 -
 domains/program/unused/openct.te         |   16 +
 domains/program/unused/pamconsole.te     |    4 
 domains/program/unused/pegasus.te        |   37 +++
 domains/program/unused/ping.te           |    2 
 domains/program/unused/postfix.te        |   62 ++++--
 domains/program/unused/postgresql.te     |   11 -
 domains/program/unused/pppd.te           |   21 +-
 domains/program/unused/procmail.te       |   11 -
 domains/program/unused/readahead.te      |   21 ++
 domains/program/unused/rlogind.te        |    4 
 domains/program/unused/roundup.te        |   29 ++
 domains/program/unused/rpcd.te           |   18 +
 domains/program/unused/rpm.te            |    4 
 domains/program/unused/rsync.te          |    3 
 domains/program/unused/samba.te          |   12 +
 domains/program/unused/saslauthd.te      |    1 
 domains/program/unused/sendmail.te       |    3 
 domains/program/unused/snmpd.te          |    6 
 domains/program/unused/spamd.te          |   28 --
 domains/program/unused/squid.te          |    3 
 domains/program/unused/udev.te           |   10 -
 domains/program/unused/utempter.te       |    2 
 domains/program/unused/webalizer.te      |    3 
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 
 domains/program/unused/yppasswdd.te      |   40 ++++
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    5 
 file_contexts/distros.fc                 |    2 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/bluetooth.fc       |    3 
 file_contexts/program/dhcpc.fc           |    2 
 file_contexts/program/dhcpd.fc           |    5 
 file_contexts/program/ftpd.fc            |    5 
 file_contexts/program/games.fc           |   11 -
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |    9 
 file_contexts/program/pppd.fc            |    2 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/rpm.fc             |    4 
 file_contexts/program/rshd.fc            |    1 
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/squid.fc           |    3 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    4 
 genfs_contexts                           |    3 
 macros/base_user_macros.te               |    7 
 macros/core_macros.te                    |    9 
 macros/global_macros.te                  |   25 +-
 macros/home_macros.te                    |    9 
 macros/network_macros.te                 |   17 +
 macros/program/apache_macros.te          |   13 +
 macros/program/bonobo_macros.te          |    2 
 macros/program/cdrecord_macros.te        |    6 
 macros/program/chkpwd_macros.te          |    8 
 macros/program/crontab_macros.te         |    2 
 macros/program/dbusd_macros.te           |    7 
 macros/program/gconf_macros.te           |    2 
 macros/program/gift_macros.te            |    2 
 macros/program/gpg_macros.te             |    2 
 macros/program/i18n_input_macros.te      |   21 ++
 macros/program/lpr_macros.te             |    2 
 macros/program/mta_macros.te             |    4 
 macros/program/newrole_macros.te         |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/su_macros.te              |    4 
 macros/program/uml_macros.te             |    2 
 macros/program/xdm_macros.te             |    2 
 macros/program/ypbind_macros.te          |    1 
 macros/user_macros.te                    |    7 
 man/man8/ftpd_selinux.8                  |   19 +
 man/man8/httpd_selinux.8                 |    9 
 man/man8/rsync_selinux.8                 |   12 -
 man/man8/samba_selinux.8                 |    9 
 mcs                                      |  210 ++++++++-------------
 mls                                      |  270 ++++++++++-----------------
 net_contexts                             |    8 
 targeted/appconfig/root_default_contexts |    4 
 targeted/assert.te                       |    2 
 targeted/domains/program/sendmail.te     |    1 
 targeted/domains/program/ssh.te          |    3 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |   15 +
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/device.te                          |    4 
 types/devpts.te                          |    4 
 types/file.te                            |   45 +---
 types/network.te                         |   13 -
 types/nfs.te                             |    1 
 types/security.te                        |    6 
 150 files changed, 1551 insertions(+), 652 deletions(-)

Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/policy-20050916.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20050916.patch	27 Oct 2005 04:23:56 -0000	1.11
+++ policy-20050916.patch	31 Oct 2005 16:20:18 -0000	1.12
@@ -186,7 +186,7 @@
  # Share state with the init process.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/crond.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/crond.te	2005-10-31 11:17:11.000000000 -0500
 @@ -106,7 +106,7 @@
  
  # Inherit and use descriptors from initrc for anacron.
@@ -198,7 +198,7 @@
  allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/fsadm.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/fsadm.te	2005-10-31 11:17:11.000000000 -0500
 @@ -12,7 +12,7 @@
  # administration.
  # fsadm_exec_t is the type of the corresponding programs.
@@ -230,7 +230,7 @@
 +allow fsadm_t file_type:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.27.1/domains/program/hostname.te
 --- nsapolicy/domains/program/hostname.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/hostname.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/hostname.te	2005-10-31 11:17:11.000000000 -0500
 @@ -24,5 +24,5 @@
  ifdef(`distro_redhat', `
  allow hostname_t tmpfs_t:chr_file rw_file_perms;
@@ -240,7 +240,7 @@
  allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ifconfig.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/ifconfig.te	2005-10-31 11:17:11.000000000 -0500
 @@ -52,7 +52,8 @@
  allow ifconfig_t self:udp_socket create_socket_perms;
  
@@ -262,7 +262,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/initrc.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/initrc.te	2005-10-31 11:17:11.000000000 -0500
 @@ -12,7 +12,7 @@
  # initrc_exec_t is the type of the init program.
  #
@@ -323,7 +323,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.27.1/domains/program/init.te
 --- nsapolicy/domains/program/init.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/init.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/init.te	2005-10-31 11:17:11.000000000 -0500
 @@ -14,7 +14,7 @@
  # by init during initialization.  This pipe is used
  # to communicate with init.
@@ -335,7 +335,7 @@
  type init_exec_t, file_type, sysadmfile, exec_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
 --- nsapolicy/domains/program/ldconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ldconfig.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/ldconfig.te	2005-10-31 11:17:11.000000000 -0500
 @@ -16,7 +16,8 @@
  
  domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
@@ -348,7 +348,7 @@
  uses_shlib(ldconfig_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.27.1/domains/program/load_policy.te
 --- nsapolicy/domains/program/load_policy.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/load_policy.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/load_policy.te	2005-10-31 11:17:11.000000000 -0500
 @@ -8,6 +8,10 @@
  # load_policy_t is the domain type for load_policy 
  # load_policy_exec_t is the file type for the executable
@@ -378,7 +378,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/login.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/login.te	2005-10-31 11:17:11.000000000 -0500
 @@ -62,6 +62,11 @@
  
  ifdef(`pamconsole.te', `
@@ -430,7 +430,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.27.1/domains/program/logrotate.te
 --- nsapolicy/domains/program/logrotate.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/logrotate.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/logrotate.te	2005-10-31 11:17:11.000000000 -0500
 @@ -13,7 +13,7 @@
  # logrotate_t is the domain for the logrotate program.
  # logrotate_exec_t is the type of the corresponding program.
@@ -442,7 +442,7 @@
  uses_shlib(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
 --- nsapolicy/domains/program/modutil.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/modutil.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/modutil.te	2005-10-31 11:17:11.000000000 -0500
 @@ -59,7 +59,8 @@
  allow depmod_t modules_object_t:file unlink;
  
@@ -529,7 +529,7 @@
  allow update_modules_t urandom_device_t:chr_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.27.1/domains/program/mount.te
 --- nsapolicy/domains/program/mount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/mount.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/mount.te	2005-10-31 11:17:11.000000000 -0500
 @@ -16,13 +16,14 @@
  role sysadm_r types mount_t;
  role system_r types mount_t;
@@ -555,7 +555,7 @@
  allow mount_t proc_t:lnk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.27.1/domains/program/netutils.te
 --- nsapolicy/domains/program/netutils.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/netutils.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/netutils.te	2005-10-31 11:17:11.000000000 -0500
 @@ -55,7 +55,8 @@
  
  # Access terminals.
@@ -568,7 +568,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.27.1/domains/program/newrole.te
 --- nsapolicy/domains/program/newrole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/newrole.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/newrole.te	2005-10-31 11:17:11.000000000 -0500
 @@ -18,3 +18,7 @@
  allow newrole_t initrc_var_run_t:file rw_file_perms;
  
@@ -579,7 +579,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/restorecon.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/restorecon.te	2005-10-31 11:17:11.000000000 -0500
 @@ -19,7 +19,7 @@
  role sysadm_r types restorecon_t;
  role secadm_r types restorecon_t;
@@ -589,14 +589,17 @@
  allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
  
  domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
-@@ -63,3 +63,4 @@
+@@ -63,3 +63,7 @@
  allow restorecon_t kernel_t:fifo_file { read write };
  allow restorecon_t kernel_t:unix_dgram_socket { read write };
  r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-+allow restorecon_t autofs_t:dir search;
++allow restorecon_t autofs_t:dir r_dir_perms;
++ifdef(`targeted_policy', `
++allow restorecon_t devpts_t:chr_file getattr;
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
 --- nsapolicy/domains/program/setfiles.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/setfiles.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/setfiles.te	2005-10-31 11:17:11.000000000 -0500
 @@ -12,7 +12,7 @@
  #
  # needs auth_write attribute because it has relabelfrom/relabelto
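Review bot: The widening of `allow restorecon_t autofs_t:dir search;` to `allow restorecon_t autofs_t:dir r_dir_perms;` (read/getattr/lock/ioctl on top of search) carries no comment saying which denial motivated it, and listing autofs directories may trigger automount activity during a recursive relabel. A one-line comment such as `# restorecon -R must list, not merely traverse, automounted directories` would let the next maintainer decide whether the broader permission can be narrowed again. The added `allow restorecon_t devpts_t:chr_file getattr;` is wrapped in `ifdef(`targeted_policy', ...)`, so the strict policy will still audit that access if restorecon ever stats a pty; if that is deliberate, consider a `dontaudit` in the strict branch to avoid log noise, and confirm whether strict actually reaches that path.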
@@ -617,7 +620,7 @@
  allow setfiles_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ssh.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/ssh.te	2005-10-31 11:17:11.000000000 -0500
 @@ -153,6 +153,7 @@
  #
  sshd_program_domain(sshd)
@@ -644,7 +647,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
 --- nsapolicy/domains/program/su.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/su.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/su.te	2005-10-31 11:17:11.000000000 -0500
 @@ -12,3 +12,12 @@
  
  # Everything else is in the su_domain macro in
@@ -660,7 +663,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.1/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/syslogd.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/syslogd.te	2005-10-31 11:17:11.000000000 -0500
 @@ -14,9 +14,9 @@
  # by syslogd.
  #
@@ -684,7 +687,7 @@
  allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.27.1/domains/program/tmpreaper.te
 --- nsapolicy/domains/program/tmpreaper.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/tmpreaper.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/tmpreaper.te	2005-10-31 11:17:11.000000000 -0500
 @@ -8,7 +8,7 @@
  #
  # Rules for the tmpreaper_t domain.
@@ -696,7 +699,7 @@
  role system_r types tmpreaper_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/alsa.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/alsa.te	2005-10-31 11:17:04.000000000 -0500
 @@ -11,6 +11,8 @@
  allow alsa_t self:unix_stream_socket create_stream_socket_perms;
  allow alsa_t self:unix_dgram_socket create_socket_perms;
@@ -708,7 +711,7 @@
  allow alsa_t self:capability { setgid setuid ipc_owner };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/amanda.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/amanda.te	2005-10-31 11:17:04.000000000 -0500
 @@ -84,7 +84,6 @@
  
  # configuration files -> read only
@@ -870,7 +873,7 @@
 +allow amanda_t file_type:fifo_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
 --- nsapolicy/domains/program/unused/anaconda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/anaconda.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/anaconda.te	2005-10-31 11:17:04.000000000 -0500
 @@ -17,11 +17,6 @@
  role system_r types ldconfig_t;
  domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
@@ -885,7 +888,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apache.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apache.te	2005-10-31 11:17:04.000000000 -0500
 @@ -113,9 +113,12 @@
  can_network_server(httpd_t)
  can_kerberos(httpd_t)
@@ -949,7 +952,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apmd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apmd.te	2005-10-31 11:17:04.000000000 -0500
 @@ -47,6 +47,7 @@
  
  # acpid also has a logfile
@@ -982,7 +985,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/auditd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/auditd.te	2005-10-31 11:17:04.000000000 -0500
 @@ -12,6 +12,12 @@
  
  daemon_domain(auditd)
@@ -1004,7 +1007,7 @@
 +can_exec(auditd_t, sbin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
 --- nsapolicy/domains/program/unused/automount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/automount.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/automount.te	2005-10-31 11:17:04.000000000 -0500
 @@ -34,7 +34,9 @@
  can_exec(automount_t, { etc_t automount_etc_t })
  
@@ -1028,9 +1031,44 @@
  allow automount_t var_lib_t:dir search;
  allow automount_t var_lib_nfs_t:dir search;
 +
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/avahi.te policy-1.27.1/domains/program/unused/avahi.te
+--- nsapolicy/domains/program/unused/avahi.te	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.27.1/domains/program/unused/avahi.te	2005-10-31 11:17:04.000000000 -0500
+@@ -0,0 +1,31 @@
++#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
++#
++# Author:  Dan Walsh <dwalsh at redhat.com>
++#
++
++daemon_domain(avahi, `, privsysmod')
++r_dir_file(avahi_t, proc_net_t)
++can_network_server(avahi_t)
++can_ypbind(avahi_t)
++allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow avahi_t self:unix_dgram_socket  create_socket_perms;
++allow avahi_t self:capability { dac_override setgid chown kill setuid };
++allow avahi_t urandom_device_t:chr_file r_file_perms;
++allow avahi_t howl_port_t:{ udp_socket tcp_socket } name_bind;
++allow avahi_t self:fifo_file { read write };
++allow avahi_t self:netlink_route_socket r_netlink_socket_perms;
++allow avahi_t self:process setrlimit;
++allow avahi_t etc_t:file { getattr read };
++allow avahi_t initrc_t:process { signal signull };
++allow avahi_t system_dbusd_t:dbus { acquire_svc send_msg };
++allow avahi_t avahi_var_run_t:dir setattr;
++allow avahi_t avahi_var_run_t:sock_file create_file_perms;
++
++ifdef(`dbusd.te', `
++dbusd_client(system, avahi)
++ifdef(`targeted_policy', `
++allow avahi_t unconfined_t:dbus send_msg;
++allow unconfined_t avahi_t:dbus send_msg;
++')
++')
++
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-10-31 11:17:04.000000000 -0500
 @@ -11,16 +11,23 @@
  daemon_domain(bluetooth)
  
@@ -1133,7 +1171,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cups.te	2005-10-31 11:17:04.000000000 -0500
 @@ -48,7 +48,7 @@
  
  # this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
@@ -1207,7 +1245,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.27.1/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cvs.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cvs.te	2005-10-31 11:17:04.000000000 -0500
 @@ -23,6 +23,8 @@
  allow cvs_t etc_runtime_t:file { getattr read };
  allow system_mail_t cvs_data_t:file { getattr read };
@@ -1219,7 +1257,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cyrus.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cyrus.te	2005-10-31 11:17:04.000000000 -0500
 @@ -42,7 +42,7 @@
  create_dir_file(cyrus_t, mail_spool_t)
  allow cyrus_t var_spool_t:dir search;
@@ -1231,7 +1269,7 @@
  allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dbusd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dbusd.te	2005-10-31 11:17:04.000000000 -0500
 @@ -12,7 +12,7 @@
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -1249,7 +1287,7 @@
 +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dcc.te policy-1.27.1/domains/program/unused/dcc.te
 --- nsapolicy/domains/program/unused/dcc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dcc.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dcc.te	2005-10-31 11:17:04.000000000 -0500
 @@ -200,9 +200,8 @@
  can_exec_any(dcc_script_t)
  dcc_common(dcc_script)
@@ -1264,7 +1302,7 @@
  # the dcc user (even though the default dcc user is root).
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-10-31 11:17:04.000000000 -0500
 @@ -120,6 +120,7 @@
  allow dhcpc_t self:packet_socket create_socket_perms;
  allow dhcpc_t var_lib_t:dir search;
@@ -1297,7 +1335,7 @@
 +allow dhcpc_t locale_t:file write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.1/domains/program/unused/dhcpd.te
 --- nsapolicy/domains/program/unused/dhcpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-10-31 11:17:04.000000000 -0500
 @@ -17,8 +17,6 @@
  #
  daemon_domain(dhcpd, `, nscd_client_domain')
@@ -1317,7 +1355,7 @@
  allow dhcpd_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
 --- nsapolicy/domains/program/unused/dovecot.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dovecot.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dovecot.te	2005-10-31 11:17:04.000000000 -0500
 @@ -43,7 +43,9 @@
  can_kerberos(dovecot_t)
  
@@ -1331,7 +1369,7 @@
  allow dovecot_t mail_spool_t:lnk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.1/domains/program/unused/exim.te
 --- nsapolicy/domains/program/unused/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/exim.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/exim.te	2005-10-31 11:17:04.000000000 -0500
 @@ -0,0 +1,309 @@
 +#DESC Exim - Mail server
 +#
@@ -1644,7 +1682,7 @@
 +rw_dir_file(exim_db_rw_t, exim_spool_db_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.1/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ftpd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ftpd.te	2005-10-31 11:17:04.000000000 -0500
 @@ -99,9 +99,11 @@
  
  if (ftp_home_dir) {
@@ -1661,7 +1699,7 @@
  	r_dir_file(ftpd_t, nfs_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.1/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hald.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hald.te	2005-10-31 11:17:05.000000000 -0500
 @@ -24,7 +24,8 @@
  allow hald_t self:dbus send_msg;
  ')
@@ -1680,7 +1718,7 @@
 +r_dir_file(hald_t, hwdata_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hotplug.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hotplug.te	2005-10-31 11:17:05.000000000 -0500
 @@ -11,9 +11,9 @@
  # hotplug_exec_t is the type of the hotplug executable.
  #
@@ -1703,7 +1741,7 @@
  allow hotplug_t printer_device_t:chr_file setattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hwclock.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hwclock.te	2005-10-31 11:17:05.000000000 -0500
 @@ -47,3 +47,4 @@
  # for when /usr is not mounted
  dontaudit hwclock_t file_t:dir search;
@@ -1711,7 +1749,7 @@
 +r_dir_file(hwclock_t, etc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.1/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ipsec.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ipsec.te	2005-10-31 11:17:05.000000000 -0500
 @@ -219,7 +219,7 @@
  dontaudit ipsec_mgmt_t selinux_config_t:dir search;
  dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -1723,7 +1761,7 @@
  allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/kudzu.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/kudzu.te	2005-10-31 11:17:05.000000000 -0500
 @@ -20,7 +20,7 @@
  allow kudzu_t ramfs_t:dir search;
  allow kudzu_t ramfs_t:sock_file write;
@@ -1752,7 +1790,7 @@
  allow kudzu_t initrc_t:unix_stream_socket connectto;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mta.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mta.te	2005-10-31 11:17:05.000000000 -0500
 @@ -31,6 +31,10 @@
  create_dir_file(system_mail_t, mail_spool_t)
  allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
@@ -1774,7 +1812,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mysqld.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mysqld.te	2005-10-31 11:17:05.000000000 -0500
 @@ -12,7 +12,7 @@
  #
  daemon_domain(mysqld, `, nscd_client_domain')
@@ -1807,7 +1845,7 @@
  # read config files
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.1/domains/program/unused/named.te
 --- nsapolicy/domains/program/unused/named.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/named.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/named.te	2005-10-31 11:17:05.000000000 -0500
 @@ -36,7 +36,7 @@
  allow named_t self:process { setsched setcap setrlimit };
  
@@ -1863,7 +1901,7 @@
  allow ndc_t etc_t:dir r_dir_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-10-31 11:17:05.000000000 -0500
 @@ -11,7 +11,7 @@
  # NetworkManager_t is the domain for the NetworkManager daemon. 
  # NetworkManager_exec_t is the type of the NetworkManager executable.
@@ -1898,7 +1936,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.1/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/nscd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/nscd.te	2005-10-31 11:17:05.000000000 -0500
 @@ -76,3 +76,4 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
@@ -1906,7 +1944,7 @@
 +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ntpd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ntpd.te	2005-10-31 11:17:05.000000000 -0500
 @@ -26,11 +26,11 @@
  # for SSP
  allow ntpd_t urandom_device_t:chr_file { getattr read };
@@ -1934,7 +1972,7 @@
  can_exec(ntpd_t, initrc_exec_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
 --- nsapolicy/domains/program/unused/openct.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/openct.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/openct.te	2005-10-31 11:17:05.000000000 -0500
 @@ -0,0 +1,16 @@
 +#DESC openct - read files in page cache 
 +#
@@ -1954,7 +1992,7 @@
 +allow openct_t etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
 --- nsapolicy/domains/program/unused/pamconsole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-10-31 11:17:05.000000000 -0500
 @@ -3,7 +3,7 @@
  #
  # pam_console_apply
@@ -1979,7 +2017,7 @@
 +nsswitch_domain(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te
 --- nsapolicy/domains/program/unused/pegasus.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/pegasus.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pegasus.te	2005-10-31 11:17:05.000000000 -0500
 @@ -0,0 +1,37 @@
 +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
 +#
@@ -2020,7 +2058,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.1/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ping.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ping.te	2005-10-31 11:17:05.000000000 -0500
 @@ -58,6 +58,6 @@
  dontaudit ping_t devtty_t:chr_file { read write };
  dontaudit ping_t self:capability sys_tty_config;
@@ -2031,7 +2069,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
 --- nsapolicy/domains/program/unused/postfix.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postfix.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/postfix.te	2005-10-31 11:17:05.000000000 -0500
 @@ -54,6 +54,8 @@
  allow postfix_$1_t proc_net_t:dir search;
  allow postfix_$1_t proc_net_t:file { getattr read };
@@ -2152,13 +2190,16 @@
  allow postfix_local_t postfix_spool_t:file rw_file_perms;
  # for .forward - maybe we need a new type for it?
  allow postfix_local_t postfix_private_t:dir search;
-@@ -204,7 +213,12 @@
+@@ -204,7 +213,15 @@
  allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
  allow postfix_local_t postfix_public_t:dir search;
  allow postfix_local_t postfix_public_t:sock_file write;
 -can_exec(postfix_local_t, shell_exec_t)
 +tmp_domain(postfix_local)
 +can_exec(postfix_local_t,{ shell_exec_t bin_t })
++ifdef(`spamc.te', `
++can_exec(postfix_local_t, spamc_exec_t)
++')
 +allow postfix_local_t mail_spool_t:dir { remove_name };
 +allow postfix_local_t mail_spool_t:file { unlink };
 +# For reading spamassasin
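Review bot: The new `can_exec(postfix_local_t, spamc_exec_t)` runs spamc inside postfix_local_t instead of transitioning it to its own domain, so whatever spamc needs at runtime (its connection to spamd) has to be granted to postfix_local_t itself and is then held by every program local delivery pipes mail through, not just spamc. If spamc.te defines a spamc_t domain, `domain_auto_trans(postfix_local_t, spamc_exec_t, spamc_t)` inside the same ifdef would keep that surface in the spamc domain; if spamc.te only labels the executable, a comment saying so beside the ifdef would save the next reader the same question. The enclosing policy block continues outside the hunk, so I cannot tell from here which access postfix_local_t already has.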
@@ -2166,7 +2207,7 @@
  
  define(`postfix_public_domain',`
  postfix_server_domain($1)
-@@ -241,6 +255,7 @@
+@@ -241,6 +258,7 @@
  allow postfix_postqueue_t postfix_public_t:dir search;
  allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
  allow postfix_postqueue_t self:udp_socket { create ioctl };
@@ -2174,7 +2215,7 @@
  allow postfix_master_t postfix_postqueue_exec_t:file getattr;
  domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
  allow postfix_postqueue_t initrc_t:process sigchld;
-@@ -260,7 +275,7 @@
+@@ -260,7 +278,7 @@
  postfix_user_domain(showq)
  # the following auto_trans is usually in postfix server domain
  domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
@@ -2183,7 +2224,15 @@
  r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
  domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  allow postfix_showq_t self:capability { setuid setgid };
-@@ -284,7 +299,9 @@
+@@ -271,6 +289,7 @@
+ dontaudit postfix_showq_t net_conf_t:file r_file_perms;
+ 
+ postfix_user_domain(postdrop, `, mta_user_agent')
++can_resolve(postfix_postdrop_t)
+ allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
+ allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+ allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
+@@ -284,7 +303,9 @@
  allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
  # usually it does not need a UDP socket
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
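Review bot: `can_resolve(postfix_postdrop_t)` hands a setgid helper that any user runs to submit mail a DNS lookup path, and nothing in the hunk records which denial motivated it. The existing comment two lines below, `# usually it does not need a UDP socket`, now contradicts a rule that grants resolver traffic, so the two should be reconciled. A one-line comment above the new rule naming the operation that was denied would justify the widening to a later reviewer.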
@@ -2193,7 +2242,7 @@
  
  postfix_public_domain(pickup)
  allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-@@ -329,7 +346,8 @@
+@@ -329,7 +350,8 @@
  domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
  ')
  ifdef(`sendmail.te', `
@@ -2203,7 +2252,7 @@
  ')
  
  # Program for creating database files
-@@ -348,5 +366,3 @@
+@@ -348,5 +370,3 @@
  dontaudit postfix_map_t var_t:dir search;
  can_network_server(postfix_map_t)
  allow postfix_map_t port_type:tcp_socket name_connect;
@@ -2211,7 +2260,7 @@
 -allow postfix_local_t mail_spool_t:file { unlink };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.27.1/domains/program/unused/postgresql.te
 --- nsapolicy/domains/program/unused/postgresql.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postgresql.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/postgresql.te	2005-10-31 11:17:05.000000000 -0500
 @@ -51,7 +51,6 @@
  
  # Use the network.
@@ -2241,7 +2290,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pppd.te	2005-10-31 11:17:05.000000000 -0500
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
@@ -2318,7 +2367,7 @@
 +allow pppd_t initrc_t:process noatsecure;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/procmail.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/procmail.te	2005-10-31 11:17:05.000000000 -0500
 @@ -19,8 +19,7 @@
  uses_shlib(procmail_t)
  allow procmail_t device_t:dir search;
@@ -2346,7 +2395,7 @@
  # Search /var/run.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te
 --- nsapolicy/domains/program/unused/readahead.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/readahead.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/readahead.te	2005-10-31 11:17:05.000000000 -0500
 @@ -0,0 +1,21 @@
 +#DESC readahead - read files in page cache 
 +#
@@ -2371,7 +2420,7 @@
 +dontaudit readahead_t device_type:blk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.27.1/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rlogind.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rlogind.te	2005-10-31 11:17:05.000000000 -0500
 @@ -35,4 +35,6 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
@@ -2382,7 +2431,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te
 --- nsapolicy/domains/program/unused/roundup.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/roundup.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/roundup.te	2005-10-31 11:17:05.000000000 -0500
 @@ -0,0 +1,29 @@
 +# Roundup Issue Tracking System
 +#
@@ -2415,7 +2464,7 @@
 +allow roundup_t etc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.1/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpcd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpcd.te	2005-10-31 11:17:05.000000000 -0500
 @@ -19,7 +19,7 @@
  can_network($1_t)
  allow $1_t port_type:tcp_socket name_connect;
@@ -2449,7 +2498,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.27.1/domains/program/unused/rpm.te
 --- nsapolicy/domains/program/unused/rpm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpm.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpm.te	2005-10-31 11:17:05.000000000 -0500
 @@ -10,7 +10,7 @@
  # rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
  # rpm_var_lib_t is the type for rpm files in /var/lib
@@ -2470,7 +2519,7 @@
  uses_shlib(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.1/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rsync.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rsync.te	2005-10-31 11:17:05.000000000 -0500
 @@ -15,5 +15,4 @@
  type rsync_data_t, file_type, sysadmfile;
  r_dir_file(rsync_t, rsync_data_t)
@@ -2480,7 +2529,7 @@
 +allow rsync_t self:capability sys_chroot;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/samba.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/samba.te	2005-10-31 11:17:05.000000000 -0500
 @@ -25,6 +25,9 @@
  # not sure why it needs this
  tmp_domain(smbd)
@@ -2515,9 +2564,17 @@
  allow smbd_t usr_t:file { getattr read };
  
  # Access Samba shares.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.27.1/domains/program/unused/saslauthd.te
+--- nsapolicy/domains/program/unused/saslauthd.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/domains/program/unused/saslauthd.te	2005-10-31 11:17:05.000000000 -0500
+@@ -39,3 +39,4 @@
+ allow saslauthd_t mysqld_db_t:dir search;
+ allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
+ ')
++dontaudit saslauthd_t self:capability setuid;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.27.1/domains/program/unused/sendmail.te
 --- nsapolicy/domains/program/unused/sendmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/sendmail.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/sendmail.te	2005-10-31 11:17:05.000000000 -0500
 @@ -13,9 +13,6 @@
  # daemon started by the init rc scripts.
  #
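Review bot: `dontaudit saslauthd_t self:capability setuid;` silences the denial rather than granting or removing its cause, so if an authentication mechanism does need setuid, the resulting failure will now leave no AVC record to debug from. That is acceptable if saslauthd merely probes the capability, but the rule should say so: `# saslauthd probes setuid it does not use; suppress the AVC noise` (wording to be confirmed against the observed denial).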
@@ -2530,7 +2587,7 @@
  tmp_domain(sendmail)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
 --- nsapolicy/domains/program/unused/snmpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/snmpd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/snmpd.te	2005-10-31 11:17:05.000000000 -0500
 @@ -22,8 +22,9 @@
  
  # for the .index file
@@ -2560,8 +2617,35 @@
  dontaudit snmpd_t selinux_config_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.27.1/domains/program/unused/spamd.te
 --- nsapolicy/domains/program/unused/spamd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/spamd.te	2005-10-27 00:08:05.000000000 -0400
-@@ -52,20 +52,4 @@
++++ policy-1.27.1/domains/program/unused/spamd.te	2005-10-31 11:17:05.000000000 -0500
+@@ -9,20 +9,22 @@
+ 
+ tmp_domain(spamd)
+ 
+-allow spamd_t spamd_port_t:tcp_socket name_bind;
+-
+ general_domain_access(spamd_t)
+ uses_shlib(spamd_t)
+-can_ypbind(spamd_t)
+ read_sysctl(spamd_t)
+ 
+ # Various Perl bits
+ allow spamd_t lib_t:file rx_file_perms;
+ dontaudit spamd_t shadow_t:file { getattr read };
+ dontaudit spamd_t initrc_var_run_t:file { read write lock };
+-dontaudit spamd_t sysadm_home_dir_t:dir getattr;
++dontaudit spamd_t sysadm_home_dir_t:dir { getattr search };
+ 
+ can_network_server(spamd_t)
++allow spamd_t spamd_port_t:tcp_socket name_bind;
++allow spamd_t port_type:udp_socket name_bind;
++dontaudit spamd_t reserved_port_type:udp_socket name_bind;
++can_ypbind(spamd_t)
++can_resolve(spamd_t)
+ allow spamd_t self:capability net_bind_service;
+ 
+ allow spamd_t proc_t:file { getattr read };
+@@ -52,20 +54,4 @@
  allow spamd_t urandom_device_t:chr_file { getattr read };
  
  system_crond_entry(spamd_exec_t, spamd_t)
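Review bot: `allow spamd_t port_type:udp_socket name_bind;` lets spamd bind to every labeled UDP port, and if the reserved port types also carry the port_type attribute (as I would expect from attrib.te, which is not visible here) the following `dontaudit spamd_t reserved_port_type:udp_socket name_bind;` is already covered by the allow and does nothing. The pairing suggests the intent was the resolver's ephemeral source port, which would be expressed by `allow spamd_t port_t:udp_socket name_bind;` on the generic port type together with the dontaudit for the rare reserved collision. A comment stating which binding spamd actually needs would settle which form is right.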
@@ -2582,10 +2666,10 @@
 -allow spamd_t user_home_dir_type:dir { search getattr };
 -
 -
-+ifdef(`targeted_policy', `home_domain_ro_access(spamd_t, user)')
++ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/squid.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/squid.te	2005-10-31 11:17:05.000000000 -0500
 @@ -60,7 +60,7 @@
  can_tcp_connect(web_client_domain, squid_t)
  
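Review bot: Switching to `home_domain_access(spamd_t, user)` moves spamd under targeted policy from read-only to create and write access over the whole user home tree, since the macro body (see the home_macros.te hunks further down) grants create_dir_file on user_home_t plus a file_type_auto_trans into it. The macro's optional third argument selects a narrower `user_<subtype>_home_t` type, which would confine the writes to the per-user spamassassin data if such a type were declared and labeled. At minimum the ifdef line deserves a comment recording why write access is required so the widening is deliberate rather than incidental.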
@@ -2603,7 +2687,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/udev.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/udev.te	2005-10-31 11:17:05.000000000 -0500
 @@ -28,12 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -2635,7 +2719,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.27.1/domains/program/unused/utempter.te
 --- nsapolicy/domains/program/unused/utempter.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/utempter.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/utempter.te	2005-10-31 11:17:05.000000000 -0500
 @@ -19,6 +19,8 @@
  type utempter_exec_t, file_type, sysadmfile, exec_type;
  domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
@@ -2647,7 +2731,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.1/domains/program/unused/webalizer.te
 --- nsapolicy/domains/program/unused/webalizer.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/webalizer.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/webalizer.te	2005-10-31 11:17:05.000000000 -0500
 @@ -20,6 +20,9 @@
  #read apache log
  allow webalizer_t var_log_t:dir r_dir_perms;
@@ -2660,7 +2744,7 @@
  var_lib_domain(webalizer)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/winbind.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/winbind.te	2005-10-31 11:17:05.000000000 -0500
 @@ -44,6 +44,7 @@
  r_dir_file(winbind_t, samba_etc_t)
  allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
@@ -2671,7 +2755,7 @@
  allow winbind_helper_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/xdm.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/xdm.te	2005-10-31 11:17:05.000000000 -0500
 @@ -371,3 +371,6 @@
  dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
  
@@ -2681,7 +2765,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.1/domains/program/unused/yppasswdd.te
 --- nsapolicy/domains/program/unused/yppasswdd.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-10-31 11:17:05.000000000 -0500
 @@ -0,0 +1,40 @@
 +#DESC yppassdd - NIS password update daemon
 +#
@@ -2725,7 +2809,7 @@
 +rw_dir_create_file(yppasswdd_t, var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.1/domains/program/unused/ypserv.te
 --- nsapolicy/domains/program/unused/ypserv.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ypserv.te	2005-10-27 00:08:05.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ypserv.te	2005-10-31 11:17:05.000000000 -0500
 @@ -39,3 +39,4 @@
  ')
  allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
@@ -2733,7 +2817,7 @@
 +can_exec(ypserv_t, bin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.27.1/domains/program/useradd.te
 --- nsapolicy/domains/program/useradd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/useradd.te	2005-10-24 10:34:39.000000000 -0400
++++ policy-1.27.1/domains/program/useradd.te	2005-10-31 11:17:11.000000000 -0500
 @@ -55,7 +55,6 @@
  # useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
  # but will operate without them.
@@ -3203,15 +3287,15 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.1/macros/home_macros.te
 --- nsapolicy/macros/home_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/home_macros.te	2005-10-24 10:34:26.000000000 -0400
++++ policy-1.27.1/macros/home_macros.te	2005-10-31 11:17:50.000000000 -0500
 @@ -68,7 +68,11 @@
  define(`home_domain_ro_access', `
  allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
  read_network_home($1)
-+ifelse($3, `
- r_dir_file($1, $2_$3_ro_home_t)
-+', `
++ifelse($3, `', `
 +r_dir_file($1, $2_home_t)
++', `
+ r_dir_file($1, $2_$3_ro_home_t)
 +')
  ') dnl home_domain_ro_access
  
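Review bot: The corrected `ifelse($3, `', ...)` now branches on whether the third argument is empty, but neither macro documents that argument; a line such as `dnl $3: optional home subtype; empty grants the generic $2_home_t, otherwise $2_$3_ro_home_t` above the define would make the contract visible. The same applies to home_domain_access in the hunk that follows, where the subtype branch also lacks the `file_type_auto_trans` that its empty-argument counterpart gains, so files $1 creates directly in $2_home_dir_t would not be relabeled to $2_$3_home_t; worth confirming that asymmetry is intended.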
@@ -3220,11 +3304,11 @@
  define(`home_domain_access', `
  allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
  write_network_home($1)
-+ifelse($3, `
- create_dir_file($1, $2_$3_home_t)
-+', `
++ifelse($3, `', `
 +file_type_auto_trans($1, $2_home_dir_t, $2_home_t)
 +create_dir_file($1, $2_home_t)
++', `
+ create_dir_file($1, $2_$3_home_t)
 +')
  ') dnl home_domain_access
  


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/selinux-policy-strict.spec,v
retrieving revision 1.329
retrieving revision 1.330
diff -u -r1.329 -r1.330
--- selinux-policy-strict.spec	27 Oct 2005 04:27:35 -0000	1.329
+++ selinux-policy-strict.spec	31 Oct 2005 16:20:18 -0000	1.330
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.27.1
-Release: 2.11
+Release: 2.12
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -222,13 +222,16 @@
 if [ -x /usr/sbin/selinuxenabled -a -f /etc/selinux/config ]; then
 	. /etc/selinux/config
 	if [ "${SELINUXTYPE}" = "%{type}" ] && /usr/sbin/selinuxenabled; then
-		make -C %{POLICYDIR}/src/policy load > /dev/null 2>&1
+		make -C %{POLICYDIR}/src/policy -W users load > /dev/null 2>&1
 		[ -f %{PRE_FILE_CONTEXT} ] && fixfiles -l /dev/null -C %{PRE_FILE_CONTEXT} restore && rm -f %{PRE_FILE_CONTEXT} 
 	fi
 fi
 exit 0
 
 %changelog
+* Mon Oct 31 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.12
+- Fix Handling of spamd, postfix
+
 * Thu Oct 27 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.11
 - Fix disable_postfix_trans boolean
 
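Review bot: The rewritten `make -C %{POLICYDIR}/src/policy -W users load > /dev/null 2>&1` still discards both stdout and stderr, and the script ends with `exit 0`, so a policy that fails to build or load during %post leaves the package installed with the old policy active and no message anywhere. Dropping the `2>&1` so that stderr reaches rpm's output, `make -C %{POLICYDIR}/src/policy -W users load > /dev/null`, keeps the quiet success path while making a failed load visible. The `-W users` forced rebuild itself looks right for picking up the users file change.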



