rpms/selinux-policy/devel policy-20060411.patch, 1.6, 1.7 selinux-policy.spec, 1.175, 1.176
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Apr 19 11:55:47 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv19882
Modified Files:
policy-20060411.patch selinux-policy.spec
Log Message:
* Tue Apr 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.33-1
- Update to latest from upstream
- Add James Antill patch for xen
- Many fixes for pegasus
policy-20060411.patch:
Rules.modular | 2 -
policy/modules/apps/java.te | 3 ++
policy/modules/kernel/devices.if | 20 ++++++++++++++++++
policy/modules/kernel/files.if | 35 ++++++++++++++++++++++++++++++++
policy/modules/kernel/mls.te | 1
policy/modules/services/cups.fc | 3 +-
policy/modules/services/ftp.te | 1
policy/modules/services/pegasus.fc | 1
policy/modules/services/pegasus.te | 8 +++++++
policy/modules/services/postfix.te | 2 +
policy/modules/services/postgresql.if | 4 ++-
policy/modules/services/privoxy.te | 1
policy/modules/services/samba.te | 5 +++-
policy/modules/services/spamassassin.fc | 2 -
policy/modules/services/xserver.if | 21 +++++++++++++++++++
policy/modules/system/authlogin.te | 4 +++
policy/modules/system/fstools.te | 1
policy/modules/system/init.te | 1
policy/modules/system/libraries.fc | 5 +++-
policy/modules/system/mount.if | 22 ++++++++++++++++++++
policy/modules/system/mount.te | 9 ++++++++
policy/modules/system/selinuxutil.if | 4 +--
policy/modules/system/sysnetwork.te | 2 +
policy/modules/system/unconfined.if | 18 ++++++++++++++++
policy/modules/system/unconfined.te | 7 ++----
policy/modules/system/userdomain.if | 1
policy/modules/system/xen.if | 18 ++++++++++++++++
policy/modules/system/xen.te | 1
28 files changed, 190 insertions(+), 12 deletions(-)
Index: policy-20060411.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060411.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20060411.patch 17 Apr 2006 11:27:44 -0000 1.6
+++ policy-20060411.patch 19 Apr 2006 11:55:43 -0000 1.7
@@ -1,241 +1,21 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.2.32/policy/mcs
---- nsaserefpolicy/policy/mcs 2006-03-29 11:23:41.000000000 -0500
-+++ serefpolicy-2.2.32/policy/mcs 2006-04-14 12:06:19.000000000 -0400
-@@ -134,14 +134,18 @@
- # the high range of the file. We use the high range of the process so
- # that processes can always simply run at s0.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.33/policy/modules/apps/java.te
+--- nsaserefpolicy/policy/modules/apps/java.te 2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/apps/java.te 2006-04-18 23:10:07.000000000 -0400
+@@ -7,8 +7,11 @@
#
--# Only files are constrained by MCS at this stage.
-+# Note that getattr on files is always permitted.
- #
- mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
- ( h1 dom h2 );
-
-+# New filesystem object labels must be dominated by the relabeling subject
-+# clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
-
-+# At this time we do not restrict "ps" type operations via MCS. This
-+# will probably change in future.
- mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.2.32/policy/modules/admin/amanda.te
---- nsaserefpolicy/policy/modules/admin/amanda.te 2006-03-24 11:15:40.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/admin/amanda.te 2006-04-14 14:29:14.000000000 -0400
-@@ -9,6 +9,7 @@
- type amanda_t;
- type amanda_inetd_exec_t;
- inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
-+inetd_tcp_service_domain(amanda_t,amanda_inetd_exec_t)
- role system_r types amanda_t;
-
- type amanda_exec_t;
-@@ -141,6 +142,10 @@
- corenet_non_ipsec_sendrecv(amanda_t)
- corenet_tcp_bind_all_nodes(amanda_t)
- corenet_udp_bind_all_nodes(amanda_t)
-+corenet_tcp_bind_reserved_port(amanda_t)
-+corenet_udp_bind_reserved_port(amanda_t)
-+corenet_dontaudit_tcp_bind_all_reserved_ports(amanda_t)
-+corenet_dontaudit_udp_bind_all_reserved_ports(amanda_t)
-
- dev_getattr_all_blk_files(amanda_t)
- dev_getattr_all_chr_files(amanda_t)
-@@ -183,13 +188,15 @@
-
- optional_policy(`
- nscd_socket_use(amanda_t)
-+ nscd_socket_use(amanda_recover_t)
- ')
-
- ########################################
- #
- # Amanda recover local policy
-
--allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
-+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
-+corenet_tcp_bind_reserved_port(amanda_recover_t)
- allow amanda_recover_t self:process { sigkill sigstop signal };
- allow amanda_recover_t self:fifo_file { getattr ioctl read write };
- allow amanda_recover_t self:unix_stream_socket { connect create read write };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.2.32/policy/modules/admin/bootloader.te
---- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-04-04 18:06:37.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/admin/bootloader.te 2006-04-14 12:06:19.000000000 -0400
-@@ -84,6 +84,7 @@
- dev_read_sysfs(bootloader_t)
- # for reading BIOS data
- dev_read_raw_memory(bootloader_t)
-+mls_file_read_up(bootloader_t)
-
- fs_getattr_xattr_fs(bootloader_t)
- fs_read_tmpfs_symlinks(bootloader_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.32/policy/modules/admin/rpm.fc
---- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-04-04 18:06:37.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/admin/rpm.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -10,6 +10,7 @@
- /usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
-
- /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- ifdef(`distro_redhat', `
- /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.fc serefpolicy-2.2.32/policy/modules/admin/su.fc
---- nsaserefpolicy/policy/modules/admin/su.fc 2006-03-23 14:33:29.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/admin/su.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -1,5 +1,5 @@
-
- /bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-
--/usr(/local)?/bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
-+/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
- /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.32/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/admin/usermanage.te 2006-04-14 12:06:19.000000000 -0400
-@@ -514,6 +514,7 @@
- # Add/remove user home directories
- userdom_home_filetrans_generic_user_home_dir(useradd_t)
- userdom_manage_generic_user_home_content_dirs(useradd_t)
-+userdom_manage_staff_home_dir(useradd_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
-
- mta_manage_spool(useradd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.32/policy/modules/apps/java.fc
---- nsaserefpolicy/policy/modules/apps/java.fc 2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/apps/java.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -1,11 +1,8 @@
- #
--# /opt
--#
--/opt(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
--
--#
- # /usr
- #
--/usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.32/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te 2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/apps/java.te 2006-04-14 12:06:19.000000000 -0400
-@@ -10,6 +10,7 @@
- domain_type(java_t)
+ type java_t;
++domain_type(java_t)
++
type java_exec_t;
-+init_system_domain(java_t,java_exec_t)
- files_type(java_exec_t)
+ init_system_domain(java_t,java_exec_t)
++files_type(java_exec_t)
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.32/policy/modules/apps/mono.te
---- nsaserefpolicy/policy/modules/apps/mono.te 2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/apps/mono.te 2006-04-14 12:06:19.000000000 -0400
-@@ -22,6 +22,8 @@
- unconfined_domain_noaudit(mono_t)
- role system_r types mono_t;
-
-+ init_dbus_chat_script(mono_t)
-+
- optional_policy(`
- avahi_dbus_chat(mono_t)
- ')
-@@ -29,4 +31,8 @@
- optional_policy(`
- hal_dbus_chat(mono_t)
- ')
-+ optional_policy(`
-+ networkmanager_dbus_chat(mono_t)
-+ ')
-+
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.32/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-04-10 17:05:08.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/kernel/corecommands.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -2,7 +2,8 @@
- #
- # /bin
- #
--/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/bin -d gen_context(system_u:object_r:bin_t,s0)
-+/bin/.* gen_context(system_u:object_r:bin_t,s0)
- /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
- /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -86,27 +87,30 @@
#
- # /sbin
- #
--/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-+/sbin -d gen_context(system_u:object_r:sbin_t,s0)
-+/sbin/.* gen_context(system_u:object_r:sbin_t,s0)
- /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:sbin_t,s0)
- /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:sbin_t,s0)
-
- #
- # /opt
- #
--/opt(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/opt(/.*)?/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/opt(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-+/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-
- #
- # /usr
- #
--/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
--/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-+/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-+/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-
- /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.32/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/kernel/devices.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -1,5 +1,6 @@
-
--/dev(/.*)? gen_context(system_u:object_r:device_t,s0)
-+/dev -d gen_context(system_u:object_r:device_t,s0)
-+/dev/.* gen_context(system_u:object_r:device_t,s0)
-
- /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/adsp -c gen_context(system_u:object_r:sound_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.32/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if 2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/kernel/devices.if 2006-04-14 12:06:19.000000000 -0400
-@@ -2701,7 +2701,7 @@
- ')
-
- allow $1 device_t:dir r_dir_perms;
-- allow $1 xen_device_t:chr_file r_file_perms;
-+ allow $1 xen_device_t:chr_file rw_file_perms;
- ')
-
- ########################################
-@@ -2720,7 +2720,7 @@
- ')
-
- allow $1 device_t:dir r_dir_perms;
-- allow $1 xen_device_t:chr_file r_file_perms;
-+ allow $1 xen_device_t:chr_file manage_file_perms;
- ')
-
- ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.33/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/kernel/devices.if 2006-04-18 23:10:07.000000000 -0400
@@ -2874,3 +2874,23 @@
typeattribute $1 devices_unconfined_type;
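Review bot: The two lines this patch adds to java.te, `domain_type(java_t)` and `files_type(java_exec_t)`, look redundant with the `init_system_domain(java_t,java_exec_t)` call that now sits between them: in reference policy that interface already marks its first argument as a domain and its second as an entry-point file type, so the explicit calls add nothing unless this tree's init_system_domain differs, which is worth confirming before carrying the change forward. If they are kept, a one-line comment would save the next reader the same check, e.g. `# explicit domain_type/files_type: init_system_domain in this tree does not declare them`. The rest of this hunk only drops changes that were merged upstream in 2.2.33 and refreshes the devices.if diff headers.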
@@ -260,140 +40,37 @@
+ dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.32/policy/modules/kernel/files.fc
---- nsaserefpolicy/policy/modules/kernel/files.fc 2006-03-23 14:33:29.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/kernel/files.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -25,7 +25,8 @@
- #
- # /boot
- #
--/boot(/.*)? gen_context(system_u:object_r:boot_t,s0)
-+/boot -d gen_context(system_u:object_r:boot_t,s0)
-+/boot/.* gen_context(system_u:object_r:boot_t,s0)
- /boot/\.journal <<none>>
- /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
- /boot/lost\+found/.* <<none>>
-@@ -36,13 +37,15 @@
- #
-
- ifdef(`distro_redhat',`
--/emul(/.*)? gen_context(system_u:object_r:usr_t,s0)
-+/emul -d gen_context(system_u:object_r:usr_t,s0)
-+/emul/.* gen_context(system_u:object_r:usr_t,s0)
- ')
-
- #
- # /etc
- #
--/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
-+/etc -d gen_context(system_u:object_r:etc_t,s0)
-+/etc/.* gen_context(system_u:object_r:etc_t,s0)
- /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +107,8 @@
- #
- # /lib(64)?
- #
--/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-+/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-+/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-
- #
- # /lost+found
-@@ -139,29 +143,34 @@
- #
- # /opt
- #
--/opt(/.*)? gen_context(system_u:object_r:usr_t,s0)
-+/opt -d gen_context(system_u:object_r:usr_t,s0)
-+/opt/.* gen_context(system_u:object_r:usr_t,s0)
-
--/opt(/.*)?/var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-+/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-
- #
- # /proc
- #
--/proc(/.*)? <<none>>
-+/proc -d <<none>>
-+/proc/.* <<none>>
-
- #
- # /selinux
- #
--/selinux(/.*)? <<none>>
-+/selinux -d <<none>>
-+/selinux/.* <<none>>
-
- #
- # /srv
- #
--/srv(/.*)? gen_context(system_u:object_r:var_t,s0)
-+/srv -d gen_context(system_u:object_r:var_t,s0)
-+/srv/.* gen_context(system_u:object_r:var_t,s0)
-
- #
- # /sys
- #
--/sys(/.*)? <<none>>
-+/sys -d <<none>>
-+/sys/.* <<none>>
-
- #
- # /tmp
-@@ -176,7 +185,8 @@
- #
- # /usr
- #
--/usr(/.*)? gen_context(system_u:object_r:usr_t,s0)
-+/usr -d gen_context(system_u:object_r:usr_t,s0)
-+/usr/.* gen_context(system_u:object_r:usr_t,s0)
- /usr/\.journal <<none>>
-
- /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -200,7 +210,7 @@
- /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
- /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
--/usr/src(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-+/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
- /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
- /usr/tmp/.* <<none>>
-@@ -208,7 +218,8 @@
- #
- # /var
- #
--/var(/.*)? gen_context(system_u:object_r:var_t,s0)
-+/var -d gen_context(system_u:object_r:var_t,s0)
-+/var/.* gen_context(system_u:object_r:var_t,s0)
- /var/\.journal <<none>>
-
- /var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.32/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2006-04-14 07:58:12.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/kernel/files.if 2006-04-14 12:06:19.000000000 -0400
-@@ -948,6 +948,18 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.33/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/kernel/files.if 2006-04-19 07:51:01.000000000 -0400
+@@ -1268,6 +1268,26 @@
########################################
- #
-+# files_stat_all_mountpoints(domain)
+ ## <summary>
++## Read kernel files in the /boot directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
+#
-+interface(`files_stat_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
-+
-+ allow $1 mountpoint:dir { getattr };
++interface(`files_read_kernel_img',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ allow $1 boot_t:dir r_dir_perms;
++ allow $1 boot_t:file { getattr read };
++ allow $1 boot_t:lnk_file { getattr read };
+')
+
+########################################
-+#
- # files_list_root(domain)
- #
- interface(`files_list_root',`
-@@ -1661,6 +1673,21 @@
++## <summary>
+ ## Install a kernel into the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -1679,6 +1699,21 @@
')
########################################
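Review bot: The new `files_read_kernel_img` interface is wider than its name and summary suggest: `allow $1 boot_t:file { getattr read }` covers every boot_t file under /boot, which in this tree appears to include initrds, System.map and anything else labeled boot_t, not just kernel images, so each caller (xen.if, judging by the diffstat) gets read access to all of it. No narrower kernel-image type is visible in the policy, so the honest fix is in the documentation: `## Read all boot_t files and symlinks under /boot (kernel images, initrds, System.map and other boot_t content); no narrower kernel-image type exists.` The file rule also uses the bare permission set `{ getattr read }` while the directory rule uses `r_dir_perms`; if withholding lock/ioctl was deliberate, a comment saying so would stop a later cleanup from "fixing" it to `r_file_perms`.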
@@ -415,36 +92,9 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.32/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-04-10 17:05:10.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/kernel/kernel.if 2006-04-14 12:06:19.000000000 -0400
-@@ -1148,7 +1148,8 @@
-
- allow $1 proc_t:dir search;
- allow $1 sysctl_t:dir r_dir_perms;
-- allow $1 sysctl_vm_t:dir list_dir_perms;
-+#hal needs allow hald_t sysctl_vm_t:dir write;
-+ allow $1 sysctl_vm_t:dir rw_dir_perms;
- allow $1 sysctl_vm_t:file rw_file_perms;
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.2.32/policy/modules/kernel/mcs.te
---- nsaserefpolicy/policy/modules/kernel/mcs.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/kernel/mcs.te 2006-04-14 12:06:19.000000000 -0400
-@@ -32,6 +32,10 @@
- type xdm_exec_t;
-
- ifdef(`enable_mcs',`
-+# The eventual plan is to have a range_transition to s0 for the daemon by
-+# default and have the daemons which need to run with all categories be
-+# exceptions. But while range_transitions have to be in the base module
-+# this is not possible.
- range_transition getty_t login_exec_t s0 - s0:c0.c255;
- range_transition init_t xdm_exec_t s0 - s0:c0.c255;
- range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.32/policy/modules/kernel/mls.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.33/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-03-07 10:31:09.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/kernel/mls.te 2006-04-14 12:06:19.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/kernel/mls.te 2006-04-18 23:10:07.000000000 -0400
@@ -60,6 +60,7 @@
ifdef(`enable_mls',`
@@ -453,31 +103,9 @@
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.32/policy/modules/services/avahi.te
---- nsaserefpolicy/policy/modules/services/avahi.te 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/avahi.te 2006-04-14 12:06:19.000000000 -0400
-@@ -92,6 +92,7 @@
- dbus_system_bus_client_template(avahi,avahi_t)
- dbus_connect_system_bus(avahi_t)
- dbus_send_system_bus(avahi_t)
-+ init_dbus_chat_script(avahi_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-2.2.32/policy/modules/services/bind.fc
---- nsaserefpolicy/policy/modules/services/bind.fc 2006-01-16 17:04:24.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/bind.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -29,6 +29,7 @@
-
- ifdef(`distro_redhat',`
- /etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
-+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
- /var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
- /var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
- /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.32/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.33/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-03-23 14:33:30.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/cups.fc 2006-04-17 07:15:02.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/cups.fc 2006-04-18 23:10:07.000000000 -0400
@@ -35,7 +35,8 @@
/usr/share/hplip/hpssd.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
@@ -488,9 +116,9 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.32/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.33/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-04-12 13:44:37.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/ftp.te 2006-04-14 13:41:32.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/ftp.te 2006-04-18 23:10:07.000000000 -0400
@@ -126,6 +126,7 @@
seutil_dontaudit_search_config(ftpd_t)
@@ -499,83 +127,58 @@
userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.32/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te 2006-04-12 13:44:37.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/hal.te 2006-04-14 12:06:19.000000000 -0400
-@@ -103,6 +103,7 @@
- fs_getattr_all_fs(hald_t)
- fs_search_all(hald_t)
- fs_list_auto_mountpoints(hald_t)
-+files_stat_all_mountpoints(hald_t)
-
- mls_file_read_up(hald_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-2.2.32/policy/modules/services/kerberos.fc
---- nsaserefpolicy/policy/modules/services/kerberos.fc 2005-10-06 17:29:17.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/kerberos.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -5,8 +5,8 @@
- /etc/krb5kdc/kadm5.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
- /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-
--/usr(/local)?(/kerberos)?/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
--/usr(/local)?(/kerberos)?/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
-
- /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-2.2.32/policy/modules/services/mailman.if
---- nsaserefpolicy/policy/modules/services/mailman.if 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/mailman.if 2006-04-14 12:06:19.000000000 -0400
-@@ -200,6 +200,44 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.fc serefpolicy-2.2.33/policy/modules/services/pegasus.fc
+--- nsaserefpolicy/policy/modules/services/pegasus.fc 2005-11-07 15:10:44.000000000 -0500
++++ serefpolicy-2.2.33/policy/modules/services/pegasus.fc 2006-04-19 07:45:04.000000000 -0400
+@@ -3,6 +3,7 @@
+ /etc/Pegasus/pegasus_current.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+
+ /usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
++
+ /usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+
+ /var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.33/policy/modules/services/pegasus.te
+--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/pegasus.te 2006-04-19 07:53:45.000000000 -0400
+@@ -79,11 +79,16 @@
+ corenet_tcp_connect_pegasus_https_port(pegasus_t)
+ corenet_tcp_connect_generic_port(pegasus_t)
+
++corecmd_exec_sbin(pegasus_t)
++corecmd_exec_bin(pegasus_t)
++corecmd_exec_shell(pegasus_t)
++
+ dev_read_sysfs(pegasus_t)
+ dev_read_urand(pegasus_t)
+
+ fs_getattr_all_fs(pegasus_t)
+ fs_search_auto_mountpoints(pegasus_t)
++files_getattr_all_dirs(pegasus_t)
+
+ term_dontaudit_use_console(pegasus_t)
+
+@@ -98,6 +103,8 @@
+ files_read_var_lib_files(pegasus_t)
+ files_read_var_lib_symlinks(pegasus_t)
+
++hostname_exec(pegasus_t)
++
+ init_use_fds(pegasus_t)
+ init_use_script_ptys(pegasus_t)
+ init_rw_utmp(pegasus_t)
+@@ -116,6 +123,7 @@
+ term_dontaudit_use_unallocated_ttys(pegasus_t)
+ term_dontaudit_use_generic_ptys(pegasus_t)
+ files_dontaudit_read_root_files(pegasus_t)
++ unconfined_signull(pegasus_t)
+ ')
- #######################################
- ## <summary>
-+## Allow domain to to create mailman data files and write the directory
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mailman_create_data_file',`
-+ gen_require(`
-+ type mailman_data_t;
-+ ')
-+
-+ allow $1 mailman_data_t:dir rw_dir_perms;
-+ allow $1 mailman_data_t:file create_file_perms;
-+')
-+
-+#######################################
-+## <summary>
-+## Allow domain to to read mailman data files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mailman_read_data_file',`
-+ gen_require(`
-+ type mailman_data_t;
-+ ')
-+
-+ allow $1 mailman_data_t:dir search_dir_perms;
-+ allow $1 mailman_data_t:file read_file_perms;
-+')
-+
-+#######################################
-+## <summary>
- ## List the contents of mailman data directories.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.32/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/postfix.te 2006-04-14 14:54:13.000000000 -0400
-@@ -305,6 +305,7 @@
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.33/policy/modules/services/postfix.te
+--- nsaserefpolicy/policy/modules/services/postfix.te 2006-04-18 22:50:00.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/postfix.te 2006-04-18 23:10:07.000000000 -0400
+@@ -315,6 +315,7 @@
kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
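Review bot: `corecmd_exec_shell(pegasus_t)` together with `corecmd_exec_bin` and `corecmd_exec_sbin` lets cimserver run any shell or system binary without a domain transition, so everything it spawns inherits pegasus_t's full permission set, including the generic-port TCP connects and var_lib/sysfs reads visible in the surrounding context; for a daemon that listens on a network port, a bug in a CIM provider could then become command execution with the whole domain's rights. If only a few providers need to shell out, prefer per-binary exec interfaces or a domain transition for those helpers, or at minimum record why the blanket grant is needed, e.g. `# CIM providers shell out to system tools; no confined provider domain exists yet`. `unconfined_signull(pegasus_t)` and `files_getattr_all_dirs(pegasus_t)` are minor by comparison. The pegasus.te local policy continues outside this hunk.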
@@ -583,7 +186,7 @@
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
-@@ -350,6 +351,7 @@
+@@ -360,6 +361,7 @@
ifdef(`targeted_policy',`
# FIXME: would be better to use a run interface
role system_r types postfix_map_t;
@@ -591,19 +194,9 @@
')
tunable_policy(`read_default_t',`
-@@ -408,6 +410,9 @@
-
- optional_policy(`
- mailman_domtrans_queue(postfix_pipe_t)
-+# for postalias
-+ mailman_create_data_file(postfix_master_t)
-+ mailman_read_data_file(postfix_local_t)
- ')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-2.2.32/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-2.2.33/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if 2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/postgresql.if 2006-04-14 16:09:39.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/postgresql.if 2006-04-18 23:10:07.000000000 -0400
@@ -113,10 +113,12 @@
#
interface(`postgresql_stream_connect',`
@@ -618,9 +211,9 @@
+ # Some versions of postgresql put the sock file in /tmp
+ allow $1 postgresql_tmp_t:sock_file write;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-2.2.32/policy/modules/services/privoxy.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-2.2.33/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/privoxy.te 2006-04-17 06:37:23.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/privoxy.te 2006-04-18 23:10:07.000000000 -0400
@@ -50,6 +50,7 @@
corenet_non_ipsec_sendrecv(privoxy_t)
corenet_tcp_bind_http_cache_port(privoxy_t)
@@ -629,39 +222,9 @@
corenet_tcp_connect_ftp_port(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.32/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/rpc.te 2006-04-14 12:06:19.000000000 -0400
-@@ -110,13 +110,13 @@
- portmap_udp_chat(nfsd_t)
-
- tunable_policy(`nfs_export_all_rw',`
-- auth_read_all_dirs_except_shadow(nfsd_t)
- fs_read_noxattr_fs_files(nfsd_t)
-+ auth_manage_all_files_except_shadow(nfsd_t)
- ')
-
- tunable_policy(`nfs_export_all_ro',`
-- auth_read_all_dirs_except_shadow(nfsd_t)
- fs_read_noxattr_fs_files(nfsd_t)
-+ auth_read_all_files_except_shadow(nfsd_t)
- ')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.2.32/policy/modules/services/samba.if
---- nsaserefpolicy/policy/modules/services/samba.if 2006-02-21 14:35:36.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/samba.if 2006-04-14 12:06:19.000000000 -0400
-@@ -33,6 +33,7 @@
- ')
-
- tunable_policy(`samba_enable_home_dirs',`
-+ userdom_manage_user_home_content_dirs($1,smbd_t)
- userdom_manage_user_home_content_files($1,smbd_t)
- userdom_manage_user_home_content_symlinks($1,smbd_t)
- userdom_manage_user_home_content_sockets($1,smbd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.32/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te 2006-04-12 13:44:37.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/samba.te 2006-04-14 13:42:57.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.33/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2006-04-18 22:50:00.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/samba.te 2006-04-18 23:10:07.000000000 -0400
@@ -106,8 +106,8 @@
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
@@ -683,7 +246,7 @@
optional_policy(`
nscd_socket_use(samba_net_t)
')
-@@ -268,6 +270,7 @@
+@@ -269,6 +271,7 @@
init_use_fds(smbd_t)
init_use_script_ptys(smbd_t)
@@ -691,23 +254,9 @@
libs_use_ld_so(smbd_t)
libs_use_shared_libs(smbd_t)
-@@ -333,6 +336,13 @@
- ')
- allow smbd_t mtrr_device_t:file getattr;
-
-+# Support Samba sharing of NFS mount points
-+bool samba_share_nfs false;
-+if (samba_share_nfs) {
-+fs_manage_nfs_dirs(smbd_t)
-+fs_manage_nfs_files(smbd_t)
-+}
-+
- ########################################
- #
- # nmbd Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.32/policy/modules/services/spamassassin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.33/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2005-12-01 17:57:16.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/services/spamassassin.fc 2006-04-14 12:06:19.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/spamassassin.fc 2006-04-18 23:10:07.000000000 -0400
@@ -1,5 +1,5 @@
-/usr/bin/sa-learn -- gen_context(system_u:object_r:spamd_exec_t,s0)
@@ -715,19 +264,9 @@
/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-2.2.32/policy/modules/services/tftp.fc
---- nsaserefpolicy/policy/modules/services/tftp.fc 2005-10-06 17:29:17.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/tftp.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -2,4 +2,5 @@
- /usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
- /usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
-
--/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
-+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
-+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.32/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.33/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-04-06 15:31:54.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/services/xserver.if 2006-04-14 12:06:19.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/services/xserver.if 2006-04-18 23:10:07.000000000 -0400
@@ -1070,3 +1070,24 @@
dontaudit $1 xdm_xserver_t:tcp_socket { read write };
@@ -753,22 +292,9 @@
+ allow $1 xdm_xserver_tmp_t:sock_file { read write };
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-2.2.32/policy/modules/system/authlogin.fc
---- nsaserefpolicy/policy/modules/system/authlogin.fc 2006-01-19 17:48:34.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/system/authlogin.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -7,7 +7,8 @@
- /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-
--/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
-
- /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
- /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.32/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.33/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/authlogin.te 2006-04-14 12:06:19.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/authlogin.te 2006-04-18 23:10:07.000000000 -0400
@@ -173,9 +173,13 @@
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
@@ -783,22 +309,9 @@
storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.fc serefpolicy-2.2.32/policy/modules/system/daemontools.fc
---- nsaserefpolicy/policy/modules/system/daemontools.fc 2006-04-05 11:35:09.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/daemontools.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -2,7 +2,8 @@
- # /service
- #
-
--/service(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
-+/service -d gen_context(system_u:object_r:svc_svc_t,s0)
-+/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
-
- #
- # /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.32/policy/modules/system/fstools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.33/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/fstools.te 2006-04-14 12:06:19.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/fstools.te 2006-04-18 23:10:07.000000000 -0400
@@ -77,6 +77,7 @@
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
@@ -807,9 +320,9 @@
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.32/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2006-04-06 15:32:43.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/init.te 2006-04-14 12:06:19.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.33/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2006-04-18 22:50:00.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/init.te 2006-04-18 23:10:07.000000000 -0400
@@ -352,6 +352,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -818,99 +331,18 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.32/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/libraries.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -24,17 +24,22 @@
- #
- # /lib(64)?
- #
--/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
- /lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
- #
- # /opt
- #
--/opt(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
--/opt/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/opt/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/opt/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/opt/(.*/)?lib/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
-+/opt/(.*/)?lib/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
-+/opt/(.*/)?lib64/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
-+/opt/(.*/)?lib64/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
-+/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- #
- # /sbin
-@@ -44,18 +49,22 @@
- #
- # /usr
- #
--/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr(/.*)?/java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
--/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/(.*/)?java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/(.*/)?java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
-+
-+/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/usr/(.*/)?lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
-+/usr/(.*/)?lib/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/(.*/)?lib/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/(.*/)?lib64/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/(.*/)?lib64/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
-
--/usr(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-+/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
--/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
--
--/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/lib(64)?/pgsql/test/regress/.*\.so -- gen_context(system_u:object_r:shlib_t,s0)
-
-@@ -64,7 +73,7 @@
- /usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-
--/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
- /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -74,9 +83,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.33/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-04-18 22:50:00.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/libraries.fc 2006-04-18 23:10:07.000000000 -0400
+@@ -83,7 +83,6 @@
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/lib(64)?/vmware(.*/)?/VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/(local/)?lib/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?lib(64)?/wine/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/local/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-
-@@ -127,7 +135,7 @@
- /usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr(/.*)?/pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -180,15 +188,17 @@
+@@ -189,6 +188,8 @@
# vmware
/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -918,60 +350,16 @@
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
--/usr/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
--/usr(/.*)?/intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
--/usr(/.*)?/intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
--/usr(/.*)?/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
--/usr(/.*)?/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-+/usr/(.*/)?intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-+/usr/(.*/)?intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-+/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- ') dnl end distro_redhat
-
- ifdef(`distro_suse',`
-@@ -214,3 +224,5 @@
+ /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -223,3 +224,5 @@
/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/NX/lib/libXcomp.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.2.32/policy/modules/system/miscfiles.fc
---- nsaserefpolicy/policy/modules/system/miscfiles.fc 2005-10-27 14:57:47.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/miscfiles.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -7,7 +7,7 @@
- #
- # /opt
- #
--/opt(/.*)?/man(/.*)? gen_context(system_u:object_r:man_t,s0)
-+/opt/(.*/)?man(/.*)? gen_context(system_u:object_r:man_t,s0)
-
- #
- # /srv
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-2.2.32/policy/modules/system/modutils.fc
---- nsaserefpolicy/policy/modules/system/modutils.fc 2005-10-06 17:29:17.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/modutils.fc 2006-04-14 12:06:19.000000000 -0400
-@@ -2,9 +2,11 @@
- /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
- /etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
-
--/lib(64)?/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-+/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-+/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-
--/lib(64)?/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-+/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-+/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-
- /sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
- /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.2.32/policy/modules/system/mount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.2.33/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/system/mount.if 2006-04-17 07:02:48.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/mount.if 2006-04-18 23:10:07.000000000 -0400
@@ -113,3 +113,25 @@
allow $1 mount_t:udp_socket rw_socket_perms;
')
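Review bot: The two `/usr/NX/lib` entries added by the inner `@@ -223,3 +224,5 @@` hunk (L1006–L1007) label NX libraries textrel_shlib_t — the type reserved for libraries that need text relocations, a deliberate relaxation over plain shlib_t — but they are appended after the `/var/spool/postfix` entries with no section comment and use an unescaped `.so`, whereas the adjacent postfix entries write `\.so`. I would put them under their own header and escape the dot, e.g. `# NX` followed by `/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and `/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. A one-line reason for the textrel label would also help, since nothing in the hunk says why these two need it. The rest of libraries.fc is spread over other hunks of this diff, so the full section is not visible here.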
@@ -998,9 +386,9 @@
+ allow unconfined_mount_t $1:fifo_file rw_file_perms;
+ allow unconfined_mount_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.32/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.33/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/mount.te 2006-04-17 07:12:08.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/mount.te 2006-04-18 23:10:07.000000000 -0400
@@ -151,3 +151,12 @@
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -1014,9 +402,9 @@
+ files_manage_etc_runtime_files(unconfined_mount_t)
+ unconfined_domain(unconfined_mount_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.32/policy/modules/system/selinuxutil.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.33/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-03-29 14:18:17.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/system/selinuxutil.if 2006-04-14 12:06:19.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/selinuxutil.if 2006-04-18 23:10:07.000000000 -0400
@@ -697,8 +697,8 @@
files_search_etc($1)
@@ -1028,9 +416,54 @@
allow $1 file_context_t:lnk_file { getattr read };
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.32/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/unconfined.te 2006-04-15 08:15:21.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.33/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-03-24 11:15:53.000000000 -0500
++++ serefpolicy-2.2.33/policy/modules/system/sysnetwork.te 2006-04-18 23:44:30.000000000 -0400
+@@ -248,6 +248,7 @@
+
+ optional_policy(`
+ xen_append_log(dhcpc_t)
++ xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
+ ')
+
+ ########################################
+@@ -346,4 +347,5 @@
+
+ optional_policy(`
+ xen_append_log(ifconfig_t)
++ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.33/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-04-12 13:44:38.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/unconfined.if 2006-04-19 07:53:34.000000000 -0400
+@@ -224,6 +224,24 @@
+
+ ########################################
+ ## <summary>
++## Send a SIGNULL signal to the unconfined domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_signull',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:process signull;
++')
++
++########################################
++## <summary>
+ ## Send generic signals to the unconfined domain.
+ ## </summary>
+ ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.33/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-04-18 22:50:00.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/unconfined.te 2006-04-18 23:10:07.000000000 -0400
@@ -37,10 +37,13 @@
logging_domtrans_auditctl(unconfined_t)
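Review bot: The `xen_dontaudit_rw_unix_stream_sockets` calls added for dhcpc_t (L1081) and ifconfig_t (L1089) silence read/write denials on xend_t unix stream sockets without saying at the call site what is being hidden; the interface's own summary later in this diff describes it as a leaked file descriptor, so the call site should say the same, e.g. `# xend_t leaks a unix stream socket fd to this domain; silence it, do not allow it`. A dontaudit removes the AVC message rather than the leak, so a pointer to the leaking side is what lets someone later remove the rule once the descriptor is closed before exec. The new `unconfined_signull` interface in the same hunk (L1106–L1112) mirrors the neighbouring signal interface and needs nothing further.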
@@ -1045,41 +478,21 @@
optional_policy(`
ada_domtrans(unconfined_t)
')
-@@ -64,6 +67,8 @@
- optional_policy(`
- dbus_stub(unconfined_t)
-
-+ init_dbus_chat_script(unconfined_t)
-+
- optional_policy(`
- avahi_dbus_chat(unconfined_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.32/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2006-04-14 07:58:13.000000000 -0400
-+++ serefpolicy-2.2.32/policy/modules/system/userdomain.if 2006-04-14 12:06:19.000000000 -0400
-@@ -379,10 +379,6 @@
- ')
-
- optional_policy(`
-- jabber_tcp_connect($1_t)
-- ')
--
-- optional_policy(`
- nis_use_ypbind($1_t)
- ')
-
-@@ -408,10 +404,6 @@
+@@ -140,10 +143,6 @@
')
optional_policy(`
-- perdition_tcp_connect($1_t)
+- seutil_domtrans_semanage(unconfined_t)
- ')
-
- optional_policy(`
- portmap_tcp_connect($1_t)
+ sysnet_domtrans_dhcpc(unconfined_t)
')
-@@ -4140,11 +4132,31 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.33/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-04-18 22:50:01.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/userdomain.if 2006-04-18 23:10:07.000000000 -0400
+@@ -4171,6 +4171,7 @@
type user_home_dir_t;
')
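Review bot: The new inner hunk `@@ -140,10 +143,6 @@` (L1152–L1162) drops the optional block containing `seutil_domtrans_semanage(unconfined_t)`, so semanage started from unconfined_t no longer transitions into semanage_t, yet neither the patch nor this commit's spec changelog says why. That changes which domain semanage runs in for an unconfined user, so I would leave a one-line explanation next to the surviving `sysnet_domtrans_dhcpc(unconfined_t)` block, e.g. `# no semanage_t transition from unconfined_t: <reason>`, or record it in the changelog. The inner header's shrink from ten lines to six is consistent with removing the whole four-line optional_policy block, so the edit itself looks complete.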
@@ -1087,62 +500,48 @@
files_home_filetrans($1,user_home_dir_t,dir)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.33/policy/modules/system/xen.if
+--- nsaserefpolicy/policy/modules/system/xen.if 2006-03-23 16:08:51.000000000 -0500
++++ serefpolicy-2.2.33/policy/modules/system/xen.if 2006-04-18 23:44:30.000000000 -0400
+@@ -47,6 +47,24 @@
+
########################################
## <summary>
-+## Create staff home directories
-+## with automatic file type transition.
++## Don't audit leaked file descriptor.
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain to don't audit.
++## </summary>
+## </param>
+#
-+interface(`userdom_manage_staff_home_dir',`
-+ gen_require(`
-+ type staff_home_dir_t;
-+ ')
++interface(`xen_dontaudit_rw_unix_stream_sockets',`
++ gen_require(`
++ type xend_t;
++ ')
+
-+ allow $1 staff_home_dir_t:dir create_dir_perms;
++ dontaudit $1 xend_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
- ## Search generic user home directories.
+ ## Connect to xenstored over an unix stream socket.
## </summary>
## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.32/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te 2006-03-23 14:33:30.000000000 -0500
-+++ serefpolicy-2.2.32/policy/modules/system/xen.te 2006-04-14 12:06:19.000000000 -0400
-@@ -19,6 +19,8 @@
- # var/lib files
- type xend_var_lib_t;
- files_type(xend_var_lib_t)
-+# for mounting an NFS store
-+files_mountpoint(xend_var_lib_t)
-
- # log files
- type xend_var_log_t;
-@@ -67,6 +69,8 @@
- allow xend_t self:tcp_socket create_stream_socket_perms;
- allow xend_t self:packet_socket create_socket_perms;
-
-+files_read_kernel_symbol_table(xend_t)
-+
- # pid file
- allow xend_t xend_var_run_t:file manage_file_perms;
- allow xend_t xend_var_run_t:sock_file manage_file_perms;
-@@ -210,6 +214,7 @@
- dev_filetrans_xen(xenstored_t)
-
- term_dontaudit_use_generic_ptys(xenstored_t)
-+dev_rw_xen(xenstored_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.33/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te 2006-04-18 22:50:01.000000000 -0400
++++ serefpolicy-2.2.33/policy/modules/system/xen.te 2006-04-18 23:45:51.000000000 -0400
+@@ -125,6 +125,7 @@
+
+ files_read_etc_files(xend_t)
+ files_read_kernel_symbol_table(xend_t)
++files_read_kernel_img(xend_t)
- init_use_fds(xenstored_t)
+ storage_raw_read_fixed_disk(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.32/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.33/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-03-23 14:33:29.000000000 -0500
-+++ serefpolicy-2.2.32/Rules.modular 2006-04-14 14:21:43.000000000 -0400
++++ serefpolicy-2.2.33/Rules.modular 2006-04-18 23:10:07.000000000 -0400
@@ -208,7 +208,7 @@
#
$(APPDIR)/customizable_types: $(BASE_CONF)
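Review bot: The new `xen_dontaudit_rw_unix_stream_sockets` interface's parameter summary reads `Domain to don't audit.` (L1189), which is ungrammatical and off the wording the surrounding interfaces use; I would write `## Domain to not audit.` and make the interface summary name the object, `## Do not audit attempts to read and write xend unix stream sockets (leaked file descriptor).` In xen.te, `files_read_kernel_img(xend_t)` (L1245) joins `files_read_kernel_symbol_table(xend_t)` with no comment on what xend does with kernel images, so a short why-comment above the pair would spare the next reader a guess. The userdomain.if and Rules.modular portions of this hunk carry only header and offset changes.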
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.175
retrieving revision 1.176
diff -u -r1.175 -r1.176
--- selinux-policy.spec 17 Apr 2006 11:27:44 -0000 1.175
+++ selinux-policy.spec 19 Apr 2006 11:55:43 -0000 1.176
@@ -15,8 +15,8 @@
%define CHECKPOLICYVER 1.30.1-2
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.32
-Release: 2
+Version: 2.2.33
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -321,6 +321,11 @@
%endif
%changelog
+* Tue Apr 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.33-1
+- Update to latest from upstream
+- Add James Antill patch for xen
+- Many fixes for pegasus
+
* Sat Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 2.2.32-2
- Add unconfined_mount_t
- Allow privoxy to connect to httpd_cache