rpms/selinux-policy/devel .cvsignore, 1.88, 1.89 modules-targeted.conf, 1.36, 1.37 policy-20060915.patch, 1.12, 1.13 selinux-policy.spec, 1.292, 1.293 sources, 1.92, 1.93
fedora-cvs-commits at redhat.com
Tue Sep 26 15:00:00 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22995
Modified Files:
.cvsignore modules-targeted.conf policy-20060915.patch
selinux-policy.spec sources
Log Message:
* Mon Sep 25 2006 Dan Walsh <dwalsh at redhat.com> 2.3.16-1
- Update with upstream
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- .cvsignore 22 Sep 2006 20:41:12 -0000 1.88
+++ .cvsignore 26 Sep 2006 14:59:58 -0000 1.89
@@ -90,3 +90,4 @@
serefpolicy-2.3.13.tgz
serefpolicy-2.3.14.tgz
serefpolicy-2.3.15.tgz
+serefpolicy-2.3.16.tgz
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- modules-targeted.conf 21 Sep 2006 23:05:49 -0000 1.36
+++ modules-targeted.conf 26 Sep 2006 14:59:58 -0000 1.37
@@ -924,13 +924,6 @@
libraries = base
# Layer: system
-# Module: raid
-#
-# RAID array management tools
-#
-raid = off
-
-# Layer: system
# Module: userdomain
#
# Policy for user domains
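Review bot: the raid entry is deleted outright in this hunk rather than switched from off to module or base, so unless raid is listed as part of base elsewhere the targeted build silently stops carrying any raid policy; the diffstat further down still shows policy/modules/system/raid.te being touched, so the log message should state whether raid is now built into base or intentionally dropped from the targeted policy.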
@@ -1158,3 +1151,10 @@
#
smartmon = module
+# Layer: system
+# Module: iscsi
+#
+# Open-iSCSI daemon
+#
+iscsi = module
+
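Review bot: the new iscsi block ends with an added empty line after "iscsi = module", leaving the file with a trailing blank line that none of the other entries have; drop it. This hunk also enables a brand-new system-layer module (iscsi.fc, iscsi.if and iscsi.te all appear in the diffstat below), which deserves its own line in the log message instead of being covered by "Update with upstream".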
policy-20060915.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 3
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-strict-mls/seusers | 3
config/appconfig-strict/seusers | 1
config/appconfig-targeted-mcs/seusers | 3
config/appconfig-targeted-mls/initrc_context | 2
config/appconfig-targeted-mls/seusers | 3
config/appconfig-targeted/seusers | 1
policy/mcs | 6
policy/mls | 36 +-
policy/modules/admin/bootloader.fc | 1
policy/modules/admin/bootloader.te | 7
policy/modules/admin/consoletype.te | 7
policy/modules/admin/prelink.if | 2
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 2
policy/modules/apps/java.fc | 2
policy/modules/apps/slocate.te | 1
policy/modules/kernel/corenetwork.te.in | 13
policy/modules/kernel/devices.fc | 8
policy/modules/kernel/devices.if | 20 +
policy/modules/kernel/domain.if | 4
policy/modules/kernel/files.fc | 27 -
policy/modules/kernel/files.if | 20 +
policy/modules/kernel/filesystem.if | 22 +
policy/modules/kernel/kernel.te | 25 -
policy/modules/kernel/mcs.te | 18 -
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 48 +--
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.fc | 2
policy/modules/services/apache.fc | 9
policy/modules/services/automount.te | 4
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/cron.te | 19 +
policy/modules/services/dbus.if | 1
policy/modules/services/lpd.fc | 9
policy/modules/services/nscd.if | 20 +
policy/modules/services/oddjob.fc | 8
policy/modules/services/oddjob.if | 99 ++++++
policy/modules/services/oddjob.te | 85 +++++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 386 +++++++++++++++++++++++++++
policy/modules/services/sendmail.te | 1
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 3
policy/modules/system/hostname.te | 5
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 5
policy/modules/system/iscsi.fc | 7
policy/modules/system/iscsi.if | 24 +
policy/modules/system/iscsi.te | 74 +++++
policy/modules/system/logging.fc | 8
policy/modules/system/logging.te | 1
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/setrans.fc | 2
policy/modules/system/unconfined.if | 1
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 1
policy/modules/system/userdomain.te | 3
policy/users | 14
68 files changed, 1385 insertions(+), 122 deletions(-)
Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- policy-20060915.patch 25 Sep 2006 17:40:51 -0000 1.12
+++ policy-20060915.patch 26 Sep 2006 14:59:58 -0000 1.13
@@ -1,100 +1,64 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict/seusers serefpolicy-2.3.15/config/appconfig-strict/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict/seusers serefpolicy-2.3.16/config/appconfig-strict/seusers
--- nsaserefpolicy/config/appconfig-strict/seusers 2006-07-14 17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict/seusers 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict/seusers 2006-09-26 09:53:18.000000000 -0400
@@ -1,2 +1,3 @@
+system_u:system_u
root:root
__default__:user_u
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/seusers serefpolicy-2.3.15/config/appconfig-strict-mcs/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/seusers serefpolicy-2.3.16/config/appconfig-strict-mcs/seusers
--- nsaserefpolicy/config/appconfig-strict-mcs/seusers 2006-07-14 17:04:48.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict-mcs/seusers 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict-mcs/seusers 2006-09-26 09:53:18.000000000 -0400
@@ -1,2 +1,3 @@
-root:root:s0-s0:c0.c255
+system_u:system_u:s0-s0:c0.c1023
+root:root:s0-s0:c0.c1023
__default__:user_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/initrc_context serefpolicy-2.3.15/config/appconfig-strict-mls/initrc_context
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/initrc_context serefpolicy-2.3.16/config/appconfig-strict-mls/initrc_context
--- nsaserefpolicy/config/appconfig-strict-mls/initrc_context 2006-07-14 17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict-mls/initrc_context 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict-mls/initrc_context 2006-09-26 09:53:18.000000000 -0400
@@ -1 +1 @@
-system_u:system_r:initrc_t:s0-s15:c0.c255
+system_u:system_r:initrc_t:s0-s15:c0.c1023
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/seusers serefpolicy-2.3.15/config/appconfig-strict-mls/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/seusers serefpolicy-2.3.16/config/appconfig-strict-mls/seusers
--- nsaserefpolicy/config/appconfig-strict-mls/seusers 2006-07-14 17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict-mls/seusers 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict-mls/seusers 2006-09-26 09:53:18.000000000 -0400
@@ -1,2 +1,3 @@
-root:root:s0-s15:c0.c255
+system_u:system_u:s0-s15:c0.c1023
+root:root:s0-s15:c0.c1023
__default__:user_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted/seusers serefpolicy-2.3.15/config/appconfig-targeted/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted/seusers serefpolicy-2.3.16/config/appconfig-targeted/seusers
--- nsaserefpolicy/config/appconfig-targeted/seusers 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted/seusers 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted/seusers 2006-09-26 09:53:18.000000000 -0400
@@ -1,2 +1,3 @@
+system_u:system_u
root:root
__default__:user_u
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/seusers serefpolicy-2.3.15/config/appconfig-targeted-mcs/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/seusers serefpolicy-2.3.16/config/appconfig-targeted-mcs/seusers
--- nsaserefpolicy/config/appconfig-targeted-mcs/seusers 2006-07-14 17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted-mcs/seusers 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted-mcs/seusers 2006-09-26 09:53:18.000000000 -0400
@@ -1,2 +1,3 @@
-root:root:s0-s0:c0.c255
+system_u:system_u:s0-s0:c0.c1023
+root:root:s0-s0:c0.c1023
__default__:user_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/initrc_context serefpolicy-2.3.15/config/appconfig-targeted-mls/initrc_context
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/initrc_context serefpolicy-2.3.16/config/appconfig-targeted-mls/initrc_context
--- nsaserefpolicy/config/appconfig-targeted-mls/initrc_context 2006-07-14 17:04:48.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted-mls/initrc_context 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted-mls/initrc_context 2006-09-26 09:53:18.000000000 -0400
@@ -1 +1 @@
-user_u:system_r:initrc_t:s0-s15:c0.c255
+user_u:system_r:initrc_t:s0-s15:c0.c1023
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/seusers serefpolicy-2.3.15/config/appconfig-targeted-mls/seusers
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/seusers serefpolicy-2.3.16/config/appconfig-targeted-mls/seusers
--- nsaserefpolicy/config/appconfig-targeted-mls/seusers 2006-07-14 17:04:48.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted-mls/seusers 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted-mls/seusers 2006-09-26 09:53:18.000000000 -0400
@@ -1,2 +1,3 @@
-root:root:s0-s15:c0.c255
+system_u:system_u:s0-s15:c0.c1023
+root:root:s0-s15:c0.c1023
__default__:user_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/local.te serefpolicy-2.3.15/local.te
---- nsaserefpolicy/local.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/local.te 2006-09-25 13:31:59.000000000 -0400
-@@ -0,0 +1,16 @@
-+module local 1.0;
-+
-+require {
-+ class association polmatch;
-+ class unix_stream_socket { read write };
-+ type ifconfig_t;
-+ type initrc_t;
-+ type unlabeled_t;
-+ role object_r;
-+ role system_r;
-+};
-+
-+allow ifconfig_t initrc_t:unix_stream_socket { read write };
-+allow initrc_t self:association polmatch;
-+allow unlabeled_t initrc_t:association polmatch;
-+allow unlabeled_t self:association polmatch;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.3.15/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables 2006-09-15 13:14:28.000000000 -0400
-+++ serefpolicy-2.3.15/policy/global_tunables 2006-09-25 13:31:59.000000000 -0400
-@@ -587,3 +587,12 @@
- ## </desc>
- gen_tunable(spamd_enable_home_dirs,true)
- ')
-+
-+## <desc>
-+## <p>
-+## Allow all daemons the ability to use unallocated ttys
-+## </p>
-+## </desc>
-+#
-+gen_tunable(allow_daemons_use_tty,false)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.3.15/policy/mcs
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.3.16/policy/mcs
--- nsaserefpolicy/policy/mcs 2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.3.15/policy/mcs 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/mcs 2006-09-26 09:53:18.000000000 -0400
@@ -20,14 +20,14 @@
# Each category has a name and zero or more aliases.
#
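Review bot: the local.te module (the association polmatch rules for initrc_t and unlabeled_t, plus ifconfig_t read/write on initrc_t unix_stream_socket) and the allow_daemons_use_tty tunable are removed from the patch with no replacement visible in this hunk; that is only safe if serefpolicy-2.3.16 carries both, and the log message names neither. Please confirm in the message that they were merged upstream, otherwise this is a silent regression that will surface as AVC denials on labeled networking and on daemons using unallocated ttys. The seusers and initrc_context edits that survive are consistent across the strict/targeted and mcs/mls variants: each gains a system_u:system_u mapping and widens the category range from c0.c255 to c0.c1023.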
@@ -113,9 +77,9 @@
#
# Define the MCS policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.3.15/policy/mls
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.3.16/policy/mls
--- nsaserefpolicy/policy/mls 2006-09-22 09:35:45.000000000 -0400
-+++ serefpolicy-2.3.15/policy/mls 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/mls 2006-09-26 09:53:18.000000000 -0400
@@ -33,30 +33,30 @@
# Each category has a name and zero or more aliases.
#
@@ -165,24 +129,17 @@
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.15/policy/modules/admin/bootloader.fc
---- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/bootloader.fc 2006-09-25 13:31:59.000000000 -0400
-@@ -6,7 +6,10 @@
-
- /usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-
--/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+#/sbin/grub-.* -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
-+#/sbin/grubby -- gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.16/policy/modules/admin/bootloader.fc
+--- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/bootloader.fc 2006-09-26 09:53:18.000000000 -0400
+@@ -12,3 +12,4 @@
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/boot/grub/.* -- gen_context(system_u:object_r:boot_runtime_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.15/policy/modules/admin/bootloader.te
---- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/bootloader.te 2006-09-25 13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.16/policy/modules/admin/bootloader.te
+--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/bootloader.te 2006-09-26 09:53:18.000000000 -0400
@@ -21,6 +21,13 @@
type bootloader_exec_t;
domain_entry_file(bootloader_t,bootloader_exec_t)
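Review bot: the new entry "/boot/grub/.* -- gen_context(system_u:object_r:boot_runtime_t,s0)" matches every regular file under /boot/grub, including grub.conf, which the bootloader.te comment a few lines below describes as a bootloader_etc_t configuration file; unless a more specific bootloader_etc_t entry for /boot/grub/grub\.conf exists elsewhere, grub.conf will be relabeled to boot_runtime_t and the bootloader domain's configuration-file rules stop applying to it. The earlier /sbin/grub rewrite and the commented-out bootloader_helper_exec_t lines also disappear from the patch here; fine if upstream took them, but say so in the log.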
@@ -197,9 +154,9 @@
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.15/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.16/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/consoletype.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/consoletype.te 2006-09-26 09:53:18.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -214,24 +171,9 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.15/policy/modules/admin/firstboot.te
---- nsaserefpolicy/policy/modules/admin/firstboot.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/firstboot.te 2006-09-25 13:31:59.000000000 -0400
-@@ -3,7 +3,11 @@
-
- gen_require(`
- class passwd rootok;
-+ type etc_runtime_t;
- ')
-+#Temporarily in policy until FC5 dissappears
-+typealias etc_runtime_t alias firstboot_rw_t;
-+
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-2.3.15/policy/modules/admin/prelink.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-2.3.16/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/prelink.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/prelink.if 2006-09-26 09:53:18.000000000 -0400
@@ -76,7 +76,7 @@
gen_require(`
type prelink_cache_t;
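Review bot: removing the "typealias etc_runtime_t alias firstboot_rw_t" compatibility alias from firstboot.te (the removed comment called it temporary until FC5 disappears) will break at link time any module or local policy that still requires type firstboot_rw_t; please confirm that nothing in the tree or in upstream 2.3.16 still references it before dropping it in a release described only as "Update with upstream".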
@@ -241,30 +183,20 @@
allow $1 prelink_cache_t:file unlink;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.3.15/policy/modules/admin/readahead.te
---- nsaserefpolicy/policy/modules/admin/readahead.te 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/readahead.te 2006-09-25 13:31:59.000000000 -0400
-@@ -36,6 +36,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.3.16/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/readahead.te 2006-09-26 09:54:33.000000000 -0400
+@@ -36,6 +36,7 @@
dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
-+dev_dontaudit_getattr_nvram(readahead_t)
+storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
domain_use_interactive_fds(readahead_t)
-@@ -52,6 +54,8 @@
- fs_dontaudit_read_ramfs_files(readahead_t)
- fs_read_tmpfs_symlinks(readahead_t)
-
-+mls_file_read_up(readahead_t)
-+
- term_dontaudit_use_console(readahead_t)
-
- auth_dontaudit_read_shadow(readahead_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.15/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.16/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/rpm.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/rpm.fc 2006-09-26 09:53:18.000000000 -0400
@@ -21,6 +21,8 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
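Review bot: readahead.te loses mls_file_read_up(readahead_t) along with the nvram dontaudit, and the inner hunk header correctly shrinks from +1,8 to +1,7, but nothing in this commit shows mls_file_read_up moving upstream; on an MLS build readahead runs at boot and will be denied reading files above its level unless that call still exists in 2.3.16. Separately, the readahead.te "+++" timestamp (09:54:33) differs from the rest of the regenerated patch (09:53:18), which suggests a hand edit after regeneration; regenerate the diff so the patch is reproducible.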
@@ -274,9 +206,9 @@
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.15/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.16/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/apps/java.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/apps/java.fc 2006-09-26 09:53:18.000000000 -0400
@@ -1,7 +1,7 @@
#
# /opt
@@ -286,9 +218,9 @@
#
# /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.3.15/policy/modules/apps/slocate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.3.16/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-07-14 17:04:31.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/apps/slocate.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/apps/slocate.te 2006-09-26 09:53:18.000000000 -0400
@@ -45,6 +45,7 @@
files_dontaudit_getattr_all_dirs(locate_t)
@@ -297,9 +229,9 @@
libs_use_shared_libs(locate_t)
libs_use_ld_so(locate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.15/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/corenetwork.te.in 2006-09-25 13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-25 15:11:10.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in 2006-09-26 09:53:18.000000000 -0400
@@ -67,6 +67,7 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
@@ -308,15 +240,6 @@
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -82,7 +83,7 @@
- network_port(giftd, tcp,1213,s0)
- network_port(gopher, tcp,70,s0, udp,70,s0)
- network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
--network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
-+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, ) #8443 is mod_nss default port
- network_port(howl, tcp,5335,s0, udp,5353,s0)
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
- network_port(i18n_input, tcp,9010,s0)
@@ -121,6 +122,8 @@
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
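Review bot: the dropped hunk removed tcp,8443,s0 (the mod_nss default port) from the http network_port line, and its trailing ", )" in that macro call was malformed anyway, so dropping it is correct only if upstream corenetwork.te.in in 2.3.16 already lists 8443 under http; otherwise httpd with mod_nss will be denied binding 8443. Please note in the log which port additions were upstreamed.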
@@ -358,9 +281,9 @@
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.15/policy/modules/kernel/devices.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.16/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-09-22 14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/devices.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/devices.fc 2006-09-26 09:53:18.000000000 -0400
@@ -25,10 +25,10 @@
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
@@ -388,36 +311,10 @@
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.3.15/policy/modules/kernel/devices.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.3.16/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/devices.if 2006-09-25 13:31:59.000000000 -0400
-@@ -1998,6 +1998,25 @@
-
- ########################################
- ## <summary>
-+## dontaudit getattr BIOS non-volatile RAM.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_getattr_nvram',`
-+ gen_require(`
-+ type nvram_device_t;
-+ ')
-+
-+ allow $1 device_t:dir search_dir_perms;
-+ dontaudit $1 nvram_device_t:chr_file getattr;
-+')
-+
-+########################################
-+## <summary>
- ## Get the attributes of the printer device nodes.
- ## </summary>
- ## <param name="domain">
-@@ -3211,3 +3230,23 @@
++++ serefpolicy-2.3.16/policy/modules/kernel/devices.if 2006-09-26 09:53:18.000000000 -0400
+@@ -3211,3 +3211,23 @@
typeattribute $1 devices_unconfined_type;
')
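Review bot: removing the dev_dontaudit_getattr_nvram interface is consistent with readahead.te no longer calling it, and the remaining inner hunk header correctly shifts from +3230,23 to +3211,23; please grep the rest of the patch and the Fedora-only modules for other callers, since an interface that is referenced but no longer defined fails at policy build time. As a side effect the removal also drops the "allow $1 device_t:dir search_dir_perms" that sat inside a dontaudit interface, which is a small tightening.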
@@ -441,9 +338,23 @@
+ dontaudit $1 device_t:file getattr;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.15/policy/modules/kernel/files.fc
---- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/files.fc 2006-09-25 13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.3.16/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if 2006-09-15 13:14:21.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/domain.if 2006-09-26 09:53:18.000000000 -0400
+@@ -99,7 +99,9 @@
+
+ typeattribute $2 entry_type;
+
+- corecmd_executable_file($2)
++ ifdef(`targeted_policy',`
++ corecmd_executable_file($2)
++ ')
+ ')
+
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.16/policy/modules/kernel/files.fc
+--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-25 15:11:10.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/files.fc 2006-09-26 09:53:18.000000000 -0400
@@ -29,9 +29,10 @@
/boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0)
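Review bot: wrapping corecmd_executable_file($2) in an ifdef(`targeted_policy') block changes the semantics of this interface for the strict and MLS builds: entry point files declared through it will no longer receive the exec_type attribute there, so any strict or MLS domain that relied on the implicit attribute to execute those files now needs an explicit corecmd_executable_file call. This is a policy-wide behavioural change buried in a patch refresh and deserves its own line in the log message.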
@@ -456,15 +367,6 @@
#
# /emul
-@@ -58,7 +59,7 @@
- /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/reader.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/smartd\.conf -- gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/smartd\.conf.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-
- /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-
@@ -92,9 +93,9 @@
# HOME_ROOT
# expanded by genhomedircon
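Review bot: the "/etc/smartd\.conf.*" pattern is dropped from the files.fc patch, so smartd.conf.rpmnew and .rpmsave siblings fall back to the plain etc_t label; acceptable if the wider pattern went upstream (smartmon.te is in the diffstat), otherwise record it as an intentional revert.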
@@ -547,9 +449,9 @@
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.15/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.16/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-22 14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/files.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/files.if 2006-09-26 09:53:18.000000000 -0400
@@ -4541,3 +4541,23 @@
typealias etc_runtime_t alias $1;
@@ -574,21 +476,38 @@
+ allow $1 etc_t:dir rw_dir_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.15/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-22 14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/filesystem.if 2006-09-25 13:31:59.000000000 -0400
-@@ -455,7 +455,7 @@
- ')
-
- allow $1 binfmt_misc_fs_t:dir { getattr search };
-- allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
-+ allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.16/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-25 15:11:10.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/filesystem.if 2006-09-26 10:02:05.000000000 -0400
+@@ -3381,3 +3381,25 @@
+ allow $1 noxattrfs:blk_file { getattr relabelfrom };
+ allow $1 noxattrfs:chr_file { getattr relabelfrom };
')
-
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.3.15/policy/modules/kernel/kernel.te
++
++
++########################################
++## <summary>
++## Create, read, write, and delete symbolic links
++## on a autofs filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_manage_autofs_symlinks',`
++ gen_require(`
++ type autofs_t;
++ ')
++
++ allow $1 autofs_t:dir rw_dir_perms;
++ allow $1 autofs_t:lnk_file create_lnk_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.3.16/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/kernel.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/kernel.te 2006-09-26 09:53:18.000000000 -0400
@@ -39,7 +39,7 @@
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
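Review bot: the new fs_manage_autofs_symlinks interface has a grammar slip in its summary ("on a autofs filesystem" should read "on an autofs filesystem") and is preceded by two added blank lines where one separator is the convention in this file. More importantly, the previously patched read permission on binfmt_misc_fs_t:file is gone from the patch; if upstream did not take it, domains that read under /proc/sys/fs/binfmt_misc will regress. The filesystem.if "+++" timestamp (10:02:05) also differs from the regenerated set, again pointing to a hand edit.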
@@ -658,9 +577,9 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.3.15/policy/modules/kernel/mcs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.3.16/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te 2006-09-22 14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/mcs.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/mcs.te 2006-09-26 09:53:18.000000000 -0400
@@ -37,15 +37,15 @@
# default and have the daemons which need to run with all categories be
# exceptions. But while range_transitions have to be in the base module
@@ -686,31 +605,9 @@
# these might be targeted_policy only
range_transition unconfined_t initrc_exec_t s0;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.3.15/policy/modules/kernel/mls.te
---- nsaserefpolicy/policy/modules/kernel/mls.te 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/mls.te 2006-09-25 13:31:59.000000000 -0400
-@@ -62,11 +62,13 @@
- type lvm_exec_t;
- type run_init_t;
- type setrans_exec_t;
-+type fsdaemon_exec_t;
-
- ifdef(`enable_mls',`
--range_transition initrc_t auditd_exec_t s15:c0.c255;
--range_transition kernel_t init_exec_t s0 - s15:c0.c255;
--range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
--range_transition initrc_t setrans_exec_t s15:c0.c255;
--range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
-+range_transition initrc_t auditd_exec_t s15:c0.c1023;
-+range_transition initrc_t fsdaemon_exec_t s15:c0.c1023;
-+range_transition kernel_t init_exec_t s0 - s15:c0.c1023;
-+range_transition kernel_t lvm_exec_t s0 - s15:c0.c1023;
-+range_transition initrc_t setrans_exec_t s15:c0.c1023;
-+range_transition run_init_t initrc_exec_t s0 - s15:c0.c1023;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.3.15/policy/modules/kernel/selinux.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.3.16/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/selinux.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/selinux.te 2006-09-26 09:53:18.000000000 -0400
@@ -19,7 +19,7 @@
type security_t;
fs_type(security_t)
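Review bot: dropping the mls.te range_transition changes (c0.c255 to c0.c1023, plus the new fsdaemon_exec_t transition at s15:c0.c1023) while the seusers and initrc_context files earlier in this diff keep c0.c1023 leaves a mismatch unless upstream 2.3.16 mls.te already uses c0.c1023; on an MLS system auditd, setrans, init and lvm would otherwise be started with a narrower category range than the login ranges grant, and smartd (fsdaemon_exec_t) would lose its range transition altogether.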
@@ -720,9 +617,9 @@
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.3.15/policy/modules/kernel/storage.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.3.16/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/storage.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/storage.fc 2006-09-26 09:53:18.000000000 -0400
@@ -5,36 +5,36 @@
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
@@ -810,9 +707,9 @@
+/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
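Review bot: the /dev/scramdisk entry labels a fixed disk at s15:c0.c1023 while every other device line in this context (/dev/n?osst, /dev/n?pt, /dev/usb/rio500) stays at s0. That matches the c0.c1023 category range used by the range_transition rules at the top of this diff, but it means any s0 domain that reads the device needs an MLS read-up grant, which is what the mls_file_read_up(fsdaemon_t) addition in smartmon.t later in this patch provides. A one-line comment above the entry saying why it is the only high-labelled device would save the next reader the same detective work.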
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.3.15/policy/modules/kernel/storage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.3.16/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2006-07-14 17:04:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/storage.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/storage.if 2006-09-26 09:53:18.000000000 -0400
@@ -37,6 +37,7 @@
')
@@ -821,9 +718,9 @@
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.3.15/policy/modules/kernel/terminal.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.3.16/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2006-09-01 14:10:17.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/terminal.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/terminal.fc 2006-09-26 09:53:18.000000000 -0400
@@ -18,7 +18,7 @@
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
@@ -833,9 +730,9 @@
/dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.3.15/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.3.16/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/apache.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/apache.fc 2006-09-26 09:53:18.000000000 -0400
@@ -80,3 +80,12 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -849,9 +746,9 @@
+/opt/fortitude/modules.local(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/opt/fortitude/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
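Review bot: the last `+` line of this hunk is an empty line appended to the end of apache.fc; trailing blank lines add nothing to a file-context file and show up in every later diff, so drop it. The two /opt/fortitude entries themselves reuse httpd_modules_t and httpd_log_t consistently with the /var/www entries above them.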
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.15/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.16/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-09-22 14:07:05.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/automount.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/automount.te 2006-09-26 10:01:31.000000000 -0400
@@ -36,6 +36,8 @@
allow automount_t self:unix_dgram_socket create_socket_perms;
allow automount_t self:tcp_socket create_stream_socket_perms;
@@ -869,32 +766,17 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.3.15/policy/modules/services/bind.te
---- nsaserefpolicy/policy/modules/services/bind.te 2006-08-29 09:00:27.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/bind.te 2006-09-25 13:31:59.000000000 -0400
-@@ -223,6 +223,7 @@
- allow ndc_t named_t:unix_stream_socket connectto;
-
- allow ndc_t named_conf_t:file { getattr read };
-+allow ndc_t named_conf_t:lnk_file { getattr read };
-
- allow ndc_t named_var_run_t:sock_file rw_file_perms;
-
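Review bot: the `allow ndc_t named_conf_t:lnk_file { getattr read };` rule leaves the patch here; it is what lets rndc follow a symlinked named.conf, so if upstream 2.3.16 does not contain it, rndc will be denied again on hosts where the configuration file is a symlink. Confirm it was merged upstream rather than dropped.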
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-2.3.15/policy/modules/services/bluetooth.fc
---- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-09-22 14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/bluetooth.fc 2006-09-25 13:31:59.000000000 -0400
-@@ -7,7 +7,7 @@
- #
- # /usr
- #
--/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
-+#/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
- /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.15/policy/modules/services/ccs.fc
+@@ -128,6 +131,7 @@
+ fs_manage_auto_mountpoints(automount_t)
+ fs_unmount_autofs(automount_t)
+ fs_mount_autofs(automount_t)
++fs_manage_autofs_symlinks(automount_t)
+
+ term_dontaudit_use_console(automount_t)
+ term_dontaudit_getattr_pty_dirs(automount_t)
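Review bot: fs_manage_autofs_symlinks(automount_t) grants full management (create, delete, rename, write) of symlinks on autofs mount points, and the hunk adds it without a comment; the neighbouring term_dontaudit_* calls are self-explanatory, this one is not, so a short note on which map behaviour triggered the denial would help. The inner header `+@@ -128,6 +131,7 @@` is consistent with the two lines added by the earlier `@@ -36,6 +36,8 @@` hunk in the same file.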
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.16/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ccs.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ccs.fc 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,8 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
@@ -904,9 +786,9 @@
+/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.15/policy/modules/services/ccs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.16/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ccs.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ccs.if 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,65 @@
+## <summary>policy for ccs</summary>
+
@@ -973,9 +855,9 @@
+ allow $1 cluster_conf_t:file { getattr read };
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.15/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.16/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ccs.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ccs.te 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(ccs,1.0.0)
+
@@ -1064,20 +946,9 @@
+
+allow ccs_t cluster_conf_t:dir r_dir_perms;
+allow ccs_t cluster_conf_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.3.15/policy/modules/services/cron.fc
---- nsaserefpolicy/policy/modules/services/cron.fc 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/cron.fc 2006-09-25 13:31:59.000000000 -0400
-@@ -11,6 +11,7 @@
- /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
-
- /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.15/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/cron.te 2006-09-25 13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.16/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/cron.te 2006-09-26 09:53:18.000000000 -0400
@@ -17,6 +17,14 @@
type cron_spool_t;
files_type(cron_spool_t)
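Review bot: the `/var/run/anacron\.pid -- crond_var_run_t` file-context addition is removed from the patch while the base timestamp for cron.te moves to 2006-09-25, which points to a rebase onto a newer upstream; confirm the anacron pid labelling is present in upstream 2.3.16, otherwise the pid file falls back to the generic /var/run label and crond_t loses write access to it.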
@@ -1111,9 +982,9 @@
tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.15/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.16/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/dbus.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/dbus.if 2006-09-26 09:53:18.000000000 -0400
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -1122,56 +993,36 @@
corecmd_list_bin($1_dbusd_t)
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.3.15/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/hal.te 2006-09-25 13:31:59.000000000 -0400
-@@ -142,10 +142,12 @@
- userdom_dontaudit_use_unpriv_user_fds(hald_t)
- userdom_dontaudit_search_sysadm_home_dirs(hald_t)
-
-+# hal_probe_serial causes these
-+term_setattr_unallocated_ttys(hald_t)
-+term_dontaudit_use_unallocated_ttys(hald_t)
-+
- ifdef(`targeted_policy',`
- term_dontaudit_use_console(hald_t)
-- term_setattr_unallocated_ttys(hald_t)
-- term_dontaudit_use_unallocated_ttys(hald_t)
- term_dontaudit_use_generic_ptys(hald_t)
- files_dontaudit_read_root_files(hald_t)
- ')
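Review bot: the removed hal.te hunk moved term_setattr_unallocated_ttys(hald_t) and term_dontaudit_use_unallocated_ttys(hald_t) out of the ifdef(`targeted_policy') block so that strict policy also gets them (the comment attributes the need to hal_probe_serial). With the hunk gone from the patch, the strict case depends on upstream 2.3.16 having made the same move; if it has not, hald on strict policy will be denied setattr on unallocated ttys during serial probing.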
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.3.15/policy/modules/services/lpd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.3.16/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2006-09-22 14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/lpd.fc 2006-09-25 13:39:36.000000000 -0400
-@@ -8,11 +8,14 @@
++++ serefpolicy-2.3.16/policy/modules/services/lpd.fc 2006-09-26 09:53:18.000000000 -0400
+@@ -8,14 +8,23 @@
#
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
+/usr/sbin/lpadmin -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/sbin/lpc(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/sbin/accept -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
/usr/bin/lp(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpr(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lpq(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
+/usr/bin/lpstat(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/cancel(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/lpoptions -- gen_context(system_u:object_r:lpr_exec_t,s0)
#
# /var
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.15/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-09-22 14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/networkmanager.te 2006-09-25 13:31:59.000000000 -0400
-@@ -163,6 +163,7 @@
- optional_policy(`
- ppp_domtrans(NetworkManager_t)
- ppp_read_pid_files(NetworkManager_t)
-+ ppp_signal(NetworkManager_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.3.15/policy/modules/services/nscd.if
+ #
+ /var/spool/lpd(/.*)? gen_context(system_u:object_r:print_spool_t,s0)
+ /var/run/lprng(/.*)? gen_context(system_u:object_r:lpd_var_run_t,s0)
++
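Review bot: accept, lpinfo, lpmove, cancel and lpoptions are added as lpr_exec_t next to the existing lpadmin and lpc entries, which puts queue-administration commands (accept, lpmove, lpadmin) in the same domain as the end-user client commands (lp, lpq, lprm). If the lpr domain is meant to be the least-privileged print client, the administrative tools deserve their own type so that a user shell's transition into the lpr domain does not also cover queue management. The `(\.cups)?` suffix is used consistently for the names CUPS installs with a .cups variant, but lpoptions and lpinfo get none; check whether the packaging installs suffixed copies of those too. The new inner header `+@@ -8,14 +8,23 @@` matches the nine added lines only because it counts the trailing empty `++` line, which is noise and can go.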
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.3.16/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-08-07 18:55:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/nscd.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/nscd.if 2006-09-26 09:53:18.000000000 -0400
@@ -181,3 +181,23 @@
allow $1 nscd_t:nscd *;
@@ -1196,22 +1047,10 @@
+ role $1 types nscd_t;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.3.15/policy/modules/services/nscd.te
---- nsaserefpolicy/policy/modules/services/nscd.te 2006-08-07 18:55:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/nscd.te 2006-09-25 13:31:59.000000000 -0400
-@@ -88,6 +88,8 @@
- domain_use_interactive_fds(nscd_t)
-
- files_read_etc_files(nscd_t)
-+# Needed to read files created by firstboot "/etc/hesiod.conf"
-+files_read_etc_runtime_files(nscd_t)
- files_read_generic_tmp_symlinks(nscd_t)
-
- init_use_fds(nscd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.15/policy/modules/services/oddjob.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.16/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/oddjob.fc 2006-09-25 13:31:59.000000000 -0400
-@@ -0,0 +1,10 @@
++++ serefpolicy-2.3.16/policy/modules/services/oddjob.fc 2006-09-26 09:53:18.000000000 -0400
+@@ -0,0 +1,8 @@
+# oddjob executable will have:
+# label: system_u:object_r:oddjob_exec_t
+# MLS sensitivity: s0
@@ -1219,12 +1058,10 @@
+
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/var/run/oddjobd.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
-+/usr/lib/oddjobd gen_context(system_u:object_r:oddjob_var_lib_t,s0)
-+
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
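Review bot: with the `/usr/lib/oddjobd` oddjob_var_lib_t entry and its blank line removed, the inner header `+@@ -0,0 +1,8 @@` (down from +1,10) is consistent. The remaining `/var/run/oddjobd.pid` entry uses an unescaped dot, which in a file-context regex matches any character; write it as `/var/run/oddjobd\.pid`, as the crond and pcscd entries elsewhere in this patch do.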
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.15/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.16/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/oddjob.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/oddjob.if 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,99 @@
+## <summary>policy for oddjob</summary>
+
@@ -1325,10 +1162,10 @@
+ allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
+ allow oddjob_mkhomedir_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.15/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.16/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/oddjob.te 2006-09-25 13:31:59.000000000 -0400
-@@ -0,0 +1,95 @@
++++ serefpolicy-2.3.16/policy/modules/services/oddjob.te 2006-09-26 09:53:18.000000000 -0400
+@@ -0,0 +1,85 @@
+policy_module(oddjob,1.0.0)
+
+########################################
@@ -1345,10 +1182,6 @@
+type oddjob_var_run_t;
+files_pid_file(oddjob_var_run_t)
+
-+# var/lib files
-+type oddjob_var_lib_t;
-+files_type(oddjob_var_lib_t)
-+
+type oddjob_mkhomedir_t;
+type oddjob_mkhomedir_exec_t;
+domain_type(oddjob_mkhomedir_t)
@@ -1375,12 +1208,6 @@
+allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
+
-+# var/lib files for oddjob
-+allow oddjob_t oddjob_var_lib_t:file create_file_perms;
-+allow oddjob_t oddjob_var_lib_t:sock_file create_file_perms;
-+allow oddjob_t oddjob_var_lib_t:dir create_dir_perms;
-+files_var_lib_filetrans(oddjob_t,oddjob_var_lib_t, { file dir sock_file })
-+
+init_dontaudit_use_fds(oddjob_t)
+allow oddjob_t self:capability { audit_write setgid } ;
+allow oddjob_t self:process setexec;
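Review bot: removing the oddjob_var_lib_t declaration and the four var/lib allow rules plus files_var_lib_filetrans accounts for the ten-line drop in the inner header (+1,95 to +1,85), and no remaining visible line references oddjob_var_lib_t, so the module stays consistent. The unchanged `allow oddjob_t self:capability { audit_write setgid } ;` still carries a stray space before the semicolon; worth fixing while the file is being touched.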
@@ -1424,9 +1251,9 @@
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.15/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.16/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/pegasus.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/pegasus.if 2006-09-26 09:53:18.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -1460,9 +1287,9 @@
+ allow pegasus_t $1:fifo_file rw_file_perms;
+ allow pegasus_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.15/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.16/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-08-23 12:14:54.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/pegasus.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/pegasus.te 2006-09-26 09:53:18.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -1479,20 +1306,9 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.3.15/policy/modules/services/postfix.fc
---- nsaserefpolicy/policy/modules/services/postfix.fc 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/postfix.fc 2006-09-25 13:31:59.000000000 -0400
-@@ -22,6 +22,7 @@
- /usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
- /usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
- /usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
- /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
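Review bot: labelling /usr/lib/postfix/lmtp as postfix_smtp_exec_t is the right choice (in Postfix the lmtp client is the smtp delivery agent running in LMTP mode, so it needs the same domain), but the line is being dropped from the patch; if upstream 2.3.16 does not include it, the lmtp binary stays under the generic library label and LMTP delivery runs in whatever domain master spawns it from instead of the smtp client domain. Confirm it was merged.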
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.15/policy/modules/services/ricci.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.16/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ricci.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ricci.fc 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
@@ -1514,9 +1330,9 @@
+/usr/sbin/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/sbin/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.15/policy/modules/services/ricci.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.16/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ricci.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ricci.if 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
@@ -1702,9 +1518,9 @@
+ allow $1 ricci_modcluster_var_run_t:sock_file write;
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.15/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.16/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ricci.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ricci.te 2006-09-26 09:53:18.000000000 -0400
@@ -0,0 +1,386 @@
+policy_module(ricci,1.0.0)
+
@@ -2092,9 +1908,9 @@
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.3.15/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.3.16/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2006-09-22 14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/sendmail.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/sendmail.te 2006-09-26 09:53:18.000000000 -0400
@@ -32,6 +32,7 @@
allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t self:tcp_socket create_stream_socket_perms;
@@ -2103,58 +1919,36 @@
allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.3.15/policy/modules/services/smartmon.te
---- nsaserefpolicy/policy/modules/services/smartmon.te 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/smartmon.te 2006-09-25 13:31:59.000000000 -0400
-@@ -7,8 +7,13 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2006-09-22 14:07:05.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te 2006-09-26 09:53:18.000000000 -0400
+@@ -28,7 +28,7 @@
#
- type fsdaemon_t;
--type fsdaemon_exec_t;
-+# real declaration moved to mls until
-+# range_transition works in loadable modules
-+gen_require(`
-+ type fsdaemon_exec_t;
-+')
- init_daemon_domain(fsdaemon_t,fsdaemon_exec_t)
-+mls_rangetrans_target(fsdaemon_t)
-
- type fsdaemon_var_run_t;
- files_pid_file(fsdaemon_var_run_t)
-@@ -62,6 +67,7 @@
+ allow setroubleshootd_t self:capability { dac_override sys_tty_config };
+-allow setroubleshootd_t self:process { signal getattr };
++allow setroubleshootd_t self:process { signal getattr getsched };
+ allow setroubleshootd_t self:fifo_file rw_file_perms;
+ allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+ allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
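Review bot: getsched is a harmless addition for setroubleshootd_t (it only reads the daemon's own scheduling attributes, next to the existing signal getattr), but the substantive change in this region is the removed smartmon hunk: the `gen_require(` type fsdaemon_exec_t `)` workaround with its comment "real declaration moved to mls until range_transition works in loadable modules" and the mls_rangetrans_target(fsdaemon_t) call leave the patch. That hack only made sense together with the `range_transition initrc_t fsdaemon_exec_t s15:c0.c1023;` line dropped at the top of this diff, so either upstream 2.3.16 now declares fsdaemon_exec_t normally in smartmon.te and supplies the range transition itself, or smartd loses its s15 range under MLS; please confirm which before this goes in.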
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.3.16/policy/modules/services/smartmon.te
+--- nsaserefpolicy/policy/modules/services/smartmon.te 2006-07-14 17:04:41.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/smartmon.te 2006-09-26 09:53:18.000000000 -0400
+@@ -60,8 +60,11 @@
+ fs_getattr_all_fs(fsdaemon_t)
+ fs_search_auto_mountpoints(fsdaemon_t)
++mls_file_read_up(fsdaemon_t)
++
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
term_dontaudit_use_console(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
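Review bot: mls_file_read_up(fsdaemon_t) lets smartd read objects above its own level; it is needed so that an s0 smartd can open the fixed-disk node this patch labels s15:c0.c1023 (the /dev/scramdisk entry in storage.fc), but the hunk adds it with no comment and it is a broad grant covering every file class at every higher level rather than one scoped to device nodes. Add a comment naming the reason, and if the mls module offers a read-up interface limited to device nodes it would be the tighter choice. storage_raw_read_removable_device(fsdaemon_t) is in line with the existing raw fixed-disk read/write rules.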
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.15/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/ssh.te 2006-09-25 13:31:59.000000000 -0400
-@@ -71,7 +71,7 @@
- ifdef(`strict_policy',`
- # so a tunnel can point to another ssh tunnel
- allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
--
-+ allow sshd_t self:key { search link write };
- allow sshd_t sshd_tmp_t:dir create_dir_perms;
- allow sshd_t sshd_tmp_t:file create_file_perms;
- allow sshd_t sshd_tmp_t:sock_file create_file_perms;
-@@ -81,6 +81,10 @@
- corenet_tcp_bind_xserver_port(sshd_t)
- corenet_sendrecv_xserver_server_packets(sshd_t)
-
-+ kernel_link_key(sshd_t)
-+
-+ userdom_search_all_users_home_dirs(sshd_t)
-+
- tunable_policy(`ssh_sysadm_login',`
- # Relabel and access ptys created by sshd
- # ioctl is necessary for logout() processing for utmp entry and for w to
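Review bot: three strict-policy additions for sshd_t leave the patch here: `allow sshd_t self:key { search link write };` together with kernel_link_key(sshd_t) (the kernel keyring permissions sshd needs for its session keyring setup) and userdom_search_all_users_home_dirs(sshd_t) (needed to reach the per-user key files across user home types). Confirm upstream 2.3.16 carries all three; the first two are a matched pair, and dropping only one would leave sshd failing on keyring setup under strict policy.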
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.15/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.16/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/hostname.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/hostname.te 2006-09-26 09:53:18.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -2167,9 +1961,9 @@
role system_r types hostname_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.3.15/policy/modules/system/init.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.3.16/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2006-08-25 13:29:58.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/init.fc 2006-09-26 09:53:18.000000000 -0400
@@ -66,3 +66,6 @@
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -2177,43 +1971,10 @@
+# Until their is a policy for pcscd we need these
+/var/run/pcscd\.pub -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
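Review bot: the comment reads "Until their is a policy for pcscd" and should be "Until there is a policy for pcscd"; as this stop-gap labels pcscd's pid and pub files as initrc_var_run_t, the comment is the only thing telling a later reader why those entries live in init.fc, so it is worth getting right. Both entries escape the dot (`pcscd\.pub`, `pcscd\.pid`) correctly.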
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.3.15/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if 2006-09-15 13:14:26.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.if 2006-09-25 13:31:59.000000000 -0400
-@@ -63,8 +63,11 @@
- attribute direct_run_init, direct_init, direct_init_entry;
- type initrc_t;
- role system_r;
-+ attribute daemon;
- ')
-
-+ typeattribute $1 daemon;
-+
- domain_type($1)
- domain_entry_file($1,$2)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.15/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2006-09-22 14:07:07.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.te 2006-09-25 13:31:59.000000000 -0400
-@@ -16,6 +16,9 @@
- attribute direct_init;
- attribute direct_init_entry;
-
-+# Mark process types as daemons
-+attribute daemon;
-+
- #
- # init_t is the domain of the init process.
- #
-@@ -206,6 +209,7 @@
-
- allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
- allow initrc_t self:capability ~{ sys_admin sys_module };
-+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
- allow initrc_t self:passwd rootok;
-
- # Allow IPC with self
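Review bot: the `attribute daemon` declaration in init.te, the gen_require/typeattribute additions to init_daemon_domain in init.if and the `dontaudit initrc_t self:capability sys_module; # sysctl is triggering this` line all leave the patch in this region. The daemon attribute belongs with the allow_daemons_use_tty tunable removed further down, so dropping both is consistent; the sys_module dontaudit is independent of that feature, and although the new init.te base timestamp (2006-09-25) and the remaining inner header shifting from -361 to -365 (four lines: three for the attribute block, one for the dontaudit) suggest upstream picked it up, a quick grep in 2.3.16 is cheap, because a missing dontaudit brings the sysctl noise back into the audit log.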
-@@ -361,7 +365,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.16/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/init.te 2006-09-26 09:53:18.000000000 -0400
+@@ -365,7 +365,8 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -2223,19 +1984,7 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-@@ -513,6 +518,11 @@
- optional_policy(`
- mono_domtrans(initrc_t)
- ')
-+
-+ tunable_policy(`allow_daemons_use_tty',`
-+ term_use_unallocated_ttys(daemon)
-+ term_use_generic_ptys(daemon)
-+ ')
- ',`
- # cjp: require doesnt work in the else of optionals :\
- # this also would result in a type transition
-@@ -570,6 +580,8 @@
+@@ -579,6 +580,8 @@
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -2244,9 +1993,126 @@
cups_read_rw_config(initrc_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.3.15/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-2.3.16/policy/modules/system/iscsi.fc
+--- nsaserefpolicy/policy/modules/system/iscsi.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.16/policy/modules/system/iscsi.fc 2006-09-26 10:04:37.000000000 -0400
+@@ -0,0 +1,7 @@
++# iscsid executable will have:
++# label: system_u:object_r:iscsid_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/var/run/iscsid.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
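Review bot: `/var/run/iscsid.pid` uses an unescaped dot, so the regex also matches names such as /var/run/iscsidXpid; write it as `/var/run/iscsid\.pid`, as the pcscd and crond entries in this patch do. The entry is declared a plain file (`--`), which agrees with files_pid_file(iscsi_var_run_t) and the file-only files_pid_filetrans in iscsi.te; if the daemon ever creates a pid directory, both places need extending together.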
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.3.16/policy/modules/system/iscsi.if
+--- nsaserefpolicy/policy/modules/system/iscsi.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.16/policy/modules/system/iscsi.if 2006-09-26 10:04:37.000000000 -0400
+@@ -0,0 +1,24 @@
++## <summary>policy for iscsid</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run iscsid.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`iscsid_domtrans',`
++ gen_require(`
++ type iscsid_t, iscsid_exec_t;
++ ')
++
++ domain_auto_trans($1,iscsid_exec_t,iscsid_t)
++
++ allow $1 iscsid_t:fd use;
++ allow iscsid_t $1:fd use;
++ allow iscsid_t $1:fifo_file rw_file_perms;
++ allow iscsid_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-2.3.16/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.16/policy/modules/system/iscsi.te 2006-09-26 10:04:37.000000000 -0400
+@@ -0,0 +1,74 @@
++policy_module(iscsid,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type iscsid_t;
++type iscsid_exec_t;
++domain_type(iscsid_t)
++init_daemon_domain(iscsid_t, iscsid_exec_t)
++
++type iscsi_tmp_t;
++files_tmp_file(iscsi_tmp_t)
++
++type iscsi_var_run_t;
++files_pid_file(iscsi_var_run_t)
++
++
++########################################
++#
++# iscsid local policy
++#
++# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
++
++# Some common macros (you might be able to remove some)
++files_read_etc_files(iscsid_t)
++libs_use_ld_so(iscsid_t)
++libs_use_shared_libs(iscsid_t)
++miscfiles_read_localization(iscsid_t)
++## internal communication is often done using fifo and unix sockets.
++allow iscsid_t self:fifo_file { read write };
++allow iscsid_t self:unix_stream_socket create_stream_socket_perms;
++
++## Networking basics (adjust to your needs!)
++sysnet_dns_name_resolve(iscsid_t)
++corenet_tcp_sendrecv_all_if(iscsid_t)
++corenet_tcp_sendrecv_all_nodes(iscsid_t)
++corenet_tcp_sendrecv_all_ports(iscsid_t)
++corenet_non_ipsec_sendrecv(iscsid_t)
++corenet_tcp_connect_http_port(iscsid_t)
++#corenet_tcp_connect_all_ports(iscsid_t)
++## if it is a network daemon, consider these:
++#corenet_tcp_bind_all_ports(iscsid_t)
++#corenet_tcp_bind_all_nodes(iscsid_t)
++allow iscsid_t self:tcp_socket { listen accept };
++
++# Init script handling
++init_use_fds(iscsid_t)
++init_use_script_ptys(iscsid_t)
++domain_use_interactive_fds(iscsid_t)
++
++logging_send_syslog_msg(iscsid_t)
++
++allow iscsid_t self:capability { ipc_lock net_admin sys_nice sys_resource };
++allow iscsid_t self:netlink_socket { bind create };
++allow iscsid_t self:unix_dgram_socket create_socket_perms;
++
++allow iscsid_t devpts_t:chr_file { read write };
++
++allow iscsid_t self:process setsched;
++allow iscsid_t self:sem create_sem_perms;
++allow iscsid_t self:shm create_shm_perms;
++
++dev_rw_sysfs(iscsid_t)
++
++allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
++allow iscsid_t iscsi_var_run_t:file create_file_perms;
++files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
++
++allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
++allow iscsid_t iscsi_tmp_t:file create_file_perms;
++fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.3.16/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/logging.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/logging.fc 2006-09-26 09:53:18.000000000 -0400
@@ -1,7 +1,7 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
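Review bot: `policy_module(iscsid,1.0.0)` in iscsi.te does not match the file name (iscsi.te, and `iscsi = module` in modules-targeted.conf); the module name compiled into the .pp should be `iscsi` so the build's module list and semodule agree. In the same file, `allow iscsid_t devpts_t:chr_file { read write };` references a type owned by the terminal module with no `gen_require`, which will not compile as a loadable module; use the terminal interface `term_use_generic_ptys(iscsid_t)` instead. The policygentool leftovers should be resolved rather than shipped: the "Check in /etc/selinux/refpolicy/include ..." and "(adjust to your needs!)" comments, and `corenet_tcp_connect_http_port(iscsid_t)` with `#corenet_tcp_connect_all_ports` still commented beside it; an iSCSI initiator daemon connects to iSCSI targets, not to an HTTP port, so name the port it actually uses. Finally, `files_tmp_file(iscsi_tmp_t)` declares a /tmp type but the only transition is `fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )`: if iscsid creates files under /tmp, add `files_tmp_filetrans(iscsid_t,iscsi_tmp_t,file)`; if it only uses tmpfs, declare the type with `files_tmpfs_file` instead.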
@@ -2271,9 +2137,9 @@
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.15/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/logging.te 2006-09-25 13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.16/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/logging.te 2006-09-26 09:53:18.000000000 -0400
@@ -18,6 +18,7 @@
type auditd_log_t;
@@ -2282,17 +2148,9 @@
type auditd_t;
# real declaration moved to mls until
-@@ -161,6 +162,7 @@
- miscfiles_read_localization(auditd_t)
-
- mls_file_read_up(auditd_t)
-+mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
- mls_rangetrans_target(auditd_t)
-
- seutil_dontaudit_read_config(auditd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.3.15/policy/modules/system/raid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.3.16/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/raid.te 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/raid.te 2006-09-26 09:53:18.000000000 -0400
@@ -29,11 +29,13 @@
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
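Review bot: dropping the `mls_file_write_down(auditd_t)` hunk from the patch is only correct if the 2006-09-25 upstream logging.te that the new `---` header points at already carries it; otherwise the MLS auditd regresses on writing under /var/run, which is exactly the reason given in the removed comment. Grep serefpolicy-2.3.16/policy/modules/system/logging.te for it before landing.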
@@ -2307,9 +2165,9 @@
fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.3.15/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.3.16/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/selinuxutil.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/selinuxutil.fc 2006-09-26 09:53:18.000000000 -0400
@@ -6,12 +6,12 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
@@ -2326,28 +2184,17 @@
#
# /root
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.3.15/policy/modules/system/setrans.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.3.16/policy/modules/system/setrans.fc
--- nsaserefpolicy/policy/modules/system/setrans.fc 2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/setrans.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/setrans.fc 2006-09-26 09:53:18.000000000 -0400
@@ -1,3 +1,3 @@
/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
-/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
+/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c1023)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.3.15/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/udev.te 2006-09-25 13:31:59.000000000 -0400
-@@ -92,6 +92,7 @@
- dev_delete_generic_files(udev_t)
-
- domain_read_all_domains_state(udev_t)
-+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
-
- files_read_etc_runtime_files(udev_t)
- files_read_etc_files(udev_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.3.15/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.3.16/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/unconfined.if 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/unconfined.if 2006-09-26 09:53:18.000000000 -0400
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
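Review bot: the removed udev.te hunk, `domain_dontaudit_ptrace_all_domains(udev_t)` (added because pidof triggers the denials), is deleted from the patch rather than moved, so it must already be in the 2.3.16 upstream udev.te or the ptrace noise returns to the audit log. The setrans.fc hunk itself is unchanged apart from the header; it still widens the setrans runtime directory from s15:c0.c255 to s15:c0.c1023, which matches the category range used in the users and userdomain.fc hunks, so that part is consistent.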
@@ -2356,9 +2203,9 @@
kernel_unconfined($1)
corenet_unconfined($1)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.3.15/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.3.16/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/userdomain.fc 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.fc 2006-09-26 09:53:18.000000000 -0400
@@ -4,6 +4,6 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -2367,112 +2214,21 @@
+HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c1023)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.15/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2006-09-22 09:35:45.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/userdomain.if 2006-09-25 13:31:59.000000000 -0400
-@@ -4317,6 +4317,7 @@
- ')
-
- dontaudit $1 user_home_dir_t:dir search_dir_perms;
-+ dontaudit $1 user_home_t:dir search_dir_perms;
- dontaudit $1 user_home_t:file r_file_perms;
- ',`
- gen_require(`
-@@ -4324,7 +4325,8 @@
- ')
-
- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-- dontaudit $1 sysadm_home_t:dir r_file_perms;
-+ dontaudit $1 sysadm_home_t:dir search_dir_perms;
-+ dontaudit $1 sysadm_home_t:file r_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.16/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.if 2006-09-26 09:53:18.000000000 -0400
+@@ -849,6 +849,7 @@
')
- ')
-
-@@ -5146,6 +5148,29 @@
- ########################################
- ## <summary>
-+## Read and write unprivileged user ttys.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_use_unpriv_users_ttys',`
-+ ifdef(`targeted_policy',`
-+ term_use_unallocated_ttys($1)
-+ ',`
-+ gen_require(`
-+ attribute user_ttynode;
-+ ')
-+
-+ allow $1 user_ttynode:chr_file rw_file_perms;
-+ ')
-+')
-+
-+
-+########################################
-+## <summary>
- ## Read the process state of all user domains.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.15/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2006-09-22 09:35:45.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/userdomain.te 2006-09-25 13:31:59.000000000 -0400
-@@ -58,6 +58,10 @@
-
- ifdef(`strict_policy',`
- userdom_admin_user_template(sysadm)
-+ # Following for sending reboot, and wall messages
-+ userdom_use_unpriv_users_ptys(sysadm_t)
-+ userdom_use_unpriv_users_ttys(sysadm_t)
-+
- userdom_unpriv_user_template(staff)
- userdom_unpriv_user_template(user)
-
-@@ -128,11 +132,13 @@
- domain_kill_all_domains(auditadm_t)
- seutil_read_bin_policy(auditadm_t)
- corecmd_exec_shell(auditadm_t)
-+ logging_send_syslog_msg(auditadm_t)
- logging_read_generic_logs(auditadm_t)
- logging_manage_audit_log(auditadm_t)
- logging_manage_audit_config(auditadm_t)
- logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
- logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
-+ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
-
- allow secadm_t self:capability dac_override;
- corecmd_exec_shell(secadm_t)
-@@ -148,6 +154,7 @@
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
-+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
- ',`
- logging_manage_audit_log(sysadm_t)
- logging_manage_audit_config(sysadm_t)
-@@ -376,11 +383,12 @@
- selinux_set_parameters(secadm_t)
-
- seutil_manage_bin_policy(secadm_t)
-- seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
-- seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
-- seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
-- seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
-- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
-+ seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-+ seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-+ seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-+ seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-+ seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
-+ logging_send_syslog_msg(secadm_t)
- ', `
- selinux_set_enforce_mode(sysadm_t)
- selinux_set_boolean(sysadm_t)
-@@ -415,6 +423,9 @@
+ optional_policy(`
++ rpm_exec($1_t)
+ rpm_read_db($1_t)
+ rpm_dontaudit_manage_db($1_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.16/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.te 2006-09-26 09:53:18.000000000 -0400
+@@ -423,6 +423,9 @@
')
optional_policy(`
@@ -2482,9 +2238,9 @@
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
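Review bot: the one substantive change in the userdomain hunks is the new `rpm_exec($1_t)` at userdomain.if:849, inside the `optional_policy` block that already grants `rpm_read_db($1_t)` and `rpm_dontaudit_manage_db($1_t)`. That is an execute without a domain transition, so rpm runs in the user's own `$1_t` domain with only that domain's permissions, which suits read-only queries; if the intent were to let the user install packages it would need `rpm_run` with the role, so the intent should be stated in the changelog. Every other userdomain.if/.te hunk from the 2.3.15 patch (the `user_home_t`/`sysadm_home_t` dontaudits, `userdom_use_unpriv_users_ttys`, the auditadm/secadm syslog rules and the `seutil_run_*` terminal arguments) is deleted rather than rebased, so each must be present in the 2006-09-25 upstream userdomain files or that fix is lost.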
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.3.15/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.3.16/policy/users
--- nsaserefpolicy/policy/users 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/users 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/users 2006-09-26 09:53:18.000000000 -0400
@@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
@@ -2524,9 +2280,9 @@
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c1023, c0.c1023)
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.15/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.16/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-09-15 13:14:28.000000000 -0400
-+++ serefpolicy-2.3.15/Rules.modular 2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/Rules.modular 2006-09-26 09:53:18.000000000 -0400
@@ -212,6 +212,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.292
retrieving revision 1.293
diff -u -r1.292 -r1.293
--- selinux-policy.spec 25 Sep 2006 15:58:33 -0000 1.292
+++ selinux-policy.spec 26 Sep 2006 14:59:58 -0000 1.293
@@ -16,8 +16,8 @@
%define CHECKPOLICYVER 1.30.11-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.3.15
-Release: 2
+Version: 2.3.16
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -349,6 +349,9 @@
%endif
%changelog
+* Mon Sep 25 2006 Dan Walsh <dwalsh at redhat.com> 2.3.16-1
+- Update with upstream
+
* Mon Sep 25 2006 Dan Walsh <dwalsh at redhat.com> 2.3.15-2
- mls fixes
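Review bot: the 2.3.16-1 changelog entry reuses the date of the 2.3.15-2 entry (Mon Sep 25 2006) although the commit is dated 26 Sep; rpmbuild accepts it, but it misdates the release. "Update with upstream" also says nothing about what moved upstream, while the patch diff drops several hunks (the auditd `mls_file_write_down`, the udev ptrace dontaudit, the userdomain tty and syslog changes) and adds the iscsi module plus `rpm_exec` for user domains; listing those here would make the changelog useful when a regression is bisected later.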
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -r1.92 -r1.93
--- sources 22 Sep 2006 20:41:12 -0000 1.92
+++ sources 26 Sep 2006 14:59:58 -0000 1.93
@@ -1 +1 @@
-c26b613471b3742750204c54e4336a48 serefpolicy-2.3.15.tgz
+549a42b9073f1aae693dd3481a11c9ff serefpolicy-2.3.16.tgz