rpms/selinux-policy/FC-6 policy-20061106.patch, 1.14, 1.15 selinux-policy.spec, 1.340, 1.341
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Feb 6 18:26:40 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv18053
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Mon Feb 5 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-36
- Allow xen to work properly on ia64, needs to be able to read dosfs_t
Resolves: #217362
- Allow mozilla, evolution and thunderbird to read dev_random.
Resolves: FC6-227002
- Allow spamd to connect to smtp port
Resolves: FC6-227184
- Fixes to make ypxfr work
Resolves: FC6-227237
- Allow audit fsetsid capability
Resolves: FC6-227423
- Allow syslog (syslog-ng) to tcp_connect to other syslog servers
Resolves: FC6-218978
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/default_contexts | 6
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 66 +++
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 6
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 14
policy/modules/admin/consoletype.te | 21
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 5
policy/modules/admin/firstboot.if | 6
policy/modules/admin/kudzu.te | 5
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 6
policy/modules/admin/netutils.te | 10
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 17
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 49 --
policy/modules/admin/su.if | 28 -
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.te | 34 +
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 107 ++++-
policy/modules/apps/evolution.te | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 +++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 38 +
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17
policy/modules/apps/mozilla.if | 210 ++++++++-
policy/modules/apps/mplayer.if | 84 +++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 3
policy/modules/apps/thunderbird.if | 81 +++
policy/modules/apps/userhelper.if | 19
policy/modules/apps/webalizer.te | 6
policy/modules/apps/wine.fc | 1
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 11
policy/modules/kernel/corecommands.if | 77 +++
policy/modules/kernel/corenetwork.if.in | 99 ++++
policy/modules/kernel/corenetwork.te.in | 17
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 7
policy/modules/kernel/devices.if | 18
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 58 ++
policy/modules/kernel/domain.te | 22 +
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 222 ++++++++++
policy/modules/kernel/filesystem.if | 43 +-
policy/modules/kernel/filesystem.te | 13
policy/modules/kernel/kernel.if | 64 ++-
policy/modules/kernel/kernel.te | 12
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 11
policy/modules/services/apache.te | 24 +
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 5
policy/modules/services/bluetooth.te | 7
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 11
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 92 ++--
policy/modules/services/cron.te | 52 ++
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 62 ++
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 2
policy/modules/services/ftp.te | 14
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 57 ++
policy/modules/services/hal.te | 9
policy/modules/services/inetd.te | 28 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 3
policy/modules/services/kerberos.te | 13
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 56 +-
policy/modules/services/lpd.te | 5
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 2
policy/modules/services/munin.te | 5
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 3
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 30 +
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 15
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 3
policy/modules/services/openvpn.te | 4
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 ++
policy/modules/services/pcscd.te | 78 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/portmap.te | 5
policy/modules/services/postfix.fc | 1
policy/modules/services/postfix.if | 2
policy/modules/services/postfix.te | 17
policy/modules/services/procmail.te | 19
policy/modules/services/pyzor.te | 4
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 13
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.te | 23 -
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 17
policy/modules/services/sasl.te | 2
policy/modules/services/sendmail.te | 8
policy/modules/services/setroubleshoot.if | 20
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 2
policy/modules/services/spamassassin.if | 22 +
policy/modules/services/spamassassin.te | 17
policy/modules/services/squid.fc | 1
policy/modules/services/squid.if | 1
policy/modules/services/squid.te | 11
policy/modules/services/ssh.if | 83 +++
policy/modules/services/ssh.te | 10
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 +++
policy/modules/services/uucp.te | 44 +-
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 190 ++++++++-
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.if | 74 +++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 13
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 11
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19
policy/modules/system/init.if | 23 +
policy/modules/system/init.te | 48 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 ++++
policy/modules/system/ipsec.te | 107 +++++
policy/modules/system/iptables.te | 16
policy/modules/system/libraries.fc | 38 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 19
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 44 ++
policy/modules/system/lvm.te | 75 +++
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 +++
policy/modules/system/modutils.te | 25 -
policy/modules/system/mount.te | 27 -
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 13
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 119 +++++
policy/modules/system/selinuxutil.te | 118 ++---
policy/modules/system/sysnetwork.te | 10
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19
policy/modules/system/unconfined.te | 23 +
policy/modules/system/userdomain.if | 569 ++++++++++++++++++++++++---
policy/modules/system/userdomain.te | 63 +-
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 37 +
211 files changed, 4680 insertions(+), 587 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- policy-20061106.patch 1 Feb 2007 21:35:56 -0000 1.14
+++ policy-20061106.patch 6 Feb 2007 18:26:38 -0000 1.15
@@ -12,6 +12,20 @@
+system_u:system_u:s0-mcs_systemhigh
root:root:s0-mcs_systemhigh
__default__:user_u:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_contexts serefpolicy-2.4.6/config/appconfig-strict-mls/default_contexts
+--- nsaserefpolicy/config/appconfig-strict-mls/default_contexts 2006-11-29 12:04:52.000000000 -0500
++++ serefpolicy-2.4.6/config/appconfig-strict-mls/default_contexts 2007-02-06 13:23:35.000000000 -0500
+@@ -1,7 +1,7 @@
+ system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+-system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
+-system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
+-system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
++system_r:local_login_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0 secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0
++system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0
++system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0
+ system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+ system_r:xdm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
+ staff_r:staff_su_t:s0 staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/seusers serefpolicy-2.4.6/config/appconfig-strict-mls/seusers
--- nsaserefpolicy/config/appconfig-strict-mls/seusers 2006-11-29 12:04:52.000000000 -0500
+++ serefpolicy-2.4.6/config/appconfig-strict-mls/seusers 2007-01-16 11:11:26.000000000 -0500
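Review bot: The new `system_r:remote_login_t:s0` entry gains `secadm_r:secadm_t:s0 auditadm_r:auditadm_t:s0` even though that entry, unlike the `local_login_t` and `sshd_t` ones, never listed `sysadm_r:sysadm_t:s0`. If sysadm was left out to keep administrative roles off rlogin/telnet sessions (an inference, the file does not say), the same reasoning applies to the security and audit administrator roles. In that case the line should stay `system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0`. If the addition is deliberate, the changelog entry should say so, because none of the six items in the log message mentions this default_contexts change.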
@@ -1088,7 +1102,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.4.6/policy/modules/apps/evolution.if
--- nsaserefpolicy/policy/modules/apps/evolution.if 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/evolution.if 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/evolution.if 2007-02-05 15:24:26.000000000 -0500
@@ -129,6 +129,10 @@
allow $1_evolution_t $1_evolution_orbit_tmp_t:file manage_file_perms;
files_tmp_filetrans($1_evolution_t,$1_evolution_orbit_tmp_t,{ dir file })
@@ -1109,7 +1123,15 @@
#FIXME check to see if really needed
kernel_read_kernel_sysctls($1_evolution_t)
kernel_read_system_state($1_evolution_t)
-@@ -238,6 +244,7 @@
+@@ -214,6 +220,7 @@
+ corenet_udp_bind_generic_port($1_evolution_t)
+
+ dev_read_urand($1_evolution_t)
++ dev_read_rand($1_evolution_t)
+
+ files_read_etc_files($1_evolution_t)
+ files_read_usr_files($1_evolution_t)
+@@ -238,6 +245,7 @@
userdom_manage_user_tmp_dirs($1,$1_evolution_t)
userdom_manage_user_tmp_sockets($1,$1_evolution_t)
userdom_manage_user_tmp_files($1,$1_evolution_t)
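Review bot: `dev_read_rand($1_evolution_t)` is added directly under the existing `dev_read_urand` call with nothing in the policy saying why the blocking device is needed. The same line is added for `$1_mozilla_t` and `$1_thunderbird_t` in the mozilla.if and thunderbird.if hunks further down. These domains are per-user network clients that process untrusted content, and read access to the random device lets them consume entropy that other processes may be waiting on. I would put a comment above each call, for example `# crypto library opens /dev/random for key generation (FC6-227002)`, with the wording checked against the bug. If the device is only probed and not actually needed, a dontaudit rule would be the narrower choice. The enclosing template starts and ends outside this hunk.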
@@ -1117,7 +1139,7 @@
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
-@@ -246,6 +253,7 @@
+@@ -246,6 +254,7 @@
mta_read_config($1_evolution_t)
xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
@@ -1125,7 +1147,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_evolution_t)
-@@ -410,7 +418,11 @@
+@@ -410,7 +419,11 @@
')
optional_policy(`
@@ -1138,7 +1160,7 @@
')
### Junk mail filtering (start spamd)
-@@ -463,7 +475,8 @@
+@@ -463,7 +476,8 @@
# Evolution alarm local policy
#
@@ -1148,7 +1170,7 @@
allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
-@@ -489,6 +502,14 @@
+@@ -489,6 +503,14 @@
domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
allow $1_evolution_alarm_t $2:fd use;
@@ -1163,7 +1185,7 @@
fs_search_auto_mountpoints($1_evolution_alarm_t)
miscfiles_read_localization($1_evolution_alarm_t)
-@@ -512,9 +533,18 @@
+@@ -512,9 +534,18 @@
')
optional_policy(`
@@ -1182,7 +1204,7 @@
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_alarm,$1)
-@@ -525,6 +555,9 @@
+@@ -525,6 +556,9 @@
# Evolution exchange connector local policy
#
@@ -1192,7 +1214,7 @@
allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
-@@ -542,6 +575,16 @@
+@@ -542,6 +576,16 @@
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
@@ -1209,7 +1231,7 @@
# /tmp/.exchange-$USER
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir create_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file create_file_perms;
-@@ -588,6 +631,10 @@
+@@ -588,6 +632,10 @@
fs_manage_nfs_files($1_evolution_exchange_t)
')
@@ -1220,7 +1242,7 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_exchange_t)
')
-@@ -606,6 +653,8 @@
+@@ -606,6 +654,8 @@
# Evolution data server local policy
#
@@ -1229,7 +1251,7 @@
allow $1_evolution_server_t self:fifo_file { read write };
allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
# Talk to ldap (address book),
-@@ -628,6 +677,12 @@
+@@ -628,6 +678,12 @@
allow $1_evolution_server_t $2:fd use;
@@ -1242,7 +1264,7 @@
kernel_read_system_state($1_evolution_server_t)
corecmd_exec_shell($1_evolution_server_t)
-@@ -682,6 +737,10 @@
+@@ -682,6 +738,10 @@
')
optional_policy(`
@@ -1253,7 +1275,7 @@
nscd_socket_use($1_evolution_server_t)
')
-@@ -813,3 +872,46 @@
+@@ -813,3 +873,46 @@
allow $2 $1_evolution_t:unix_stream_socket connectto;
allow $2 $1_evolution_home_t:dir search;
')
@@ -1602,7 +1624,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.4.6/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/mozilla.if 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/mozilla.if 2007-02-05 15:24:34.000000000 -0500
@@ -59,7 +59,7 @@
#
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
@@ -1620,7 +1642,11 @@
allow $1_mozilla_t $1_mozilla_tmpfs_t:dir rw_dir_perms;
allow $1_mozilla_t $1_mozilla_tmpfs_t:file manage_file_perms;
-@@ -154,6 +155,7 @@
+@@ -151,9 +152,11 @@
+ corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
+
+ dev_read_urand($1_mozilla_t)
++ dev_read_rand($1_mozilla_t)
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
@@ -1628,7 +1654,7 @@
files_read_etc_runtime_files($1_mozilla_t)
files_read_usr_files($1_mozilla_t)
-@@ -163,8 +165,9 @@
+@@ -163,8 +166,9 @@
# interacting with gstreamer
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
@@ -1639,7 +1665,7 @@
fs_rw_tmpfs_files($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
-@@ -180,6 +183,8 @@
+@@ -180,6 +184,8 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
@@ -1648,7 +1674,7 @@
userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
userdom_manage_user_home_content_files($1,$1_mozilla_t)
userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
-@@ -188,7 +193,9 @@
+@@ -188,7 +194,9 @@
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
@@ -1659,7 +1685,7 @@
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
')
-@@ -336,6 +343,14 @@
+@@ -336,6 +344,14 @@
')
optional_policy(`
@@ -1674,7 +1700,7 @@
apache_read_user_scripts($1,$1_mozilla_t)
apache_read_user_content($1,$1_mozilla_t)
')
-@@ -347,6 +362,8 @@
+@@ -347,6 +363,8 @@
optional_policy(`
dbus_system_bus_client_template($1_mozilla,$1_mozilla_t)
dbus_send_system_bus($1_mozilla_t)
@@ -1683,7 +1709,7 @@
ifdef(`TODO',`
optional_policy(`
allow cupsd_t $1_mozilla_t:dbus send_msg;
-@@ -359,44 +376,34 @@
+@@ -359,44 +377,34 @@
')
optional_policy(`
@@ -1745,7 +1771,7 @@
# Macros for mozilla/mozilla (or other browser) domains.
# FIXME: Rules were removed to centralize policy in a gnome_app macro
-@@ -406,7 +413,147 @@
+@@ -406,7 +414,147 @@
# GNOME integration
optional_policy(`
gnome_application($1_mozilla, $1)
@@ -2043,14 +2069,15 @@
libs_use_ld_so(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.4.6/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/thunderbird.if 2007-01-16 11:11:26.000000000 -0500
-@@ -62,12 +62,16 @@
++++ serefpolicy-2.4.6/policy/modules/apps/thunderbird.if 2007-02-05 15:26:32.000000000 -0500
+@@ -62,12 +62,17 @@
allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
allow $1_thunderbird_t self:tcp_socket create_socket_perms;
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
+ allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
+
+ dev_read_urand($1_thunderbird_t)
++ dev_read_rand($1_thunderbird_t)
# Access ~/.thunderbird
allow $1_thunderbird_t $1_thunderbird_home_t:dir manage_dir_perms;
@@ -2061,7 +2088,7 @@
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:dir rw_dir_perms;
allow $1_thunderbird_t $1_thunderbird_tmpfs_t:file manage_file_perms;
-@@ -96,10 +100,13 @@
+@@ -96,10 +101,13 @@
# Allow netstat
kernel_read_network_state($1_thunderbird_t)
@@ -2075,7 +2102,7 @@
corenet_non_ipsec_sendrecv($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
-@@ -126,15 +133,20 @@
+@@ -126,15 +134,20 @@
files_list_tmp($1_thunderbird_t)
files_read_usr_files($1_thunderbird_t)
files_read_etc_files($1_thunderbird_t)
@@ -2096,7 +2123,7 @@
sysnet_read_config($1_thunderbird_t)
# Allow DNS
-@@ -148,7 +160,8 @@
+@@ -148,7 +161,8 @@
userdom_read_user_home_content_files($1,$1_thunderbird_t)
xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
@@ -2106,7 +2133,7 @@
# Transition from user type
tunable_policy(`! disable_thunderbird_trans',`
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-@@ -299,6 +312,10 @@
+@@ -299,6 +313,10 @@
')
optional_policy(`
@@ -2117,7 +2144,7 @@
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
-@@ -321,17 +338,26 @@
+@@ -321,17 +339,26 @@
nis_use_ypbind($1_thunderbird_t)
')
@@ -2150,7 +2177,7 @@
# GNOME support
optional_policy(`
gnome_application($1_thunderbird, $1)
-@@ -347,3 +373,43 @@
+@@ -347,3 +374,43 @@
')
')
@@ -2247,6 +2274,13 @@
+ ssh_sigchld(webalizer_t)
+ ssh_rw_stream_sockets(webalizer_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.4.6/policy/modules/apps/wine.fc
+--- nsaserefpolicy/policy/modules/apps/wine.fc 2006-11-29 12:04:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/wine.fc 2007-02-06 10:34:41.000000000 -0500
+@@ -1,2 +1,3 @@
+ /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/yam.te serefpolicy-2.4.6/policy/modules/apps/yam.te
--- nsaserefpolicy/policy/modules/apps/yam.te 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/yam.te 2007-01-16 11:11:26.000000000 -0500
@@ -3174,8 +3208,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.4.6/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.if 2007-02-01 16:29:45.000000000 -0500
-@@ -1122,7 +1122,7 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.if 2007-02-06 11:16:16.000000000 -0500
+@@ -1122,12 +1122,32 @@
type dosfs_t;
')
@@ -3184,7 +3218,32 @@
allow $1 dosfs_t:file manage_file_perms;
')
-@@ -2763,7 +2763,26 @@
+ ########################################
+ ## <summary>
++## read files
++## on a DOS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_dos_files',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ allow $1 dosfs_t:dir r_dir_perms;
++ allow $1 dosfs_t:file r_file_perms;
++')
++
++########################################
++## <summary>
+ ## Read eventpollfs files.
+ ## </summary>
+ ## <desc>
+@@ -2763,7 +2783,26 @@
type tmpfs_t;
')
@@ -3531,7 +3590,7 @@
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.4.6/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.if 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.if 2007-02-06 11:24:29.000000000 -0500
@@ -636,6 +636,8 @@
attribute ptynode;
')
@@ -5011,7 +5070,7 @@
allow ypxfr_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.4.6/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.te 2007-01-25 14:15:11.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nis.te 2007-02-05 15:59:41.000000000 -0500
@@ -291,6 +291,7 @@
domain_use_interactive_fds(ypserv_t)
@@ -5020,33 +5079,48 @@
init_use_fds(ypserv_t)
init_use_script_ptys(ypserv_t)
-@@ -329,7 +330,15 @@
+@@ -329,7 +330,19 @@
# ypxfr local policy
#
+allow ypxfr_t var_yp_t:dir rw_dir_perms;
+allow ypxfr_t var_yp_t:file create_file_perms;
+
-+allow ypxfr_t ypserv_t:tcp_socket { read write };
-+allow ypxfr_t ypserv_t:udp_socket { read write };
-+
++allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
++allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
++
++allow ypxfr_t ypserv_t:tcp_socket { read write };
++allow ypxfr_t ypserv_t:udp_socket { read write };
++
++allow ypxfr_t ypserv_conf_t:file { getattr read };
corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
-@@ -348,4 +357,10 @@
+@@ -348,4 +361,21 @@
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)
-+libs_use_ld_so(ypxfr_t)
-+libs_use_shared_libs(ypxfr_t)
++init_use_fds(ypxfr_t)
+
files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
++libs_use_ld_so(ypxfr_t)
++libs_use_shared_libs(ypxfr_t)
++
++logging_send_syslog_msg(ypxfr_t)
++
++miscfiles_read_localization(ypxfr_t)
++
+sysnet_read_config(ypxfr_t)
++
++ifdef(`targeted_policy', `
++ term_dontaudit_use_unallocated_ttys(ypxfr_t)
++ term_dontaudit_use_generic_ptys(ypxfr_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.6/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/nscd.if 2007-01-16 11:11:26.000000000 -0500
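Review bot: The added `allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;` pairs a datagram socket class with the stream permission set, which additionally grants `listen` and `accept`, neither of which a datagram socket uses. The `udp_socket` line two rows below already uses the datagram form, so this should read `allow ypxfr_t self:unix_dgram_socket create_socket_perms;`. The rest of the ypxfr_t section continues outside the lines shown here, so I have only checked the rules visible in this hunk.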
@@ -6082,7 +6156,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.6/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2007-02-01 15:52:08.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2007-02-05 15:39:09.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -6122,7 +6196,15 @@
allow spamd_t spamd_tmp_t:dir create_dir_perms;
allow spamd_t spamd_tmp_t:file create_file_perms;
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
-@@ -85,6 +92,7 @@
+@@ -78,6 +85,7 @@
+ corenet_tcp_bind_all_nodes(spamd_t)
+ corenet_tcp_bind_spamd_port(spamd_t)
+ corenet_tcp_connect_razor_port(spamd_t)
++corenet_tcp_connect_smtp_port(spamd_t)
+ corenet_sendrecv_razor_client_packets(spamd_t)
+ corenet_sendrecv_spamd_server_packets(spamd_t)
+ # spamassassin 3.1 needs this for its
+@@ -85,6 +93,7 @@
# random ports >= 1024.
corenet_udp_bind_all_nodes(spamd_t)
corenet_udp_bind_generic_port(spamd_t)
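Review bot: `corenet_tcp_connect_smtp_port(spamd_t)` is added without a matching packet rule, whereas the razor connection directly above it is paired with `corenet_sendrecv_razor_client_packets(spamd_t)`. Where packet labelling is in use, the SMTP connection would presumably still be denied at the packet layer; adding `corenet_sendrecv_smtp_client_packets(spamd_t)` next to the other sendrecv lines keeps the two in step. Because spamd_t parses untrusted mail, a one-line comment naming the feature that needs outbound SMTP (FC6-227184) would also help a later reviewer decide whether this access can be made conditional.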
@@ -6130,7 +6212,7 @@
corenet_udp_bind_imaze_port(spamd_t)
corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_sendrecv_generic_server_packets(spamd_t)
-@@ -107,7 +115,8 @@
+@@ -107,7 +116,8 @@
files_read_usr_files(spamd_t)
files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
@@ -6140,7 +6222,7 @@
init_use_fds(spamd_t)
init_use_script_ptys(spamd_t)
-@@ -138,6 +147,7 @@
+@@ -138,6 +148,7 @@
tunable_policy(`spamd_enable_home_dirs',`
userdom_home_filetrans_generic_user_home_dir(spamd_t)
@@ -6187,7 +6269,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.4.6/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ssh.if 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ssh.if 2007-02-05 16:41:00.000000000 -0500
@@ -234,6 +234,7 @@
domain_type($1_ssh_agent_t)
domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
@@ -6207,7 +6289,7 @@
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
allow $1_ssh_keysign_t $1_ssh_t:fd use;
-@@ -734,3 +739,63 @@
+@@ -734,3 +739,81 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -6271,6 +6353,24 @@
+ allow sshd_t $1:fifo_file rw_file_perms;
+ allow sshd_t $1:process sigchld;
+')
++
++########################################
++## <summary>
++## Read ssh server keys
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_setattr_server_keys',`
++ gen_require(`
++ type sshd_key_t;
++ ')
++
++ allow $1 sshd_key_t:file setattr;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/ssh.te 2007-01-16 11:11:26.000000000 -0500
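Review bot: The summary of the new `ssh_setattr_server_keys` interface says "Read ssh server keys", but the body grants only `allow $1 sshd_key_t:file setattr;` and no read access. The text looks copied from a read interface and should be `## Set the attributes of ssh server key files.`, so that someone auditing callers from the interface documentation is not misled about what is granted. The only caller added in this patch is `ssh_setattr_server_keys(initrc_t)` in the init.te hunk further down. A comment there stating why init scripts need to change attributes on host key files would make that grant easier to review.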
@@ -7203,7 +7303,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.te 2007-01-29 17:39:36.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/init.te 2007-02-05 16:41:08.000000000 -0500
@@ -125,6 +125,7 @@
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
@@ -7255,7 +7355,7 @@
-miscfiles_read_localization(initrc_t)
+# init scripts cp /etc/localtime over other directories localtime
-+miscfiles_rw_localization(initrc_t)
++miscfiles_manage_localization(initrc_t)
+miscfiles_setattr_localization(initrc_t)
+miscfiles_relabel_localization(initrc_t)
+
@@ -7325,7 +7425,15 @@
')
optional_policy(`
-@@ -761,3 +795,10 @@
+@@ -724,6 +758,7 @@
+
+ optional_policy(`
+ ssh_dontaudit_read_server_keys(initrc_t)
++ ssh_setattr_server_keys(initrc_t)
+ ')
+
+ optional_policy(`
+@@ -761,3 +796,10 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -7621,16 +7729,17 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2007-01-23 15:26:46.000000000 -0500
-@@ -79,6 +79,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2007-02-06 10:34:24.000000000 -0500
+@@ -79,6 +79,8 @@
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -130,7 +131,8 @@
+@@ -130,7 +132,8 @@
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
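Review bot: The new entry `/opt/cxoffice/lib/wine/.+\.so` labels every shared object under that third-party tree as `textrel_shlib_t`, including subdirectories, since `.+` also matches `/`. The IBM Java line above it is similarly broad, but most `textrel_shlib_t` entries in this file name specific libraries. As that type exists to permit text relocations, it would be tighter to list only the libraries that actually trigger the denial, or at least to add a comment such as `# CrossOver wine libraries require text relocation`. The pattern also has no `(\.[^/]*)*` suffix, so versioned file names such as `foo.so.1` would not get the label; confirm that is intended.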
@@ -7640,7 +7749,7 @@
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -139,17 +141,21 @@
+@@ -139,17 +142,21 @@
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -7663,7 +7772,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -157,6 +163,7 @@
+@@ -157,6 +164,7 @@
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -7671,7 +7780,7 @@
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
-@@ -167,19 +174,15 @@
+@@ -167,19 +175,15 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -7695,7 +7804,7 @@
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -243,9 +246,13 @@
+@@ -243,9 +247,13 @@
/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Flash plugin, Macromedia
@@ -7709,7 +7818,7 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -258,10 +265,9 @@
+@@ -258,10 +266,9 @@
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
@@ -7723,7 +7832,7 @@
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -300,3 +306,6 @@
+@@ -300,3 +307,6 @@
/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -7831,7 +7940,7 @@
corecmd_read_sbin_symlinks(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/logging.te 2007-01-17 13:53:23.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/logging.te 2007-02-06 09:59:26.000000000 -0500
@@ -53,6 +53,7 @@
type var_log_t;
@@ -7840,7 +7949,25 @@
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
-@@ -326,6 +327,14 @@
+@@ -63,7 +64,7 @@
+ # Auditd local policy
+ #
+
+-allow auditctl_t self:capability { audit_write audit_control };
++allow auditctl_t self:capability { fsetsid audit_write audit_control };
+ allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+ libs_use_ld_so(auditctl_t)
+@@ -275,7 +276,7 @@
+ allow syslogd_t self:unix_dgram_socket sendto;
+ allow syslogd_t self:fifo_file rw_file_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
+-
++allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file create_file_perms;
+ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
+@@ -326,6 +327,15 @@
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
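Review bot: `fsetsid` in the new `allow auditctl_t self:capability { fsetsid audit_write audit_control };` line does not look like a permission of the `capability` class. The kernel capability is CAP_FSETID and its policy spelling is `fsetid`, so as written the rule would likely fail to compile rather than grant anything. If CAP_FSETID is what the denial reported, the line should read `allow auditctl_t self:capability { fsetid audit_write audit_control };`; the changelog entry carries the same spelling. The context comment says "Auditd local policy" while the rule is for auditctl_t, so it is worth confirming from the AVC behind FC6-227423 which domain actually needs the capability.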
@@ -7849,13 +7976,14 @@
+corenet_tcp_sendrecv_all_if(syslogd_t)
+corenet_tcp_sendrecv_all_nodes(syslogd_t)
+corenet_tcp_sendrecv_all_ports(syslogd_t)
++corenet_tcp_bind_all_nodes(syslogd_t)
+corenet_tcp_bind_rsh_port(syslogd_t)
+corenet_tcp_connect_rsh_port(syslogd_t)
+
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
-@@ -398,3 +407,8 @@
+@@ -398,3 +408,8 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
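Review bot: The added `corenet_tcp_bind_all_nodes(syslogd_t)` grants more than the changelog describes. Together with the existing `corenet_tcp_bind_rsh_port(syslogd_t)` it lets syslogd_t listen for inbound TCP, while the stated goal is only to tcp_connect to other syslog servers. Outbound forwarding normally needs `corenet_tcp_connect_rsh_port` and the sendrecv rules but no bind permission, so if receiving over TCP is intended (the nearby comment says syslog-ng can send or receive), the changelog should say so; otherwise the bind lines can be dropped. The use of the rsh port type is also unexplained; a comment such as `# syslog over TCP uses 514/tcp, which is labeled rsh_port_t` would tell the next reader why a logging daemon touches rsh_port_t.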
@@ -8145,7 +8273,7 @@
+/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-2.4.6/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/miscfiles.if 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/miscfiles.if 2007-02-05 16:36:56.000000000 -0500
@@ -138,6 +138,44 @@
########################################
@@ -10006,7 +10134,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-02-06 11:15:08.000000000 -0500
@@ -86,8 +86,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
@@ -10085,7 +10213,7 @@
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
-@@ -353,3 +375,10 @@
+@@ -353,3 +375,12 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
@@ -10096,6 +10224,8 @@
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+
++fs_read_dos_files(xend_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.6/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/Rules.modular 2007-01-16 11:11:26.000000000 -0500
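Review bot: `fs_read_dos_files(xend_t)` is added without a comment and applies on every architecture, although the changelog motivates it only by Xen on ia64. A line such as `# ia64: xend needs to read dosfs_t (bug #217362)` above the call would record why xend_t may read files on DOS-type filesystems. The rule is appended after the xm_t rules at the end of the file, next to the NFS rules for xend_t. The xend_t section itself starts outside this hunk, so whether it could sit beside the other xend_t filesystem rules cannot be judged from here.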
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.340
retrieving revision 1.341
diff -u -r1.340 -r1.341
--- selinux-policy.spec 1 Feb 2007 21:35:56 -0000 1.340
+++ selinux-policy.spec 6 Feb 2007 18:26:38 -0000 1.341
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 35%{?dist}
+Release: 36%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -356,6 +356,20 @@
%endif
%changelog
+* Mon Feb 5 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-36
+- Allow xen to work properly on ia64, needs to be able to read dosfs_t
+Resolves: #217362
+- Allow mozilla, evolution and thunderbird to read dev_random.
+Resolves: FC6-227002
+- Allow spamd to connect to smtp port
+Resolves: FC6-227184
+- Fixes to make ypxfr work
+Resolves: FC6-227237
+- Allow audit fsetsid capability
+Resolves: FC6-227423
+- Allow syslog (syslog-ng) to tcp_connect to other syslog servers
+Resolves: FC6-218978
+
* Fri Jan 26 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-35
- Fixes to make setrans work properly on MLS
Resolves: #224441