rpms/selinux-policy-targeted/devel .cvsignore, 1.100, 1.101 policy-20050404.patch, 1.2, 1.3 selinux-policy-targeted.spec, 1.265, 1.266 sources, 1.105, 1.106

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Apr 6 12:22:59 UTC 2005


Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv17784

Modified Files:
	.cvsignore policy-20050404.patch selinux-policy-targeted.spec 
	sources 
Log Message:
* Wed Apr 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.8-1
- Update from NSA
	* Added netlink_kobject_uevent_socket class.
	* Removed empty files pump.te and pump.fc.
	* Added NetworkManager policy from Dan Walsh.
	* Merged Dan Walsh's major restructuring of Apache's policy.



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/.cvsignore,v
retrieving revision 1.100
retrieving revision 1.101
diff -u -r1.100 -r1.101
--- .cvsignore	4 Apr 2005 15:43:56 -0000	1.100
+++ .cvsignore	6 Apr 2005 12:22:56 -0000	1.101
@@ -65,3 +65,4 @@
 policy-1.23.4.tgz
 policy-1.23.5.tgz
 policy-1.23.6.tgz
+policy-1.23.8.tgz

policy-20050404.patch:
 domains/program/unused/NetworkManager.te |   78 +++++++++++++++++++++++++++++++
 domains/program/unused/apache.te         |    6 ++
 domains/program/unused/hald.te           |    1 
 file_contexts/distros.fc                 |    4 +
 file_contexts/program/NetworkManager.fc  |    2 
 macros/base_user_macros.te               |   14 +----
 macros/program/apache_macros.te          |    2 
 macros/program/gift_macros.te            |    7 +-
 macros/program/java_macros.te            |   33 +------------
 macros/program/mozilla_macros.te         |    6 +-
 macros/program/mplayer_macros.te         |    6 +-
 macros/program/ssh_agent_macros.te       |    2 
 macros/program/ssh_macros.te             |   24 ---------
 macros/program/tvtime_macros.te          |    6 +-
 macros/program/x_client_macros.te        |   67 +++++++++++++-------------
 man/man8/httpd_selinux.8                 |   15 +++++
 targeted/domains/program/modutil.te      |   17 ------
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |   12 ++--
 19 files changed, 177 insertions(+), 127 deletions(-)

Index: policy-20050404.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050404.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050404.patch	4 Apr 2005 21:02:29 -0000	1.2
+++ policy-20050404.patch	6 Apr 2005 12:22:56 -0000	1.3
@@ -1,408 +1,34 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.6/domains/program/ifconfig.te
---- nsapolicy/domains/program/ifconfig.te	2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.6/domains/program/ifconfig.te	2005-04-04 10:44:54.000000000 -0400
-@@ -66,3 +66,4 @@
- rhgb_domain(ifconfig_t)
- allow ifconfig_t userdomain:fd use;
- dontaudit ifconfig_t root_t:file read;
-+r_dir_file(ifconfig_t, sysfs_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.6/domains/program/logrotate.te
---- nsapolicy/domains/program/logrotate.te	2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.6/domains/program/logrotate.te	2005-04-04 10:44:54.000000000 -0400
-@@ -141,5 +141,10 @@
- 
- domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
- 
-+# Supress libselinux initialization denials
- dontaudit logrotate_t selinux_config_t:dir search;
-+dontaudit logrotate_t selinux_config_t:file { read getattr };
- 
-+# Allow selinux_getenforce 
-+allow logrotate_t security_t:dir search;
-+allow logrotate_t security_t:file { getattr read };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.6/domains/program/unused/apache.te
---- nsapolicy/domains/program/unused/apache.te	2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.6/domains/program/unused/apache.te	2005-04-04 10:44:54.000000000 -0400
-@@ -28,6 +28,9 @@
- 
- bool httpd_unified false;
- 
-+# Allow httpd to use built in scripting (usually php)
-+bool httpd_builtin_scripting false;
-+
- # Allow httpd cgi support
- bool httpd_enable_cgi false;
- 
-@@ -86,54 +89,6 @@
- # for modules that want to access /etc/mtab and /proc/meminfo
- allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
- 
--# setup the system domain for system CGI scripts
--apache_domain(sys)
--
--# The following are types for SUEXEC,which runs user scripts as their
--# own user ID
--#
--daemon_sub_domain(httpd_t, httpd_suexec)
--allow httpd_t httpd_suexec_exec_t:file read;
--
--#########################################################
--# Permissions for running child processes and scripts
--##########################################################
--
--allow httpd_suexec_t self:capability { setuid setgid };
--
--dontaudit httpd_suexec_t var_run_t:dir search;
--allow httpd_suexec_t { var_t var_log_t }:dir search;
--allow httpd_suexec_t home_root_t:dir search;
--
--allow httpd_suexec_t httpd_log_t:dir search;
--allow httpd_suexec_t httpd_log_t:file { append getattr };
--allow httpd_suexec_t httpd_t:fifo_file getattr;
--allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
--
--allow httpd_suexec_t etc_t:file { getattr read };
--read_locale(httpd_suexec_t)
--read_sysctl(httpd_suexec_t)
--allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
--
--# for shell scripts
--allow httpd_suexec_t bin_t:dir search;
--allow httpd_suexec_t bin_t:lnk_file read;
--can_exec(httpd_suexec_t, { bin_t shell_exec_t })
--
--if (httpd_can_network_connect) {
--can_network(httpd_suexec_t)
--allow httpd_suexec_t port_type:tcp_socket name_connect;
--}
--
--can_ypbind(httpd_suexec_t)
--allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
--
--ifdef(`mta.te', `
--# apache should set close-on-exec
--dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
--dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
--')
--
- uses_shlib(httpd_t)
- allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
- allow httpd_t usr_t:lnk_file { getattr read };
-@@ -149,15 +104,24 @@
- can_exec(httpd_t, { bin_t sbin_t })
- allow httpd_t bin_t:lnk_file read;
- 
--can_network(httpd_t)
-+########################################
-+# Set up networking
-+########################################
-+
-+can_network_server(httpd_t)
-+can_kerberos(httpd_t)
-+can_resolve(httpd_t)
-+can_ypbind(httpd_t)
-+allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-+
- if (httpd_can_network_connect) {
-+can_network_client(httpd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.8/domains/program/unused/apache.te
+--- nsapolicy/domains/program/unused/apache.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/domains/program/unused/apache.te	2005-04-06 07:32:56.000000000 -0400
+@@ -119,6 +119,12 @@
  allow httpd_t port_type:tcp_socket name_connect;
  }
--can_ypbind(httpd_t)
- 
--###################
--# Allow httpd to search users diretories
--######################
-+#########################################
-+# Allow httpd to search users directories
-+#########################################
- allow httpd_t home_root_t:dir { getattr search };
- dontaudit httpd_t sysadm_home_dir_t:dir getattr;
- 
-@@ -171,7 +135,6 @@
- # Allow the httpd_t to read the web servers config files
- ###################################################
- r_dir_file(httpd_t, httpd_config_t)
--dontaudit httpd_sys_script_t httpd_config_t:dir search;
- # allow logrotate to read the config files for restart
- ifdef(`logrotate.te', `
- r_dir_file(logrotate_t, httpd_config_t)
-@@ -181,11 +144,6 @@
- r_dir_file(initrc_t, httpd_config_t)
- ##################################################
- 
--########################################
--# Allow httpd_t to bind to the HTTP port
--########################################
--allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
--
- ###############################
- # Allow httpd_t to put files in /var/cache/httpd etc
- ##############################
-@@ -217,13 +175,14 @@
- allow httpd_t etc_t:file { read getattr ioctl };
- allow httpd_t etc_t:lnk_file { getattr read };
- 
-+# setup the system domain for system CGI scripts
-+apache_domain(sys)
-+dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+
- # Run SSI execs in system CGI script domain.
- if (httpd_ssi_exec) {
- domain_auto_trans(httpd_t, shell_exec_t, httpd_sys_script_t)
- }
--r_dir_file(httpd_t, httpd_sys_script_ro_t)
--create_dir_file(httpd_t, httpd_sys_script_rw_t)
--ra_dir_file(httpd_t, httpd_sys_script_ra_t)
- allow httpd_sys_script_t httpd_t:tcp_socket { read write };
- 
- ##################################################
-@@ -250,7 +209,6 @@
- # access to /tmp
- tmp_domain(httpd)
- tmp_domain(httpd_php)
--tmp_domain(httpd_suexec)
- 
- # Creation of lock files for apache2
- lock_domain(httpd)
-@@ -269,11 +227,11 @@
- allow httpd_t bin_t:dir search;
- allow httpd_t sbin_t:dir search;
- allow httpd_t httpd_log_t:dir remove_name;
-+r_dir_file(httpd_t, fonts_t)
- 
- allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
- 
- allow httpd_t autofs_t:dir { search getattr };
--allow httpd_suexec_t autofs_t:dir { search getattr };
- 
- if (use_nfs_home_dirs && httpd_enable_homedirs) {
- httpd_home_dirs(nfs_t)
-@@ -281,23 +239,12 @@
- if (use_samba_home_dirs && httpd_enable_homedirs) {
- httpd_home_dirs(cifs_t)
- }
--r_dir_file(httpd_t, fonts_t)
- 
- #
- # Allow users to mount additional directories as http_source
- #
- allow httpd_t mnt_t:dir r_dir_perms;
- 
--########################################
--# When the admin starts the server, the server wants to acess
--# the TTY or PTY associated with the session. The httpd appears
--# to run correctly without this permission, so the permission
--# are dontaudited here. 
--##################################################
--dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
--
--can_kerberos(httpd_t)
--
- ifdef(`targeted_policy', `
- typealias httpd_sys_content_t alias httpd_user_content_t;
- typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
-@@ -308,6 +255,9 @@
- }
- ') dnl targeted policy
- 
-+# We no longer call httpd_domain(sysadm), but need httpd_sysadm_content_t for file context
-+typealias httpd_sys_content_t alias httpd_sysadm_content_t;
-+
- ifdef(`distro_redhat', `
- #
- # mod_jk2 creates /var/log/httpd/jk2.shm to communicate with tomcat
-@@ -327,33 +277,27 @@
- dontaudit httpd_t usr_t:dir write;
- ')
- 
--type httpd_squirrelmail_t, file_type, sysadmfile;
--create_dir_file(httpd_t, httpd_squirrelmail_t)
--allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
--# File Type of squirrelmail attachments
--type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
--allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
--create_dir_file(httpd_t, squirrelmail_spool_t)
--r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
--
--ifdef(`mta.te', `
--dontaudit system_mail_t httpd_log_t:file { append getattr };
--allow system_mail_t httpd_squirrelmail_t:file { append read };
--dontaudit system_mail_t httpd_t:tcp_socket { read write };
--')
--
- application_domain(httpd_helper)
- role system_r types httpd_helper_t;
- domain_auto_trans(httpd_t, httpd_helper_exec_t, httpd_helper_t)
- allow httpd_helper_t httpd_config_t:file { getattr read };
- allow httpd_helper_t httpd_log_t:file { append };
- 
-+########################################
-+# When the admin starts the server, the server wants to acess
-+# the TTY or PTY associated with the session. The httpd appears
-+# to run correctly without this permission, so the permission
-+# are dontaudited here. 
-+##################################################
-+
- if (httpd_tty_comm) {
- allow { httpd_t httpd_helper_t } devpts_t:dir { search };
- ifdef(`targeted_policy', `
- allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
- ')
- allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
-+} else {
-+dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
- }
- 
- read_sysctl(httpd_sys_script_t)
-@@ -368,6 +312,64 @@
- type httpd_unconfined_script_t, domain, nscd_client_domain;
- role system_r types httpd_unconfined_script_t;
- unconfined_domain(httpd_unconfined_script_t)
-+
-+# The following are types for SUEXEC,which runs user scripts as their
-+# own user ID
-+#
-+daemon_sub_domain(httpd_t, httpd_suexec)
-+allow httpd_t httpd_suexec_exec_t:file read;
-+
-+#########################################################
-+# Permissions for running child processes and scripts
-+##########################################################
-+
-+allow httpd_suexec_t self:capability { setuid setgid };
-+
-+dontaudit httpd_suexec_t var_run_t:dir search;
-+allow httpd_suexec_t { var_t var_log_t }:dir search;
-+allow httpd_suexec_t home_root_t:dir search;
-+
-+allow httpd_suexec_t httpd_log_t:dir search;
-+allow httpd_suexec_t httpd_log_t:file { append getattr };
-+allow httpd_suexec_t httpd_t:fifo_file getattr;
-+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow httpd_suexec_t etc_t:file { getattr read };
-+read_locale(httpd_suexec_t)
-+read_sysctl(httpd_suexec_t)
-+allow httpd_suexec_t urandom_device_t:chr_file { getattr read };
-+
-+# for shell scripts
-+allow httpd_suexec_t bin_t:dir search;
-+allow httpd_suexec_t bin_t:lnk_file read;
-+can_exec(httpd_suexec_t, { bin_t shell_exec_t })
-+
-+if (httpd_can_network_connect) {
-+can_network(httpd_suexec_t)
-+allow httpd_suexec_t port_type:tcp_socket name_connect;
-+}
-+
-+can_ypbind(httpd_suexec_t)
-+allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
-+
-+allow httpd_suexec_t autofs_t:dir { search getattr };
-+tmp_domain(httpd_suexec)
-+
-+ifdef(`mta.te', `
-+# apache should set close-on-exec
-+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-+')
-+
-+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-+domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
-+domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
-+}
-+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-+domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
-+create_dir_file(httpd_t, httpdcontent)
-+can_exec(httpd_t, httpdcontent )
-+}
- if (httpd_enable_cgi) {
- domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
- domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-@@ -375,3 +377,21 @@
- allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
- }
  
-+#
-+# Types for squirrelmail
-+#
-+type httpd_squirrelmail_t, file_type, sysadmfile;
-+create_dir_file(httpd_t, httpd_squirrelmail_t)
-+allow httpd_sys_script_t httpd_squirrelmail_t:file { append read };
-+# File Type of squirrelmail attachments
-+type squirrelmail_spool_t, file_type, sysadmfile, tmpfile;
-+allow { httpd_t httpd_sys_script_t } var_spool_t:dir { getattr search };
-+create_dir_file(httpd_t, squirrelmail_spool_t)
-+r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
-+
-+ifdef(`mta.te', `
-+dontaudit system_mail_t httpd_log_t:file { append getattr };
-+allow system_mail_t httpd_squirrelmail_t:file { append read };
-+dontaudit system_mail_t httpd_t:tcp_socket { read write };
-+')
++##########################################
++# Legacy: remove when it's fixed         #
++# Allow libphp5.so with text relocations #
++##########################################
++allow httpd_t texrel_shlib_t:file execmod;
 +
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.6/domains/program/unused/dhcpc.te
---- nsapolicy/domains/program/unused/dhcpc.te	2005-03-24 08:58:26.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/dhcpc.te	2005-04-04 10:44:54.000000000 -0400
-@@ -44,6 +44,8 @@
- domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
- allow cardmgr_t dhcpc_var_run_t:file { getattr read };
- allow cardmgr_t dhcpc_t:process signal_perms;
-+allow cardmgr_t dhcpc_var_run_t:file unlink;
-+allow dhcpc_t cardmgr_dev_t:chr_file { read write };
- ')
- ifdef(`hotplug.te', `
- domain_auto_trans(hotplug_t, dhcpc_exec_t, dhcpc_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.6/domains/program/unused/hald.te
---- nsapolicy/domains/program/unused/hald.te	2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.6/domains/program/unused/hald.te	2005-04-04 10:44:54.000000000 -0400
-@@ -43,6 +43,9 @@
- allow hald_t event_device_t:chr_file { getattr read ioctl };
- allow hald_t printer_device_t:chr_file rw_file_perms;
- allow hald_t urandom_device_t:chr_file read;
-+allow hald_t mouse_device_t:chr_file r_file_perms;
-+
-+can_getsecurity(hald_t)
- 
- ifdef(`updfstab.te', `
- domain_auto_trans(hald_t, updfstab_exec_t, updfstab_t)
-@@ -73,3 +76,20 @@
- tmp_domain(hald)
- allow hald_t mnt_t:dir search;
- r_dir_file(hald_t, proc_net_t)
-+
-+
-+# For /usr/libxexc/hald-addon-acpi - writes to /var/run/acpid.socket
-+ifdef(`apmd.te', `
-+allow hald_t apmd_var_run_t:sock_file write;
-+allow hald_t apmd_t:unix_stream_socket connectto;
-+')
-+
-+# For /usr/sbin/dmidecode
-+# Violates assertion
-+#allow hald_t memory_device_t:chr_file read;
-+allow hald_t self:capability sys_rawio;
-+
-+# ??
-+ifdef(`lvm.te', `
-+allow hald_t lvm_control_t:chr_file r_file_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.6/domains/program/unused/kudzu.te
---- nsapolicy/domains/program/unused/kudzu.te	2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/kudzu.te	2005-04-04 10:44:54.000000000 -0400
-@@ -100,3 +100,8 @@
- allow kudzu_t xserver_exec_t:file getattr;
- ')
- 
-+ifdef(`userhelper.te', `
-+role system_r types sysadm_userhelper_t;
-+domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.6/domains/program/unused/NetworkManager.te
+ #########################################
+ # Allow httpd to search users directories
+ #########################################
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.8/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/domains/program/unused/hald.te	2005-04-06 07:31:54.000000000 -0400
+@@ -31,7 +31,6 @@
+ allow hald_t usr_t:file { getattr read };
+ 
+ allow hald_t bin_t:file getattr;
+-allow hald_t self:netlink_socket create_socket_perms;
+ allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+ allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.8/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/NetworkManager.te	2005-04-04 10:44:54.000000000 -0400
-@@ -0,0 +1,76 @@
++++ policy-1.23.8/domains/program/unused/NetworkManager.te	2005-04-06 07:31:54.000000000 -0400
+@@ -0,0 +1,78 @@
 +#DESC NetworkManager - 
 +#
 +# Authors: Dan Walsh <dwalsh at redhat.com>
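Review bot: The new `allow httpd_t texrel_shlib_t:file execmod;` in the apache.te part of this hunk is unconditional, so every httpd instance gets permission to execute text-relocated (writable-then-executable) mappings of any texrel_shlib_t library, not only the libphp5.so case the comment names, and the "Legacy: remove when it's fixed" comment carries nothing a maintainer can later search for. Consider gating it the way this policy already gates optional capabilities, e.g. `if (httpd_builtin_scripting) {` / `allow httpd_t texrel_shlib_t:file execmod;` / `}` — that boolean appears in the earlier revision of this patch and is presumably upstream in 1.23.8 now, but confirm it exists before relying on it — and extend the comment to `# Legacy: remove when <bug id placeholder> is fixed` so the rule has a removal trigger. Note that the distros.fc change labelling `/usr/lib/php/modules/.*\.so` as texrel_shlib_t lives in the following hunk, which is what makes the set of libraries this rule covers wider than libphp5.so alone. The NetworkManager.te addition that begins at the end of this hunk continues past the hunk boundary.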
@@ -472,348 +98,473 @@
 +allow NetworkManager_t { etc_t etc_runtime_t }:file { getattr read };
 +allow NetworkManager_t proc_t:file { getattr read };
 +
-+allow NetworkManager_t domain:dir search;
-+allow NetworkManager_t domain:file { getattr read };
++allow NetworkManager_t { domain -unrestricted }:dir search;
++allow NetworkManager_t { domain -unrestricted }:file { getattr read };
++dontaudit NetworkManager_t unrestricted:dir search;
++dontaudit NetworkManager_t unrestricted:file { getattr read };
 +
 +allow NetworkManager_t howl_t:process signal;
 +allow NetworkManager_t initrc_var_run_t:file { getattr read };
 +
 +domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.6/domains/program/unused/ntpd.te
---- nsapolicy/domains/program/unused/ntpd.te	2005-03-24 08:58:27.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/ntpd.te	2005-04-04 10:44:54.000000000 -0400
-@@ -41,7 +41,7 @@
- 
- # Use the network.
- can_network(ntpd_t)
--allow ntpd_t port_type:tcp_socket name_connect;
-+allow ntpd_t ntp_port_t:tcp_socket name_connect;
- can_ypbind(ntpd_t)
- allow ntpd_t ntp_port_t:udp_socket name_bind;
- allow ntpd_t self:unix_dgram_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pam.te policy-1.23.6/domains/program/unused/pam.te
---- nsapolicy/domains/program/unused/pam.te	2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/pam.te	2005-04-04 10:44:54.000000000 -0400
-@@ -37,4 +37,4 @@
- 
- allow initrc_t pam_var_run_t:dir rw_dir_perms;
- allow initrc_t pam_var_run_t:file { getattr read unlink };
--dontaudit pam_t initrc_var_run_t:file { read write };
-+dontaudit pam_t initrc_var_run_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.23.6/domains/program/unused/postgresql.te
---- nsapolicy/domains/program/unused/postgresql.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/domains/program/unused/postgresql.te	2005-04-04 10:44:54.000000000 -0400
-@@ -124,11 +124,15 @@
- 
- ifdef(`distro_gentoo', `
- # "su - postgres ..." is called from initrc_t
--allow initrc_su_t postgresql_db_t:dir { search };
--allow postgresql_t initrc_su_t:process { sigchld };
-+allow initrc_su_t postgresql_db_t:dir search;
-+allow postgresql_t initrc_su_t:process sigchld;
- dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
- ')
- 
- dontaudit postgresql_t home_root_t:dir search;
- can_kerberos(postgresql_t)
- allow postgresql_t urandom_device_t:chr_file { getattr read };
-+
-+if (allow_execmem) {
-+allow postgresql_t self:process execmem;
-+}
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.6/domains/program/unused/publicfile.te
---- nsapolicy/domains/program/unused/publicfile.te	2005-03-15 12:54:54.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/publicfile.te	2005-04-04 10:46:35.000000000 -0400
-@@ -12,11 +12,6 @@
- type ftp_data_port_t, port_type, reserved_port_type;
- ')
- 
--ifdef(`apache.te', `
--', `
--type http_port_t, port_type, reserved_port_type;
--')
--
- daemon_domain(publicfile)
- type publicfile_content_t, file_type, sysadmfile;
- domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.6/domains/program/unused/snmpd.te
---- nsapolicy/domains/program/unused/snmpd.te	2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.6/domains/program/unused/snmpd.te	2005-04-04 10:44:54.000000000 -0400
-@@ -45,7 +45,9 @@
- allow snmpd_t proc_t:dir search;
- allow snmpd_t proc_t:file r_file_perms;
- allow snmpd_t self:file { getattr read };
--allow snmpd_t self:fifo_file { read write };
-+allow snmpd_t self:fifo_file rw_file_perms;
-+allow snmpd_t { bin_t sbin_t }:dir search;
-+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
- 
- ifdef(`distro_redhat', `
- ifdef(`rpm.te', `
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.6/file_contexts/distros.fc
---- nsapolicy/file_contexts/distros.fc	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/file_contexts/distros.fc	2005-04-04 10:44:54.000000000 -0400
-@@ -141,6 +141,10 @@
- # Jai, Sun Microsystems (Jpackage SPRM)
- /usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
- /usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t
-+/usr/lib/libdivxencore.so.0			-- system_u:object_r:texrel_shlib_t
-+
-+# Java, Sun Microsystems (JPackage SRPM)
-+/usr/.*/jre/lib/i386/libdeploy.so		-- system_u:object_r:texrel_shlib_t
- 
- /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
- /usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.6/file_contexts/program/NetworkManager.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.8/file_contexts/distros.fc
+--- nsapolicy/file_contexts/distros.fc	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/file_contexts/distros.fc	2005-04-06 07:32:56.000000000 -0400
+@@ -69,7 +69,7 @@
+ # Some of them should be fixed and removed from this list
+ 
+ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
+-# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs
++# 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
+ /usr/lib/gstreamer-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t
+ /usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
+ /usr/lib/gstreamer-.*/libgstmms\.so 	 -- system_u:object_r:texrel_shlib_t
+@@ -123,6 +123,8 @@
+ /usr/lib/ladspa/se4_1883\.so			-- system_u:object_r:texrel_shlib_t
+ /usr/lib/libImlib2\.so.* 			-- system_u:object_r:texrel_shlib_t
+ /usr/lib/ocaml/stublibs/dllnums\.so		-- system_u:object_r:texrel_shlib_t
++/usr/lib/httpd/modules/libphp5\.so		-- system_u:object_r:texrel_shlib_t
++/usr/lib/php/modules/.*\.so			-- system_u:object_r:texrel_shlib_t
+ 
+ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+ /usr/lib/xmms/Input/libmpg123\.so		-- system_u:object_r:texrel_shlib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/NetworkManager.fc policy-1.23.8/file_contexts/program/NetworkManager.fc
 --- nsapolicy/file_contexts/program/NetworkManager.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.6/file_contexts/program/NetworkManager.fc	2005-04-04 10:44:54.000000000 -0400
++++ policy-1.23.8/file_contexts/program/NetworkManager.fc	2005-04-06 07:31:54.000000000 -0400
 @@ -0,0 +1,2 @@
 +# NetworkManager 
 +/usr/bin/NetworkManager	--	system_u:object_r:NetworkManager_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.6/macros/program/apache_macros.te
---- nsapolicy/macros/program/apache_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/macros/program/apache_macros.te	2005-04-04 16:52:31.000000000 -0400
-@@ -4,14 +4,11 @@
- #This type is for webpages
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.8/macros/base_user_macros.te
+--- nsapolicy/macros/base_user_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/macros/base_user_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -282,6 +280,9 @@
  #
- type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
--ifelse($1, sys, `
--typealias httpd_sys_content_t alias httpd_sysadm_content_t;
--')
--ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;') 
- 
- # This type is used for .htaccess files
- #
--type httpd_$1_htaccess_t, file_type, sysadmfile;
-+type httpd_$1_htaccess_t, file_type, sysadmfile, customizable;
-+allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
- 
- # This type is used for executable scripts files
- #
-@@ -68,13 +65,6 @@
- type httpd_$1_script_ra_t, file_type, httpdcontent, sysadmfile, customizable;
- file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t)
- 
--ifdef(`slocate.te', `
--ifelse($1, `sys', `', `
--allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search };
--allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read };
--')dnl end ifelse
--')dnl end slocate.te
--
- #########################################################
- # Permissions for running child processes and scripts
- ##########################################################
-@@ -117,20 +107,9 @@
- ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
- 
- if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
--ifelse($1, sys, `
--domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
--domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
--domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
--create_dir_file(httpd_t, httpdcontent)
--can_exec(httpd_t, httpdcontent )
--', `
--can_exec(httpd_$1_script_t, httpdcontent )
--domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
--')
- create_dir_file(httpd_$1_script_t, httpdcontent)
- }
+ dontaudit $1_t usr_t:file setattr;
  
--ifelse($1, sys, `
- #
- # If a user starts a script by hand it gets the proper context
- #
-@@ -138,7 +117,38 @@
- domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
- }
- role sysadm_r types httpd_$1_script_t;
--', `
-+
-+dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
-+dontaudit httpd_$1_script_t sysctl_t:dir search;
-+
-+############################################
-+# Allow scripts to append to http logs
-+#########################################
-+allow httpd_$1_script_t httpd_log_t:file { getattr append };
-+
-+# apache should set close-on-exec
-+dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-+
-+################################################################
-+# Allow the web server to run scripts and serve pages
-+##############################################################
-+if (httpd_builtin_scripting) {
-+r_dir_file(httpd_t, httpd_$1_script_ro_t)
-+create_dir_file(httpd_t, httpd_$1_script_rw_t)
-+ra_dir_file(httpd_t, httpd_$1_script_ra_t)
-+}
-+r_dir_file(httpd_t, httpd_$1_content_t)
-+
-+')
-+define(`apache_user_domain', `
-+
-+apache_domain($1)
++# Use X
++x_client_domain($1, $1)
 +
-+typeattribute httpd_$1_content_t $1_file_type;
-+
-+if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
-+domain_auto_trans($1_t, httpdcontent, httpd_$1_script_t)
-+}
- 
- if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
- # If a user starts a script by hand it gets the proper context
-@@ -151,11 +161,7 @@
- #########################################
- 
- create_dir_file($1_t, { httpd_$1_content_t httpd_$1_script_exec_t })
--create_dir_file($1_crond_t, httpd_$1_content_t)
- allow $1_t { httpd_$1_content_t httpd_$1_script_exec_t }:{ dir file lnk_file } { relabelto relabelfrom };
--ifdef(`mozilla.te', `
--r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
--')
+ ifdef(`xserver.te', `
+ # for /tmp/.ICE-unix
+ file_type_auto_trans($1_t, xdm_xserver_tmp_t, $1_tmp_t, sock_file)
+@@ -291,13 +292,7 @@
+ ifdef(`xdm.te', `
+ # Connect to the X server run by the X Display Manager.
+ can_unix_connect($1_t, xdm_t)
+-allow $1_t xdm_tmp_t:sock_file rw_file_perms;
+-allow $1_t xdm_tmp_t:dir r_dir_perms;
+-allow $1_t xdm_tmp_t:file { getattr read };
+-allow $1_t xdm_xserver_tmp_t:sock_file { read write };
+-allow $1_t xdm_xserver_tmp_t:dir search;
+-allow $1_t xdm_xserver_t:unix_stream_socket connectto;
+-# certain apps want to read xdm.pid file
++# certain apps want to read xdm.pid file 
+ r_dir_file($1_t, xdm_var_run_t)
+ allow $1_t xdm_var_lib_t:file { getattr read };
+ allow xdm_t $1_home_dir_t:dir getattr;
+@@ -305,9 +300,6 @@
+ file_type_auto_trans(xdm_t, $1_home_dir_t, $1_xauth_home_t, file)
+ ')
  
- ######################################################################
- # Allow the user to create htaccess files
-@@ -178,26 +184,8 @@
- r_dir_file(httpd_$1_script_t, nfs_t)
- ')dnl end if nfs_home_dirs
- }
--')dnl end ifelse sys
--
--dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
--dontaudit httpd_$1_script_t sysctl_t:dir search;
+-# for shared memory
+-allow xdm_xserver_t $1_tmpfs_t:file { read write };
 -
--################################################################
--# Allow the web server to run scripts and serve pages
--##############################################################
+ ')dnl end ifdef xdm.te
+ 
+ # Access the sound device.
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.8/macros/program/apache_macros.te
+--- nsapolicy/macros/program/apache_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/macros/program/apache_macros.te	2005-04-06 07:31:54.000000000 -0400
+@@ -136,8 +136,8 @@
+ r_dir_file(httpd_t, httpd_$1_script_ro_t)
+ create_dir_file(httpd_t, httpd_$1_script_rw_t)
+ ra_dir_file(httpd_t, httpd_$1_script_ra_t)
 -r_dir_file(httpd_t, httpd_$1_content_t)
--
--allow httpd_t httpd_$1_htaccess_t: file r_file_perms;
--
--r_dir_file(httpd_t, httpd_$1_script_rw_t)
--
--############################################
--# Allow scripts to append to http logs
--#########################################
--allow httpd_$1_script_t httpd_log_t:file { getattr append };
--
--# apache should set close-on-exec
--dontaudit  httpd_$1_script_t httpd_t:unix_stream_socket { read write };
-+ifdef(`crond.te', `
-+create_dir_file($1_crond_t, httpd_$1_content_t)
-+')
+ }
++r_dir_file(httpd_t, httpd_$1_content_t)
  
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.6/macros/program/gift_macros.te
---- nsapolicy/macros/program/gift_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/macros/program/gift_macros.te	2005-04-04 10:44:54.000000000 -0400
-@@ -90,6 +90,13 @@
- uses_shlib($1_giftd_t)
- access_terminal($1_giftd_t, $1)
- 
-+# Read /proc/meminfo
-+allow $1_giftd_t proc_t:dir search;
-+allow $1_giftd_t proc_t:file read;
-+
-+# Read /etc/mtab
-+allow $1_giftd_t etc_runtime_t:file { getattr read };
-+
- # Access home domain
- home_domain_access($1_giftd_t, $1, gift)
- 	
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.6/macros/program/java_macros.te
---- nsapolicy/macros/program/java_macros.te	2005-03-24 08:58:29.000000000 -0500
-+++ policy-1.23.6/macros/program/java_macros.te	2005-04-04 10:44:54.000000000 -0400
-@@ -31,7 +31,7 @@
- can_network_client($1_javaplugin_t)
+ define(`apache_user_domain', `
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.8/macros/program/gift_macros.te
+--- nsapolicy/macros/program/gift_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/macros/program/gift_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -18,7 +18,7 @@
+ role $1_r types $1_gift_t;
+ 
+ # X access, Home files 
+-x_client_domain($1, gift)
++x_client_domain($1_gift, $1)
+ home_domain($1, gift)
+ 
+ uses_shlib($1_gift_t)
+@@ -26,12 +26,15 @@
+ read_sysctl($1_gift_t)
+ access_terminal($1_gift_t, $1)
+ 
++# Allow the user domain to signal/ps.
++can_ps($1_t, $1_gift_t)
++allow $1_t $1_gift_t:process signal_perms;
++
+ # Self permissions
+ allow $1_gift_t self:process getsched;
+ 
+ # Fonts, icons
+ r_dir_file($1_gift_t, usr_t)
+-r_dir_file($1_gift_t, fonts_t)
+ 
+ # Launch gift daemon
+ allow $1_gift_t bin_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.8/macros/program/java_macros.te
+--- nsapolicy/macros/program/java_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/macros/program/java_macros.te	2005-04-06 07:37:13.000000000 -0400
+@@ -32,7 +32,6 @@
  allow $1_javaplugin_t port_type:tcp_socket name_connect;
  can_ypbind($1_javaplugin_t)
--allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
-+allow $1_javaplugin_t self:process { execmem fork signal_perms getsched setsched };
- allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $1_javaplugin_t self:process { fork signal_perms getsched setsched };
+-allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow $1_javaplugin_t self:fifo_file rw_file_perms;
  allow $1_javaplugin_t etc_runtime_t:file { getattr read };
-@@ -42,6 +42,7 @@
- allow $1_javaplugin_t self:file { getattr read };
+ allow $1_javaplugin_t fs_t:filesystem getattr;
+@@ -58,36 +57,9 @@
+ if (allow_execmem) {
+ allow $1_javaplugin_t self:process execmem;
+ }
+-# Allow connections to X server.
+-ifdef(`xserver.te', `
  
- read_sysctl($1_javaplugin_t)
-+allow $1_javaplugin_t sysctl_vm_t:dir search;
+-ifdef(`xdm.te', `
+-# for when /tmp/.X11-unix is created by the system
+-allow $1_javaplugin_t xdm_xserver_tmp_t:dir search;
+-allow $1_javaplugin_t xdm_t:fifo_file rw_file_perms;
+-allow $1_javaplugin_t xdm_tmp_t:dir search;
+-allow $1_javaplugin_t xdm_tmp_t:sock_file write;
+-')
+-
+-ifdef(`startx.te', `
+-# for when /tmp/.X11-unix is created by the X server
+-allow $1_javaplugin_t $2_xserver_tmp_t:dir search;
+-
+-# for /tmp/.X0-lock
+-allow $1_javaplugin_t $2_xserver_tmp_t:file getattr;
+-
+-allow $1_javaplugin_t $2_xserver_tmp_t:sock_file rw_file_perms;
+-can_unix_connect($1_javaplugin_t, $2_xserver_t)
+-')dnl end startx
+-
+-can_unix_connect($1_javaplugin_t, xdm_xserver_t)
+-allow xdm_xserver_t $1_javaplugin_t:fd use;
+-allow xdm_xserver_t $1_javaplugin_t:shm { associate getattr read unix_read };
+-dontaudit xdm_xserver_t $1_javaplugin_t:shm { unix_write write };
+-
+-')dnl end xserver
+-
+-allow $1_javaplugin_t self:shm create_shm_perms;
++# Connect to X server
++x_client_domain($1_javaplugin, $2) 
+ 
+ uses_shlib($1_javaplugin_t)
+ read_locale($1_javaplugin_t)
+@@ -121,4 +93,5 @@
  
- tmp_domain($1_javaplugin)
- r_dir_file($1_javaplugin_t,{ fonts_t usr_t etc_t })
-@@ -50,6 +51,11 @@
- allow $1_javaplugin_t bin_t:dir search;
- can_exec($1_javaplugin_t, java_exec_t)
- 
-+# libdeploy.so legacy
-+if (allow_execmod) {
-+allow $1_javaplugin_t texrel_shlib_t:file execmod;
+ # Do not audit read/getattr of .fonts-cache-1
+ dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
++
+ ')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.8/macros/program/mozilla_macros.te
+--- nsapolicy/macros/program/mozilla_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/macros/program/mozilla_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -26,7 +26,7 @@
+ 
+ # X access, Home files
+ home_domain($1, mozilla)
+-x_client_domain($1, mozilla)
++x_client_domain($1_mozilla, $1)
+ 
+ # Browse files
+ file_browse_domain($1_mozilla_t)
+@@ -43,6 +43,10 @@
+ allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
+ allow $1_mozilla_t $1_t:process signull;
+ 
++# Allow the user domain to signal/ps.
++can_ps($1_t, $1_mozilla_t)
++allow $1_t $1_mozilla_t:process signal_perms;
++
+ # Fork, set resource limits and scheduling info.
+ allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.8/macros/program/mplayer_macros.te
+--- nsapolicy/macros/program/mplayer_macros.te	2005-03-21 22:32:19.000000000 -0500
++++ policy-1.23.8/macros/program/mplayer_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -15,6 +15,10 @@
+ # Read global config
+ r_dir_file($1_$2_t, mplayer_etc_t)
+ 
++# Allow the user domain to signal/ps.
++can_ps($1_t, $1_$2_t)
++allow $1_t $1_$2_t:process signal_perms;
++
+ # Read data in /usr/share (fonts, icons..)
+ r_dir_file($1_$2_t, usr_t)
+ 
+@@ -72,7 +76,7 @@
+ 
+ # Home access, X access, Browse files
+ home_domain($1, mplayer)
+-x_client_domain($1, mplayer)
++x_client_domain($1_mplayer, $1)
+ file_browse_domain($1_mplayer_t)
+ 
+ # Mplayer common stuff
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.8/macros/program/ssh_agent_macros.te
+--- nsapolicy/macros/program/ssh_agent_macros.te	2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.8/macros/program/ssh_agent_macros.te	2005-04-06 07:32:40.000000000 -0400
+@@ -63,7 +63,7 @@
+ allow $1_ssh_agent_t self:capability setgid;
+ 
+ # access the random devices
+-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
++allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ 
+ # for ssh-add
+ can_unix_connect($1_t, $1_ssh_agent_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.8/macros/program/ssh_macros.te
+--- nsapolicy/macros/program/ssh_macros.te	2005-04-04 10:21:11.000000000 -0400
++++ policy-1.23.8/macros/program/ssh_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -129,18 +129,8 @@
+ # allow ps to show ssh
+ can_ps($1_t, $1_ssh_t)
+ 
+-ifdef(`xserver.te', `
+-# Communicate with the X server.
+-ifdef(`startx.te', `
+-can_unix_connect($1_ssh_t, $1_xserver_t)
+-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
+-allow $1_ssh_t $1_xserver_tmp_t:dir search;
+-')dnl end if startx
+-ifdef(`xdm.te', `
+-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
+-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
+-')
+-')dnl end if xserver
++# Connect to X server
++x_client_domain($1_ssh, $1)
+ 
+ ifdef(`ssh-agent.te', `
+ ssh_agent_domain($1)
+@@ -167,16 +157,6 @@
+ allow $1_ssh_keysign_t self:file { getattr read };
+ allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+ 
+-ifdef(`xdm.te', `
+-# should be able to remove these two later
+-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
+-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
+-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
+-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
+-allow $1_ssh_t xdm_xserver_t:fd use;
+-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
+-allow $1_ssh_t xdm_t:fd use;
+-')dnl end if xdm.te
+ ')dnl end macro definition
+ ', `
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.8/macros/program/tvtime_macros.te
+--- nsapolicy/macros/program/tvtime_macros.te	2005-04-04 10:21:11.000000000 -0400
++++ policy-1.23.8/macros/program/tvtime_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -26,13 +26,17 @@
+ 
+ # X access, Home files
+ home_domain($1, tvtime)
+-x_client_domain($1, tvtime)
++x_client_domain($1_tvtime, $1)
+ 
+ uses_shlib($1_tvtime_t)
+ read_locale($1_tvtime_t)
+ read_sysctl($1_tvtime_t)
+ access_terminal($1_tvtime_t, $1)
+ 
++# Allow the user domain to signal/ps.
++can_ps($1_t, $1_tvtime_t)
++allow $1_t $1_tvtime_t:process signal_perms;
++
+ # Read /etc/tvtime
+ allow $1_tvtime_t etc_t:file { getattr read };
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.8/macros/program/x_client_macros.te
+--- nsapolicy/macros/program/x_client_macros.te	2005-04-04 10:21:11.000000000 -0400
++++ policy-1.23.8/macros/program/x_client_macros.te	2005-04-06 07:32:06.000000000 -0400
+@@ -1,5 +1,5 @@
+ #
+-# Macros for X client programs ($2 etc)
++# Macros for X client programs 
+ #
+ 
+ #
+@@ -8,6 +8,9 @@
+ # and Timothy Fraser 
+ #
+ 
++# Allows clients to write to the X server's shm 
++bool allow_write_xshm false;
++
+ define(`xsession_domain', `
+ 
+ # Connect to xserver
+@@ -23,73 +26,73 @@
+ # Signal Xserver
+ allow $1_t $2_xserver_t:process signal;
+ 
+-# Use file descriptors created by each other.
+-allow $1_t $2_xserver_t:fd use;
++# Xserver read/write client shm
+ allow $2_xserver_t $1_t:fd use;
+-
+-# Xserver read/write parent shm
+ allow $2_xserver_t $1_t:shm rw_shm_perms;
+ allow $2_xserver_t $1_tmpfs_t:file rw_file_perms;
+ 
+-# Parent read xserver shm
++# Client read xserver shm
++allow $1_t $2_xserver_t:fd use;
+ allow $1_t $2_xserver_t:shm r_shm_perms;
+ allow $1_t $2_xserver_tmpfs_t:file r_file_perms;
++
++# Client write xserver shm
++if (allow_write_xshm) {
++allow $1_t $2_xserver_t:shm rw_shm_perms;
++allow $1_t $2_xserver_tmpfs_t:file rw_file_perms;
 +}
 +
- # Allow connections to X server.
- ifdef(`xserver.te', `
+ ')
  
-@@ -111,4 +117,6 @@
- dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
- dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
+ #
+-# x_client_domain(user, app)
++# x_client_domain(client, role)
+ #
+-# Defines common X access rules for the user_app_t domain
++# Defines common X access rules for the client domain
+ #
+ define(`x_client_domain',`
  
-+# Do not audit read/getattr of .fonts-cache-1
-+dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
+-allow $1_$2_t self:unix_dgram_socket create_socket_perms;
+-allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
++# Create socket to communicate with X server
++allow $1_t self:unix_dgram_socket create_socket_perms;
++allow $1_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ 
++# Read .Xauthority file
+ ifdef(`xauth.te',`
+-allow $1_$2_t $1_xauth_home_t:file { getattr read };
++allow $1_t home_root_t:dir { search getattr };
++allow $1_t $2_xauth_home_t:file { getattr read };
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.6/macros/program/mozilla_macros.te
---- nsapolicy/macros/program/mozilla_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/macros/program/mozilla_macros.te	2005-04-04 10:44:54.000000000 -0400
-@@ -55,6 +55,7 @@
- 
- # for bash - old mozilla binary
- can_exec($1_mozilla_t, mozilla_exec_t)
-+can_exec($1_mozilla_t, shell_exec_t)
- can_exec($1_mozilla_t, bin_t)
- allow $1_mozilla_t bin_t:lnk_file read;
- allow $1_mozilla_t device_t:dir r_dir_perms;
-@@ -155,6 +156,11 @@
- allow $1_mozilla_t texrel_shlib_t:file execmod;
- }
- dbusd_client(system, $1_mozilla)
-+ifdef(`apache.te', `
-+ifelse($1, sysadm, `', `
-+r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-+')
-+')
  
- ')dnl end mozilla macro
+-# Allow the user domain to send any signal to the $2 process.
+-can_ps($1_t, $1_$2_t)
+-allow $1_t $1_$2_t:process signal_perms;
+-
+ # for .xsession-errors
+-dontaudit $1_$2_t $1_home_t:file write;
++dontaudit $1_t $2_home_t:file write;
+ 
+ # for X over a ssh tunnel
+ ifdef(`ssh.te', `
+-can_tcp_connect($1_$2_t, sshd_t)
++can_tcp_connect($1_t, sshd_t)
+ ')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_agent_macros.te policy-1.23.6/macros/program/ssh_agent_macros.te
---- nsapolicy/macros/program/ssh_agent_macros.te	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.6/macros/program/ssh_agent_macros.te	2005-04-04 10:44:54.000000000 -0400
-@@ -49,6 +49,7 @@
- allow $1_ssh_agent_t proc_t:dir search;
- dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
- dontaudit $1_ssh_agent_t selinux_config_t:dir search;
-+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
- read_sysctl($1_ssh_agent_t)
- 
- # Access the ssh temporary files. Should we have an own type here
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.6/macros/user_macros.te
---- nsapolicy/macros/user_macros.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/macros/user_macros.te	2005-04-04 10:44:54.000000000 -0400
-@@ -44,7 +44,9 @@
- # user domain and the program, and allow us to maintain separation
- # between different instances of the program being run by different
- # user domains.
--ifdef(`apache.te', `apache_domain($1)')
-+ifelse($1, sysadm, `',`
-+ifdef(`apache.te', `apache_user_domain($1)')
-+')
- ifdef(`slocate.te', `locate_domain($1)')
- ifdef(`lockdev.te', `lockdev_domain($1)')
+-# Read the home directory, e.g. for .Xauthority and to get to config files
+-allow $1_$2_t home_root_t:dir { search getattr };
+-
+ # Use a separate type for tmpfs/shm pseudo files.
+-tmpfs_domain($1_$2)
+-
+-allow $1_$2_t self:shm create_shm_perms;
++tmpfs_domain($1)
++allow $1_t self:shm create_shm_perms;
+ 
+ # allow X client to read all font files
+-r_dir_file($1_$2_t, fonts_t)
++r_dir_file($1_t, fonts_t)
+ 
+ # Allow connections to X server.
+ ifdef(`xserver.te', `
+-allow $1_$2_t tmp_t:dir search;
++allow $1_t tmp_t:dir search;
+ 
+ ifdef(`xdm.te', `
+-xsession_domain($1_$2, xdm)
++xsession_domain($1, xdm)
+ 
+ # for when /tmp/.X11-unix is created by the system
+-allow $1_$2_t xdm_t:fifo_file rw_file_perms;
+-allow $1_$2_t xdm_tmp_t:dir search;
+-allow $1_$2_t xdm_tmp_t:sock_file { read write };
+-allow $1_$2_t xdm_t:fd use;
+-dontaudit $1_$2_t xdm_t:tcp_socket { read write };
++allow $1_t xdm_t:fifo_file rw_file_perms;
++allow $1_t xdm_tmp_t:dir search;
++allow $1_t xdm_tmp_t:sock_file { read write };
++allow $1_t xdm_t:fd use;
++dontaudit $1_t xdm_t:tcp_socket { read write };
+ ')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.6/tunables/distro.tun
+ ifdef(`startx.te', `
+-xsession_domain($1_$2, $1)
++xsession_domain($1, $2)
+ ')dnl end startx
+ 
+ ')dnl end xserver
+diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.8/man/man8/httpd_selinux.8
+--- nsapolicy/man/man8/httpd_selinux.8	2005-03-24 08:58:29.000000000 -0500
++++ policy-1.23.8/man/man8/httpd_selinux.8	2005-04-06 07:31:54.000000000 -0400
+@@ -75,6 +75,21 @@
+ setsebool -P httpd_unified 0
+ 
+ .TP
++httpd can be configured to turn off internal scripting (PHP).  PHP and other
++loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
++.br
++
++setsebool -P httpd_builtin_scripting 0
++
++.TP
++httpd scripts by default are not allowed to connect out to the network.
++This would prevent a hacker from breaking into you httpd server and attacking 
++other machines.  If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
++.br
++
++setsebool -P httpd_can_network_connect 1
++
++.TP
+ You can disable SELinux protection for the httpd daemon by executing:
+ .br
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/modutil.te policy-1.23.8/targeted/domains/program/modutil.te
+--- nsapolicy/targeted/domains/program/modutil.te	2005-02-24 14:51:10.000000000 -0500
++++ policy-1.23.8/targeted/domains/program/modutil.te	1969-12-31 19:00:00.000000000 -0500
+@@ -1,17 +0,0 @@
+-#DESC Modutil - Dynamic module utilities
+-#
+-# Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
+-# X-Debian-Packages: modutils
+-#
+-
+-#################################
+-#
+-# Rules for the module utility domains.
+-#
+-type modules_dep_t, file_type, sysadmfile;
+-type modules_conf_t, file_type, sysadmfile;
+-type modules_object_t, file_type, sysadmfile;
+-type depmod_exec_t, file_type, exec_type, sysadmfile;
+-type insmod_exec_t, file_type, exec_type, sysadmfile;
+-type update_modules_exec_t, file_type, exec_type, sysadmfile;
+-
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.8/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.6/tunables/distro.tun	2005-04-04 10:44:54.000000000 -0400
++++ policy-1.23.8/tunables/distro.tun	2005-04-06 07:31:54.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -823,9 +574,9 @@
  
  dnl define(`distro_suse')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.6/tunables/tunable.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.8/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.6/tunables/tunable.tun	2005-04-04 10:44:54.000000000 -0400
++++ policy-1.23.8/tunables/tunable.tun	2005-04-06 07:31:54.000000000 -0400
 @@ -1,27 +1,27 @@
  # Allow users to execute the mount command
 -dnl define(`user_can_mount')
@@ -860,15 +611,3 @@
  
  # Allow xinetd to run unconfined, including any services it starts
  # that do not have a domain transition explicitly defined.
-diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.6/types/network.te
---- nsapolicy/types/network.te	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.6/types/network.te	2005-04-04 10:44:54.000000000 -0400
-@@ -27,7 +27,7 @@
- type dhcpd_port_t, port_type, reserved_port_type;
- type smbd_port_t, port_type, reserved_port_type;
- type nmbd_port_t, port_type, reserved_port_type;
--type http_cache_port_t, port_type;
-+type http_cache_port_t, port_type, reserved_port_type;
- type http_port_t, port_type, reserved_port_type;
- 
- ifdef(`cyrus.te', `define(`use_pop')')


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.265
retrieving revision 1.266
diff -u -r1.265 -r1.266
--- selinux-policy-targeted.spec	4 Apr 2005 21:02:29 -0000	1.265
+++ selinux-policy-targeted.spec	6 Apr 2005 12:22:56 -0000	1.266
@@ -8,8 +8,8 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.23.6
-Release: 3
+Version: 1.23.8
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -49,7 +49,7 @@
 mv domains/misc/*.te domains/misc/unused
 mv domains/program/*.te domains/program/unused/
 rm domains/*.te
-for i in amanda.te apache.te chkpwd.te cups.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te winbind.te ypbind.te ypserv.te zebra.te; do
+for i in amanda.te apache.te chkpwd.te cups.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te winbind.te ypbind.te ypserv.te zebra.te; do
 mv domains/program/unused/$i domains/program/ 
 done 
 rm -rf domains/program/unused 
@@ -60,6 +60,8 @@
 echo "define(\`distro_redhat')"  >> tunables/tunable.tun
 echo "define(\`unlimitedInetd')"  >> tunables/tunable.tun
 echo "define(\`unlimitedRC')"  >> tunables/tunable.tun
+echo "define(\`unlimitedUtils')"  >> tunables/tunable.tun
+
 make policy
 
 %install
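Review bot: The added `echo "define(\`unlimitedUtils')"  >> tunables/tunable.tun` changes which domains the shipped targeted policy confines, yet neither a comment in the spec nor the 1.23.8-1 changelog entry in this commit records it; the only nearby hint is the Apr 5 `add NetworkManager and modutils` entry. If the tunable has the meaning its name and the upstream tunable.tun comment suggest (privileged utility domains such as the module-loading ones run unconfined), that is a deliberate relaxation that anyone auditing the package needs to see stated. Suggest a comment above the line, `# unlimitedUtils: let the privileged utility domains (modutils etc.) run unconfined in the targeted policy`, and a matching changelog line such as `- Define unlimitedUtils in tunable.tun`. The build script this hunk sits in starts before the hunk.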
@@ -229,6 +231,16 @@
 exit 0
 
 %changelog
+* Wed Apr 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.8-1
+- Update from NSA
+	* Added netlink_kobject_uevent_socket class.
+	* Removed empty files pump.te and pump.fc.
+	* Added NetworkManager policy from Dan Walsh.
+	* Merged Dan Walsh's major restructuring of Apache's policy.
+
+* Tue Apr 5 2005 Dan Walsh <dwalsh at redhat.com> 1.23.6-4
+- add NetworkManager and modutils
+
 * Mon Apr 4 2005 Dan Walsh <dwalsh at redhat.com> 1.23.6-3
 - Allow httpd to read content without builtin scripting turned on
 - Remove policy.18


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/sources,v
retrieving revision 1.105
retrieving revision 1.106
diff -u -r1.105 -r1.106
--- sources	4 Apr 2005 15:43:56 -0000	1.105
+++ sources	6 Apr 2005 12:22:56 -0000	1.106
@@ -1,2 +1 @@
-9e7d6f81f6687803940fd5a559d10bb1  policy-1.23.5.tgz
-12f7a9283adfb166a8b20f8b531938b0  policy-1.23.6.tgz
+8db219297b8b02e69930c43075157d07  policy-1.23.8.tgz



