rpms/selinux-policy-targeted/devel policy-20050404.patch, 1.11, 1.12 selinux-policy-targeted.spec, 1.274, 1.275
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Apr 13 21:23:01 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv358
Modified Files:
policy-20050404.patch selinux-policy-targeted.spec
Log Message:
* Wed Apr 12 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-6
- Add auditd policy to targeted
- Fix auditd policy
policy-20050404.patch:
Makefile | 6 +-
appconfig/default_type | 1
assert.te | 4 -
attrib.te | 14 +++++
domains/admin.te | 23 +++++----
domains/misc/kernel.te | 2
domains/program/checkpolicy.te | 5 -
domains/program/crond.te | 4 +
domains/program/cvs.te | 16 ++++++
domains/program/initrc.te | 3 -
domains/program/load_policy.te | 5 +
domains/program/login.te | 3 -
domains/program/modutil.te | 3 -
domains/program/newrole.te | 1
domains/program/restorecon.te | 3 -
domains/program/setfiles.te | 3 -
domains/program/ssh.te | 2
domains/program/syslogd.te | 5 +
domains/program/unused/NetworkManager.te | 15 +++++
domains/program/unused/apache.te | 1
domains/program/unused/auditd.te | 24 +++++++++
domains/program/unused/cups.te | 12 +---
domains/program/unused/dmidecode.te | 1
domains/program/unused/ftpd.te | 3 -
domains/program/unused/howl.te | 2
domains/program/unused/kudzu.te | 1
domains/program/unused/named.te | 3 +
domains/program/unused/publicfile.te | 6 --
domains/program/unused/rsync.te | 2
domains/program/unused/snmpd.te | 3 +
domains/program/unused/updfstab.te | 1
domains/program/unused/xdm.te | 2
domains/program/useradd.te | 4 +
domains/program/uucpd.te | 24 +++++++++
domains/user.te | 2
file_contexts/distros.fc | 10 ++-
file_contexts/program/apache.fc | 1
file_contexts/program/auditd.fc | 5 +
file_contexts/program/compat.fc | 55 +++++++++++++++++++++
file_contexts/program/crack.fc | 1
file_contexts/program/cvs.fc | 2
file_contexts/program/ftpd.fc | 1
file_contexts/program/i18n_input.fc | 1
file_contexts/program/lvm.fc | 1
file_contexts/program/named.fc | 1
file_contexts/program/rsync.fc | 1
file_contexts/program/uucpd.fc | 5 +
file_contexts/types.fc | 6 ++
macros/admin_macros.te | 75 ++++++++++++++++++-----------
macros/base_user_macros.te | 9 ---
macros/program/apache_macros.te | 2
macros/program/dbusd_macros.te | 4 +
macros/program/gift_macros.te | 2
macros/program/mozilla_macros.te | 5 +
macros/program/mplayer_macros.te | 10 ++-
macros/user_macros.te | 78 +++++++++++++++++++++----------
net_contexts | 10 +++
targeted/domains/program/compat.te | 9 +++
targeted/domains/unconfined.te | 8 +--
tunables/distro.tun | 2
tunables/tunable.tun | 6 +-
types/file.te | 3 -
types/network.te | 9 +--
types/security.te | 8 +--
users | 2
65 files changed, 393 insertions(+), 148 deletions(-)
Index: policy-20050404.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050404.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20050404.patch 13 Apr 2005 02:32:24 -0000 1.11
+++ policy-20050404.patch 13 Apr 2005 21:22:57 -0000 1.12
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/appconfig/default_type policy-1.23.10/appconfig/default_type
--- nsapolicy/appconfig/default_type 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.10/appconfig/default_type 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/appconfig/default_type 2005-04-13 14:11:21.000000000 -0400
@@ -1,3 +1,4 @@
+secadm_r:secadm_t
sysadm_r:sysadm_t
@@ -8,7 +8,7 @@
user_r:user_t
diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.10/assert.te
--- nsapolicy/assert.te 2005-03-24 08:58:24.000000000 -0500
-+++ policy-1.23.10/assert.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/assert.te 2005-04-13 14:11:21.000000000 -0400
@@ -30,7 +30,7 @@
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
@@ -29,7 +29,7 @@
# Verify that only the kernel and load_policy_t have load_policy.
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.10/attrib.te
--- nsapolicy/attrib.te 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.10/attrib.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/attrib.te 2005-04-13 14:11:21.000000000 -0400
@@ -110,6 +110,10 @@
# and an allow rule to permit it
attribute privmodule;
@@ -46,8 +46,8 @@
attribute admin;
+# The secadmin attribute identifies every security administrator domain.
-+# It is used in TE assertions when verifying that only administrator
-+# domains have certain permissions.
++# It is used in TE assertions when verifying that only administrator
++# domains have certain permissions.
+# This attribute is presently associated with sysadm_t and secadm_t
+attribute secadmin;
+
@@ -67,7 +67,7 @@
# applied to all user domains.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.23.10/domains/admin.te
--- nsapolicy/domains/admin.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/domains/admin.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/admin.te 2005-04-13 14:11:21.000000000 -0400
@@ -17,19 +17,22 @@
# sysadm_t is also granted permissions specific to administrator domains.
admin_domain(sysadm)
@@ -103,7 +103,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.10/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/domains/misc/kernel.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/misc/kernel.te 2005-04-13 14:11:21.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
@@ -115,7 +115,7 @@
general_proc_read_access(kernel_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/checkpolicy.te policy-1.23.10/domains/program/checkpolicy.te
--- nsapolicy/domains/program/checkpolicy.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.10/domains/program/checkpolicy.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/checkpolicy.te 2005-04-13 14:11:21.000000000 -0400
@@ -12,6 +12,7 @@
type checkpolicy_t, domain;
role sysadm_r types checkpolicy_t;
@@ -144,8 +144,17 @@
# so it can be used without privilege to write real binary policy file
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.10/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-03-21 22:32:18.000000000 -0500
-+++ policy-1.23.10/domains/program/crond.te 2005-04-12 09:53:46.000000000 -0400
-@@ -210,6 +210,6 @@
++++ policy-1.23.10/domains/program/crond.te 2005-04-13 16:03:46.000000000 -0400
+@@ -88,6 +88,8 @@
+
+ system_crond_entry(rpm_exec_t, rpm_t)
+ allow system_crond_t rpm_log_t:file create_file_perms;
++#read ahead wants to read this
++allow initrc_t system_cron_spool_t:file { getattr read };
+ ')
+ ')
+
+@@ -210,6 +212,6 @@
# Required for webalizer
#
ifdef(`apache.te', `
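Review bot: The new `allow initrc_t system_cron_spool_t:file { getattr read };` appears to sit inside the same nested conditional that wraps the rpm-specific crond rules (it is followed by two closing `')` lines, and the block opens above the hunk), so it is compiled only when those conditions hold, while the comment says readahead needs it in general. It is an initrc_t rule living in crond.te because system_cron_spool_t is declared there, so the dependency it actually has is on crond.te being built, not on the rpm block; move it below the closing `')` lines or into the readahead section of initrc.te. If the spool directory itself is labelled system_cron_spool_t, readahead will also need `dir { getattr search read }` to walk it, which this rule does not grant. The comment should name the actor and the reason, e.g. `# readahead runs in initrc_t and prefetches the system cron spool at boot`.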
@@ -155,7 +164,7 @@
dontaudit crond_t self:capability sys_tty_config;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/cvs.te policy-1.23.10/domains/program/cvs.te
--- nsapolicy/domains/program/cvs.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.10/domains/program/cvs.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/cvs.te 2005-04-13 14:11:21.000000000 -0400
@@ -0,0 +1,16 @@
+#DESC cvs - Concurrent Versions System
+#
@@ -173,9 +182,31 @@
+inetd_child_domain(cvs, tcp)
+type cvs_data_t, file_type, sysadmfile;
+create_dir_file(cvs_t, cvs_data_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.10/domains/program/initrc.te
+--- nsapolicy/domains/program/initrc.te 2005-03-24 08:58:25.000000000 -0500
++++ policy-1.23.10/domains/program/initrc.te 2005-04-13 16:02:40.000000000 -0400
+@@ -195,10 +195,8 @@
+ allow initrc_t tmpfs_t:chr_file rw_file_perms;
+ allow initrc_t tmpfs_t:dir r_dir_perms;
+
+-ifdef(`distro_redhat', `
+ # Allow initrc domain to set the enforcing flag.
+ can_setenforce(initrc_t)
+-')
+
+ #
+ # readahead asks for these
+@@ -209,6 +207,7 @@
+ # for /halt /.autofsck and other flag files
+ file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
+
++file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
+ ')dnl end distro_redhat
+
+ allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.23.10/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/domains/program/load_policy.te 2005-04-12 17:33:09.000000000 -0400
++++ policy-1.23.10/domains/program/load_policy.te 2005-04-13 14:11:21.000000000 -0400
@@ -11,6 +11,7 @@
type load_policy_t, domain;
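Review bot: Removing the `ifdef(`distro_redhat'` guard around `can_setenforce(initrc_t)` makes every build allow any script running in initrc_t to switch the system to permissive, and the surviving comment `# Allow initrc domain to set the enforcing flag.` still does not say which init script needs it or why it is no longer Red Hat specific; record that, e.g. `# Allow initrc to set the enforcing flag (needed by the init script that reads /etc/selinux/config at boot; not distro specific)` if that is the case, since a compromised init script is the obvious abuse of this permission. The new `file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)` labels every block device node initrc_t creates under /dev as a fixed disk with no note on which tool creates them — presumably device-mapper or multipath, given the lvm.fc change in the same commit — so a one-line comment naming the creator would help whoever later narrows it. The `')dnl end distro_redhat` that closes the second hunk belongs to an ifdef opened outside the hunk, so the setenforce rule is now outside that block while the new auto_trans is inside it; confirm that split is intended.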
@@ -203,7 +234,7 @@
+allow load_policy_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.10/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/domains/program/login.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/login.te 2005-04-13 14:11:21.000000000 -0400
@@ -57,6 +57,7 @@
tmp_domain($1_login)
@@ -223,7 +254,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.10/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.10/domains/program/modutil.te 2005-04-12 10:19:54.000000000 -0400
++++ policy-1.23.10/domains/program/modutil.te 2005-04-13 14:11:21.000000000 -0400
@@ -54,6 +54,7 @@
# Read module objects.
allow depmod_t modules_object_t:dir r_dir_perms;
@@ -243,7 +274,7 @@
role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.23.10/domains/program/newrole.te
--- nsapolicy/domains/program/newrole.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.10/domains/program/newrole.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/newrole.te 2005-04-13 14:11:21.000000000 -0400
@@ -17,3 +17,4 @@
allow newrole_t var_run_t:dir r_dir_perms;
allow newrole_t initrc_var_run_t:file rw_file_perms;
@@ -251,7 +282,7 @@
+role secadm_r types newrole_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.10/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/domains/program/restorecon.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/restorecon.te 2005-04-13 14:11:21.000000000 -0400
@@ -17,11 +17,12 @@
role system_r types restorecon_t;
@@ -268,7 +299,7 @@
uses_shlib(restorecon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.23.10/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.10/domains/program/setfiles.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/setfiles.te 2005-04-13 14:11:21.000000000 -0400
@@ -17,13 +17,14 @@
role system_r types setfiles_t;
@@ -287,7 +318,7 @@
uses_shlib(setfiles_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.10/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/domains/program/ssh.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/ssh.te 2005-04-13 14:11:21.000000000 -0400
@@ -71,7 +71,7 @@
can_network($1_t)
allow $1_t port_type:tcp_socket name_connect;
@@ -297,9 +328,31 @@
allow $1_t { home_root_t home_dir_type }:dir { search getattr };
if (use_nfs_home_dirs) {
allow $1_t autofs_t:dir { search getattr };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.10/domains/program/syslogd.te
+--- nsapolicy/domains/program/syslogd.te 2005-04-04 10:21:10.000000000 -0400
++++ policy-1.23.10/domains/program/syslogd.te 2005-04-13 17:09:09.000000000 -0400
+@@ -20,7 +20,7 @@
+ ')
+
+ # can_network is for the UDP socket
+-can_network_udp(syslogd_t)
++can_network(syslogd_t)
+ can_ypbind(syslogd_t)
+
+ r_dir_file(syslogd_t, sysfs_t)
+@@ -89,7 +89,8 @@
+
+ # Allow name_bind for remote logging
+ type syslogd_port_t, port_type, reserved_port_type;
+-allow syslogd_t syslogd_port_t:udp_socket name_bind;
++allow syslogd_t syslogd_port_t:{ tcp_socket udp_socket } name_bind;
++allow syslogd_t syslogd_port_t:tcp_socket name_connect;
+ #
+ # /initrd is not umounted before minilog starts
+ #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.10/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/apache.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/apache.te 2005-04-13 14:11:21.000000000 -0400
@@ -401,3 +401,4 @@
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
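Review bot: The comment `# can_network is for the UDP socket` is now misleading, because the rule below it changed from `can_network_udp(syslogd_t)` to `can_network(syslogd_t)`, which also grants TCP, and `# Allow name_bind for remote logging` no longer describes the added `name_connect`. Suggested wording: `# can_network: UDP for local/remote syslog, TCP for daemons that forward or receive logs over TCP` and `# Allow name_bind and name_connect on the syslog port for remote logging over both TCP and UDP`. Note that `tcp_socket name_connect` lets the daemon open outbound connections to syslogd_port_t, which is a forwarding capability rather than a listening one; if only inbound TCP is needed, the name_connect line can be dropped. The syslogd_t domain's remaining rules are outside this hunk.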
@@ -307,16 +360,45 @@
+allow httpd_t var_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.10/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.10/domains/program/unused/auditd.te 2005-04-12 09:53:46.000000000 -0400
-@@ -9,4 +9,4 @@
++++ policy-1.23.10/domains/program/unused/auditd.te 2005-04-13 17:06:26.000000000 -0400
+@@ -2,11 +2,33 @@
+ #
+ # Authors: Colin Walters <walters at verbum.org>
+ #
++define(`audit_manager_domain', `
++allow $1 auditd_etc_t:file rw_file_perms;
++create_dir_file($1, auditd_log_t)
++')
++
++type auditd_etc_t, file_type, secure_file_type;
+
+ daemon_domain(auditd)
++
+ allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+ allow auditd_t self:capability { audit_write audit_control };
allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t etc_t:file { getattr read };
-log_domain(auditd)
-+logdir_domain(auditd)
++
++# Don't use logdir_domain since this is a security file
++type auditd_log_t, file_type, secure_file_type;
++file_type_auto_trans(auditd_t, var_log_t, auditd_log_t, file)
++allow auditd_t auditd_log_t:dir { setattr rw_dir_perms };
++
++can_exec(auditd_t, init_exec_t)
++allow auditd_t auditd_etc_t:file r_file_perms;
++
++audit_manager_domain(secadm_t)
++
++ifdef(`separate_secadm', `', `
++audit_manager_domain(sysadm_t)
++')
++can_exec(auditd_t, init_exec_t)
++allow auditd_t initctl_t:fifo_file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.10/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/cups.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/cups.te 2005-04-13 14:11:21.000000000 -0400
@@ -168,7 +168,11 @@
allow cupsd_t printconf_t:file { getattr read };
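Review bot: `create_dir_file($1, auditd_log_t)` in the new audit_manager_domain macro grants secadm_t (and sysadm_t unless separate_secadm is defined) create, write and unlink on the audit trail that the comment `# Don't use logdir_domain since this is a security file` deliberately keeps out of the generic log handling; if administrators only need to read the trail, `r_dir_file($1, auditd_log_t)` is the narrower grant, and if they are meant to rotate or delete it the macro should carry a comment saying so. `can_exec(auditd_t, init_exec_t)` appears twice in this hunk (once after the log rules and again just before the initctl line); drop one. The `allow auditd_t initctl_t:fifo_file write;` plus the init exec line let the daemon drive init, presumably for auditd's configured fail/halt action, and deserve a why-comment such as `# auditd may halt or reboot the system via init when it cannot record events`. `audit_manager_domain(secadm_t)` is unconditional while the sysadm_t call is guarded; confirm secadm_t is declared in the targeted build this commit enables auditd in, otherwise the policy will not compile there.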
@@ -353,7 +435,7 @@
-')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dmidecode.te policy-1.23.10/domains/program/unused/dmidecode.te
--- nsapolicy/domains/program/unused/dmidecode.te 2005-04-07 13:17:30.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/dmidecode.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/dmidecode.te 2005-04-13 14:11:21.000000000 -0400
@@ -8,6 +8,7 @@
# Allow execution by the sysadm
@@ -364,7 +446,7 @@
uses_shlib(dmidecode_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.23.10/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/ftpd.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/ftpd.te 2005-04-13 14:11:21.000000000 -0400
@@ -9,8 +9,6 @@
#
# Rules for the ftpd_t domain
@@ -384,7 +466,7 @@
create_dir_file(ftpd_t,ftpd_anon_rw_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.23.10/domains/program/unused/howl.te
--- nsapolicy/domains/program/unused/howl.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/domains/program/unused/howl.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/howl.te 2005-04-13 14:11:21.000000000 -0400
@@ -3,7 +3,7 @@
# Author: Russell Coker <rcoker at redhat.com>
#
@@ -396,7 +478,7 @@
can_ypbind(howl_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.10/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/kudzu.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/kudzu.te 2005-04-13 14:11:21.000000000 -0400
@@ -105,3 +105,4 @@
domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
')
@@ -404,7 +486,7 @@
+allow kudzu_t initrc_t:unix_stream_socket connectto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.10/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/named.te 2005-04-12 09:59:47.000000000 -0400
++++ policy-1.23.10/domains/program/unused/named.te 2005-04-13 14:11:21.000000000 -0400
@@ -15,6 +15,9 @@
daemon_domain(named, `, nscd_client_domain')
tmp_domain(named)
@@ -417,7 +499,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.10/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/NetworkManager.te 2005-04-12 22:23:49.000000000 -0400
++++ policy-1.23.10/domains/program/unused/NetworkManager.te 2005-04-13 16:13:41.000000000 -0400
@@ -11,7 +11,7 @@
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
@@ -462,9 +544,15 @@
allow NetworkManager_t { domain -unrestricted }:dir search;
allow NetworkManager_t { domain -unrestricted }:file { getattr read };
+@@ -76,3 +85,5 @@
+ allow NetworkManager_t initrc_var_run_t:file { getattr read };
+
+ domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
++allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/publicfile.te policy-1.23.10/domains/program/unused/publicfile.te
--- nsapolicy/domains/program/unused/publicfile.te 2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/publicfile.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/publicfile.te 2005-04-13 14:11:21.000000000 -0400
@@ -6,12 +6,6 @@
# this policy depends on ucspi-tcp
#
@@ -480,7 +568,7 @@
domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.23.10/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/domains/program/unused/rsync.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/rsync.te 2005-04-13 14:11:21.000000000 -0400
@@ -14,6 +14,4 @@
inetd_child_domain(rsync)
type rsync_data_t, file_type, sysadmfile;
@@ -490,7 +578,7 @@
-')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.10/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/snmpd.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/snmpd.te 2005-04-13 14:11:21.000000000 -0400
@@ -63,6 +63,9 @@
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
allow snmpd_t rpc_pipefs_t:dir getattr;
@@ -503,7 +591,7 @@
ifdef(`amanda.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.23.10/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.10/domains/program/unused/updfstab.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/updfstab.te 2005-04-13 14:11:21.000000000 -0400
@@ -72,3 +72,4 @@
dontaudit updfstab_t home_root_t:dir { getattr search };
dontaudit updfstab_t { home_dir_type home_type }:dir search;
@@ -511,7 +599,7 @@
+allow updfstab_t tmpfs_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.10/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.10/domains/program/unused/xdm.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/unused/xdm.te 2005-04-13 14:11:21.000000000 -0400
@@ -69,7 +69,7 @@
#
@@ -523,7 +611,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.23.10/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.10/domains/program/useradd.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/useradd.te 2005-04-13 14:11:21.000000000 -0400
@@ -98,3 +98,7 @@
allow groupadd_t self:process setrlimit;
allow groupadd_t initrc_var_run_t:file r_file_perms;
@@ -534,7 +622,7 @@
+allow useradd_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/uucpd.te policy-1.23.10/domains/program/uucpd.te
--- nsapolicy/domains/program/uucpd.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.10/domains/program/uucpd.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/program/uucpd.te 2005-04-13 14:11:21.000000000 -0400
@@ -0,0 +1,24 @@
+#DESC uucpd - UUCP file transfer daemon
+#
@@ -562,7 +650,7 @@
+create_dir_file(uucpd_t, uucpd_spool_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.10/domains/user.te
--- nsapolicy/domains/user.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/domains/user.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/domains/user.te 2005-04-13 14:11:21.000000000 -0400
@@ -126,6 +126,8 @@
role_tty_type_change(sysadm, user)
role_tty_type_change(staff, sysadm)
@@ -574,7 +662,7 @@
dontaudit unpriv_userdomain ptyfile:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.10/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/file_contexts/distros.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/distros.fc 2005-04-13 14:11:21.000000000 -0400
@@ -98,10 +98,12 @@
/usr/lib/valgrind/vgskin_massif\.so -- system_u:object_r:texrel_shlib_t
/usr/lib/valgrind/vgskin_memcheck\.so -- system_u:object_r:texrel_shlib_t
@@ -604,7 +692,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.10/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.10/file_contexts/program/apache.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/program/apache.fc 2005-04-13 14:11:21.000000000 -0400
@@ -1,6 +1,7 @@
# apache
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
@@ -615,15 +703,19 @@
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/auditd.fc policy-1.23.10/file_contexts/program/auditd.fc
--- nsapolicy/file_contexts/program/auditd.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/auditd.fc 2005-04-12 10:00:44.000000000 -0400
-@@ -1,3 +1,4 @@
++++ policy-1.23.10/file_contexts/program/auditd.fc 2005-04-13 14:11:21.000000000 -0400
+@@ -1,3 +1,8 @@
# auditd
++/sbin/auditctl -- system_u:object_r:auditd_exec_t
/sbin/auditd -- system_u:object_r:auditd_exec_t
/var/log/audit.log -- system_u:object_r:auditd_log_t
+/var/log/audit(/.*)? system_u:object_r:auditd_log_t
++/etc/auditd.conf -- system_u:object_r:auditd_etc_t
++/etc/audit.rules -- system_u:object_r:auditd_etc_t
++
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.10/file_contexts/program/compat.fc
--- nsapolicy/file_contexts/program/compat.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/compat.fc 2005-04-12 15:06:09.000000000 -0400
++++ policy-1.23.10/file_contexts/program/compat.fc 2005-04-13 14:11:21.000000000 -0400
@@ -0,0 +1,55 @@
+# setfiles
+/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
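Review bot: The two new auditd_etc_t entries leave the dot unescaped, so `/etc/auditd.conf` and `/etc/audit.rules` are regexes where `.` matches any character; write them as `/etc/auditd\.conf -- system_u:object_r:auditd_etc_t` and `/etc/audit\.rules -- system_u:object_r:auditd_etc_t`, the way `/etc/cron\.monthly/proftpd` is escaped elsewhere in this patch. Labelling `/sbin/auditctl` as auditd_exec_t means running it from an administrator shell goes through whatever transition daemon_domain defines for auditd_exec_t; if that lands in auditd_t, the daemon's `netlink_audit_socket nlmsg_write` is what lets rules be loaded and a comment should say that auditctl shares the daemon domain for that reason, and if there is no transition the admin domain needs its own audit netlink rules, which this commit does not show.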
@@ -682,7 +774,7 @@
+/sbin/kmodule -- system_u:object_r:kudzu_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/crack.fc policy-1.23.10/file_contexts/program/crack.fc
--- nsapolicy/file_contexts/program/crack.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/crack.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/program/crack.fc 2005-04-13 14:11:21.000000000 -0400
@@ -2,3 +2,4 @@
/usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
/var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
@@ -690,21 +782,40 @@
+/usr/share/cracklib(/.*)? system_u:object_r:crack_db_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cvs.fc policy-1.23.10/file_contexts/program/cvs.fc
--- nsapolicy/file_contexts/program/cvs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/cvs.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/program/cvs.fc 2005-04-13 14:11:21.000000000 -0400
@@ -0,0 +1,2 @@
+# cvs program
+/usr/bin/cvs -- system_u:object_r:cvs_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.23.10/file_contexts/program/ftpd.fc
--- nsapolicy/file_contexts/program/ftpd.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/ftpd.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/program/ftpd.fc 2005-04-13 14:11:21.000000000 -0400
@@ -13,3 +13,4 @@
/var/log/xferreport.* -- system_u:object_r:xferlog_t
/etc/cron\.monthly/proftpd -- system_u:object_r:ftpd_exec_t
/var/ftp(/.*)? system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.23.10/file_contexts/program/i18n_input.fc
+--- nsapolicy/file_contexts/program/i18n_input.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.10/file_contexts/program/i18n_input.fc 2005-04-13 14:11:21.000000000 -0400
+@@ -1,6 +1,7 @@
+ # i18n_input.fc
+ /usr/sbin/htt -- system_u:object_r:i18n_input_exec_t
+ /usr/sbin/htt_server -- system_u:object_r:i18n_input_exec_t
++/usr/sbin/iiimd -- system_u:object_r:i18n_input_exec_t
+ /usr/bin/httx -- system_u:object_r:i18n_input_exec_t
+ /usr/bin/htt_xbe -- system_u:object_r:i18n_input_exec_t
+ /usr/lib(64)?/im/.*\.so.* -- system_u:object_r:shlib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.10/file_contexts/program/lvm.fc
+--- nsapolicy/file_contexts/program/lvm.fc 2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.10/file_contexts/program/lvm.fc 2005-04-13 16:04:19.000000000 -0400
+@@ -65,3 +65,4 @@
+ /sbin/pvremove -- system_u:object_r:lvm_exec_t
+ /sbin/pvs -- system_u:object_r:lvm_exec_t
+ /sbin/vgs -- system_u:object_r:lvm_exec_t
++/sbin/multipathd -- system_u:object_r:lvm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.23.10/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc 2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.10/file_contexts/program/named.fc 2005-04-12 09:58:09.000000000 -0400
++++ policy-1.23.10/file_contexts/program/named.fc 2005-04-13 14:11:21.000000000 -0400
@@ -16,6 +16,7 @@
/etc/rndc.* -- system_u:object_r:named_conf_t
/etc/rndc.key -- system_u:object_r:dnssec_t
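Review bot: `/sbin/multipathd -- system_u:object_r:lvm_exec_t` puts a long-running daemon into lvm_t, the domain written for the LVM command-line tools, with no corresponding lvm.te change in this commit; whether lvm_t can create a pid file, listen on its control socket and manage device nodes as a daemon is not visible here, so either add those rules or at least note the choice in lvm.fc, e.g. `# multipathd shares the lvm domain for device-mapper access`. The i18n_input.fc `iiimd` entry is a plain executable label and needs nothing further.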
@@ -715,14 +826,14 @@
/var/run/bind(/.*)? system_u:object_r:named_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.23.10/file_contexts/program/rsync.fc
--- nsapolicy/file_contexts/program/rsync.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/rsync.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/program/rsync.fc 2005-04-13 14:11:21.000000000 -0400
@@ -1,2 +1,3 @@
# rsync program
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
+/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/uucpd.fc policy-1.23.10/file_contexts/program/uucpd.fc
--- nsapolicy/file_contexts/program/uucpd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.10/file_contexts/program/uucpd.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/program/uucpd.fc 2005-04-13 14:11:21.000000000 -0400
@@ -0,0 +1,5 @@
+# uucico program
+/usr/sbin/uucico -- system_u:object_r:uucpd_exec_t
@@ -731,7 +842,7 @@
+/var/log/uucp(/.*)? system_u:object_r:uucpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.10/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.10/file_contexts/types.fc 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/file_contexts/types.fc 2005-04-13 14:11:21.000000000 -0400
@@ -478,3 +478,9 @@
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
@@ -744,7 +855,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.23.10/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.10/macros/admin_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/admin_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -20,12 +20,12 @@
type $1_home_t, file_type, sysadmfile, home_type, $1_file_type;
@@ -865,7 +976,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.10/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/macros/base_user_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/base_user_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -103,16 +103,9 @@
# Bind to a Unix domain socket in /tmp.
allow $1_t $1_tmp_t:unix_stream_socket name_bind;
@@ -894,7 +1005,7 @@
allow $1_t cardmgr_var_run_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.10/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/macros/program/apache_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/program/apache_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -39,7 +39,7 @@
allow httpd_$1_script_t fs_t:filesystem getattr;
allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
@@ -906,7 +1017,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.23.10/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.10/macros/program/dbusd_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/program/dbusd_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -41,6 +41,10 @@
allow $1_dbusd_t self:file { getattr read };
allow $1_dbusd_t proc_t:file read;
@@ -920,7 +1031,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.10/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/macros/program/gift_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/program/gift_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -95,7 +95,7 @@
# Read /proc/meminfo
@@ -932,7 +1043,7 @@
allow $1_giftd_t etc_runtime_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.10/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/macros/program/mozilla_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/program/mozilla_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -31,7 +31,10 @@
# Browse files
file_browse_domain($1_mozilla_t)
@@ -947,7 +1058,7 @@
read_sysctl($1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.10/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te 2005-04-07 22:22:55.000000000 -0400
-+++ policy-1.23.10/macros/program/mplayer_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/program/mplayer_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -82,16 +82,18 @@
# Mplayer common stuff
mplayer_common($1, mplayer)
@@ -973,7 +1084,7 @@
# Legacy domain issues
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.10/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.10/macros/user_macros.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/macros/user_macros.te 2005-04-13 14:11:21.000000000 -0400
@@ -23,12 +23,6 @@
tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
@@ -1093,7 +1204,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.10/Makefile
--- nsapolicy/Makefile 2005-04-04 10:21:10.000000000 -0400
-+++ policy-1.23.10/Makefile 2005-04-12 11:07:50.000000000 -0400
++++ policy-1.23.10/Makefile 2005-04-13 14:11:21.000000000 -0400
@@ -163,7 +163,7 @@
@echo "Validating file contexts files ..."
$(SETFILES) -q -c $(POLICYVER) $(FC)
@@ -1124,7 +1235,7 @@
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.10/net_contexts
--- nsapolicy/net_contexts 2005-04-06 06:57:43.000000000 -0400
-+++ policy-1.23.10/net_contexts 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/net_contexts 2005-04-13 17:09:28.000000000 -0400
@@ -38,10 +38,8 @@
portcon udp 892 system_u:object_r:inetd_child_port_t
portcon tcp 2105 system_u:object_r:inetd_child_port_t
@@ -1136,7 +1247,15 @@
ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
-@@ -121,6 +119,13 @@
+@@ -101,6 +99,7 @@
+ ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
+ ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
+ ifdef(`syslogd.te', `
++portcon tcp 514 system_u:object_r:syslogd_port_t
+ portcon udp 514 system_u:object_r:syslogd_port_t
+ ')
+ ifdef(`ktalkd.te', `
+@@ -121,6 +120,13 @@
portcon tcp 4444 system_u:object_r:kerberos_master_port_t
portcon udp 4444 system_u:object_r:kerberos_master_port_t
ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
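Review bot: The added `portcon tcp 514 system_u:object_r:syslogd_port_t` collides with the `portcon tcp 514 system_u:object_r:rsh_port_t` that the context two lines above emits under `ifdef(`rshd.te'`, and the targeted build enables both rshd.te and syslogd.te (see the spec's module list later in this commit), so both statements reach checkpolicy. Depending on the checkpolicy version this is either rejected as a duplicate/overlapping portcon or resolved by first match, which here leaves tcp/514 labelled rsh_port_t and makes the new syslogd line a no-op; either way the intent (syslog over TCP) is not reliably expressed. One way to make it deterministic is to emit the syslogd label only when rshd is absent, `ifdef(`rshd.te', `', `portcon tcp 514 system_u:object_r:syslogd_port_t')`, with a one-line comment saying the port is shared with rsh. The inner net_contexts hunk continues outside this outer hunk.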
@@ -1152,7 +1271,7 @@
portcon udp 873 system_u:object_r:rsync_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.10/targeted/domains/program/compat.te
--- nsapolicy/targeted/domains/program/compat.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.10/targeted/domains/program/compat.te 2005-04-12 15:05:57.000000000 -0400
++++ policy-1.23.10/targeted/domains/program/compat.te 2005-04-13 14:11:21.000000000 -0400
@@ -0,0 +1,9 @@
+typealias sbin_t alias setfiles_exec_t;
+typealias bin_t alias mount_exec_t;
@@ -1165,15 +1284,17 @@
+typealias sbin_t alias kudzu_exec_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.10/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.10/targeted/domains/unconfined.te 2005-04-12 10:04:41.000000000 -0400
-@@ -16,10 +16,8 @@
++++ policy-1.23.10/targeted/domains/unconfined.te 2005-04-13 15:16:17.000000000 -0400
+@@ -15,11 +15,9 @@
+ # Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
typealias bin_t alias su_exec_t;
- typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t sysadm_t rpm_t rpm_script_t xdm_t };
+-typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t sysadm_t rpm_t rpm_script_t xdm_t };
-define(`admin_tty_type', `{ tty_device_t devpts_t }')
-
-#type of rundir to communicate with dbus
-type system_dbusd_var_run_t, file_type, sysadmfile;
++typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+typeattribute tty_device_t admin_tty_type;
+typeattribute devpts_t admin_tty_type;
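Review bot: The reworked alias line `typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };` folds secadm_t into unconfined_t without saying why, and the inner `# Define some type aliases to help with compatibility` header only explains the general purpose. Since the same commit adds auditd policy, secadm_t is presumably the strict-policy security-administration domain that the new auditd rules reference; under targeted every rule granting secadm_t access then applies to all unconfined processes, which matches the targeted model but should be stated so the next reader does not assume audit administration is separated here. I'd add, above the alias line, `# secadm_t (strict security-admin domain, presumably referenced by auditd.te) collapses into unconfined_t under targeted.` and confirm the reference against auditd.te, which is outside this hunk. The inner unconfined.te hunk also ends outside this outer hunk.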
@@ -1181,7 +1302,7 @@
type user_home_t, file_type, sysadmfile, home_type;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.10/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.10/tunables/distro.tun 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/tunables/distro.tun 2005-04-13 14:11:21.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
@@ -1193,7 +1314,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.10/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.10/tunables/tunable.tun 2005-04-12 10:13:08.000000000 -0400
++++ policy-1.23.10/tunables/tunable.tun 2005-04-13 14:11:21.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
@@ -1219,7 +1340,7 @@
# that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.10/types/file.te
--- nsapolicy/types/file.te 2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.10/types/file.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/types/file.te 2005-04-13 14:11:21.000000000 -0400
@@ -319,4 +319,5 @@
allow file_type removable_t:filesystem associate;
allow file_type noexattrfile:filesystem associate;
@@ -1229,7 +1350,7 @@
+type ftpd_anon_t, file_type, sysadmfile, customizable;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.10/types/network.te
--- nsapolicy/types/network.te 2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.23.10/types/network.te 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/types/network.te 2005-04-13 14:11:21.000000000 -0400
@@ -39,12 +39,9 @@
ifdef(`use_pop', `
type pop_port_t, port_type, reserved_port_type;
@@ -1246,9 +1367,44 @@
ifdef(`dhcpd.te', `define(`use_pxe')')
ifdef(`pxe.te', `define(`use_pxe')')
+diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.10/types/security.te
+--- nsapolicy/types/security.te 2005-03-11 15:31:07.000000000 -0500
++++ policy-1.23.10/types/security.te 2005-04-13 14:11:21.000000000 -0400
+@@ -24,20 +24,20 @@
+ # policy_src_t is the type of the policy source
+ # files.
+ #
+-type policy_src_t, file_type, sysadmfile;
++type policy_src_t, file_type;
+
+
+ #
+ # default_context_t is the type applied to
+ # /etc/selinux/*/contexts/*
+ #
+-type default_context_t, file_type, sysadmfile, login_contexts;
++type default_context_t, file_type, login_contexts;
+
+ #
+ # file_context_t is the type applied to
+ # /etc/selinux/*/contexts/files
+ #
+-type file_context_t, file_type, sysadmfile;
++type file_context_t, file_type;
+
+ #
+ # no_access_t is the type for objects that should
+@@ -49,6 +49,6 @@
+ # selinux_config_t is the type applied to
+ # /etc/selinux/config
+ #
+-type selinux_config_t, file_type, sysadmfile;
++type selinux_config_t, file_type;
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/users policy-1.23.10/users
--- nsapolicy/users 2005-03-17 10:18:56.000000000 -0500
-+++ policy-1.23.10/users 2005-04-12 09:53:46.000000000 -0400
++++ policy-1.23.10/users 2005-04-13 14:11:21.000000000 -0400
@@ -41,7 +41,7 @@
# The sysadm_r user also needs to be permitted system_r if we are to allow
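Review bot: The new types/security.te diff drops the `sysadmfile` attribute from policy_src_t, default_context_t, file_context_t and selinux_config_t, which withdraws whatever access admin domains obtain through that attribute (its rules live elsewhere) to the policy sources, the contexts files and /etc/selinux/config, yet neither the inner file nor this commit's changelog entry mentions it — the changelog only says "Add auditd policy" / "Fix auditd policy". Whether a replacement grant for secadm_t or an explicit sysadm_t rule exists is outside this hunk, so on the strict policy a sysadm_t session that previously edited these files may now be denied; that can be a reasonable tightening, but it should be deliberate and recorded. I'd add a changelog line such as `- Drop sysadmfile from SELinux policy/config types (policy_src_t, default_context_t, file_context_t, selinux_config_t)` and a comment in security.te above the first changed type line naming what now governs access to these types. Under targeted this is moot only because sysadm_t is aliased to unconfined_t elsewhere in this patch.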
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.274
retrieving revision 1.275
diff -u -r1.274 -r1.275
--- selinux-policy-targeted.spec 13 Apr 2005 02:32:24 -0000 1.274
+++ selinux-policy-targeted.spec 13 Apr 2005 21:22:57 -0000 1.275
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.10
-Release: 5
+Release: 6
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -51,7 +51,7 @@
mv domains/misc/*.te domains/misc/unused
mv domains/program/*.te domains/program/unused/
rm domains/*.te
-for i in amanda.te apache.te chkpwd.te cups.te cvs.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te uucpd.te winbind.te ypbind.te ypserv.te zebra.te; do
+for i in amanda.te apache.te auditd.te chkpwd.te cups.te cvs.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te uucpd.te winbind.te ypbind.te ypserv.te zebra.te; do
mv domains/program/unused/$i domains/program/
done
rm -rf domains/program/unused
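Review bot: The enabled-module list at `for i in ... auditd.te ...; do` is a single several-hundred-character line, so the one-word insertion of auditd.te is hard to spot in a diff and hard to audit against what is left in domains/program/unused; splitting it one name per line with backslash continuations (or accumulating a variable line by line) keeps future additions reviewable. Note also that the %changelog hunk below dates the new entry `* Wed Apr 12 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-6` while the previous entry is `Tue Apr 12 2005` and the spec header in this diff is stamped 13 Apr 2005; rpmbuild warns about a bogus %changelog date on such a weekday mismatch, so the line should presumably read `* Wed Apr 13 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-6`.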
@@ -233,6 +233,10 @@
exit 0
%changelog
+* Wed Apr 12 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-6
+- Add auditd policy to targeted
+- Fix auditd policy
+
* Tue Apr 12 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-5
- Allow NetworkManager to communicate with hal in targeted_policy