
rpms/selinux-policy-strict/devel policy-20050811.patch, 1.2, 1.3 selinux-policy-strict.spec, 1.367, 1.368



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6951

Modified Files:
	policy-20050811.patch selinux-policy-strict.spec 
Log Message:
* Sun Aug 14 2005 Dan Walsh <dwalsh redhat com> 1.25.4-2
- Support for policy.20 and policy.19


policy-20050811.patch:
 Makefile                                 |   42 +++++-
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    5 
 domains/program/fsadm.te                 |    3 
 domains/program/hostname.te              |    1 
 domains/program/ifconfig.te              |    2 
 domains/program/initrc.te                |    3 
 domains/program/passwd.te                |    3 
 domains/program/unused/NetworkManager.te |    7 -
 domains/program/unused/alsa.te           |    9 +
 domains/program/unused/apache.te         |    5 
 domains/program/unused/apmd.te           |    2 
 domains/program/unused/backup.te         |    2 
 domains/program/unused/bluetooth.te      |    3 
 domains/program/unused/bootloader.te     |    2 
 domains/program/unused/cardmgr.te        |    3 
 domains/program/unused/certwatch.te      |   11 +
 domains/program/unused/clockspeed.te     |    3 
 domains/program/unused/cups.te           |    1 
 domains/program/unused/cvs.te            |   10 -
 domains/program/unused/cyrus.te          |   10 +
 domains/program/unused/dbusd.te          |    5 
 domains/program/unused/ddclient.te       |    6 
 domains/program/unused/dhcpc.te          |    4 
 domains/program/unused/firstboot.te      |    7 -
 domains/program/unused/ftpd.te           |    8 -
 domains/program/unused/hald.te           |    1 
 domains/program/unused/hwclock.te        |    3 
 domains/program/unused/ipsec.te          |    7 -
 domains/program/unused/kudzu.te          |    2 
 domains/program/unused/mta.te            |    2 
 domains/program/unused/ping.te           |   11 -
 domains/program/unused/postgresql.te     |    4 
 domains/program/unused/pppd.te           |   21 ++-
 domains/program/unused/radvd.te          |    2 
 domains/program/unused/rlogind.te        |    2 
 domains/program/unused/rpm.te            |    3 
 domains/program/unused/rsync.te          |    4 
 domains/program/unused/samba.te          |    5 
 domains/program/unused/saslauthd.te      |   10 +
 domains/program/unused/slocate.te        |    4 
 domains/program/unused/udev.te           |    2 
 domains/program/unused/vpnc.te           |   17 ++
 domains/program/useradd.te               |    1 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/certwatch.fc       |    3 
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/postgresql.fc      |    4 
 file_contexts/program/pppd.fc            |   14 +-
 file_contexts/types.fc                   |    4 
 macros/base_user_macros.te               |    4 
 macros/global_macros.te                  |   24 +++
 macros/network_macros.te                 |    4 
 macros/program/apache_macros.te          |    6 
 macros/program/cdrecord_macros.te        |   14 --
 macros/program/chkpwd_macros.te          |   17 --
 macros/program/ethereal_macros.te        |    7 -
 macros/program/evolution_macros.te       |    2 
 macros/program/mail_client_macros.te     |    5 
 macros/program/mozilla_macros.te         |    7 +
 macros/program/spamassassin_macros.te    |    2 
 macros/program/su_macros.te              |    8 -
 macros/program/thunderbird_macros.te     |    6 
 mcs                                      |  212 +++++++++++++++++++++++++++++++
 net_contexts                             |    8 -
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/file.te                            |    1 
 types/network.te                         |    9 -
 69 files changed, 496 insertions(+), 134 deletions(-)

Index: policy-20050811.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050811.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050811.patch	11 Aug 2005 11:46:40 -0000	1.2
+++ policy-20050811.patch	14 Aug 2005 20:04:08 -0000	1.3
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.3/domains/misc/kernel.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.4/domains/misc/kernel.te
 --- nsapolicy/domains/misc/kernel.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/misc/kernel.te	2005-08-01 10:39:07.000000000 -0400
++++ policy-1.25.4/domains/misc/kernel.te	2005-08-11 23:07:13.000000000 -0400
 @@ -11,7 +11,7 @@
  # kernel_t is the domain of kernel threads.
  # It is also the target type when checking permissions in the system class.
@@ -10,9 +10,9 @@
  role system_r types kernel_t;
  general_domain_access(kernel_t)
  general_proc_read_access(kernel_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.4/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-08-11 06:57:10.000000000 -0400
-+++ policy-1.25.3/domains/program/crond.te	2005-07-29 09:12:48.000000000 -0400
++++ policy-1.25.4/domains/program/crond.te	2005-08-11 23:07:13.000000000 -0400
 @@ -44,7 +44,7 @@
  read_locale(crond_t)
  
@@ -31,9 +31,9 @@
  dontaudit crond_t self:capability sys_tty_config;
 +# Needed for certwatch
 +can_exec(system_crond_t, httpd_modules_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.4/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-08-11 06:57:12.000000000 -0400
-+++ policy-1.25.3/domains/program/fsadm.te	2005-08-07 05:47:34.000000000 -0400
++++ policy-1.25.4/domains/program/fsadm.te	2005-08-11 23:07:13.000000000 -0400
 @@ -64,7 +64,7 @@
  allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
  
@@ -48,17 +48,17 @@
  allow fsadm_t usbfs_t:dir { getattr search };
  allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 +allow fsadm_t device_type:chr_file getattr;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.3/domains/program/hostname.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.4/domains/program/hostname.te
 --- nsapolicy/domains/program/hostname.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.25.3/domains/program/hostname.te	2005-07-27 14:19:20.000000000 -0400
++++ policy-1.25.4/domains/program/hostname.te	2005-08-11 23:07:13.000000000 -0400
 @@ -25,3 +25,4 @@
  allow hostname_t tmpfs_t:chr_file rw_file_perms;
  ')
  allow hostname_t initrc_devpts_t:chr_file { read write };
 +allow hostname_t initrc_t:fd use;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.3/domains/program/ifconfig.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.4/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.3/domains/program/ifconfig.te	2005-07-21 17:03:56.000000000 -0400
++++ policy-1.25.4/domains/program/ifconfig.te	2005-08-11 23:07:13.000000000 -0400
 @@ -34,7 +34,7 @@
  allow ifconfig_t self:socket create_socket_perms;
  
@@ -68,9 +68,9 @@
  dontaudit ifconfig_t self:capability sys_module;
  allow ifconfig_t self:capability sys_tty_config;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.3/domains/program/initrc.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.3/domains/program/initrc.te	2005-08-04 13:58:50.000000000 -0400
++++ policy-1.25.4/domains/program/initrc.te	2005-08-11 23:07:13.000000000 -0400
 @@ -319,3 +319,6 @@
  ')
  allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
@@ -78,9 +78,9 @@
 +ifdef(`dbusd.te', `
 +allow initrc_t system_dbusd_var_run_t:sock_file write;
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.3/domains/program/passwd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.4/domains/program/passwd.te
 --- nsapolicy/domains/program/passwd.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/passwd.te	2005-08-08 06:09:23.000000000 -0400
++++ policy-1.25.4/domains/program/passwd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -64,6 +64,7 @@
  dontaudit $1_t { proc_t device_t }:dir { search read };
  
@@ -96,9 +96,9 @@
 -allow sysadm_passwd_t devpts_t:chr_file { read write };
 +allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.3/domains/program/unused/alsa.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.4/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	2005-07-05 15:25:45.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/alsa.te	2005-08-05 09:03:03.000000000 -0400
++++ policy-1.25.4/domains/program/unused/alsa.te	2005-08-11 23:07:13.000000000 -0400
 @@ -6,12 +6,17 @@
  type alsa_t, domain, privlog, daemon;
  type alsa_exec_t, file_type, sysadmfile, exec_type;
@@ -119,9 +119,9 @@
  domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
 +role system_r types alsa_t;
 +read_locale(alsa_t) 
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.3/domains/program/unused/apache.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.4/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/apache.te	2005-08-07 06:04:30.000000000 -0400
++++ policy-1.25.4/domains/program/unused/apache.te	2005-08-11 23:07:13.000000000 -0400
 @@ -222,6 +222,9 @@
  # Creation of lock files for apache2
  lock_domain(httpd)
@@ -141,9 +141,9 @@
  ifdef(`targeted_policy', `
  allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.3/domains/program/unused/apmd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.4/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/apmd.te	2005-08-02 11:05:02.000000000 -0400
++++ policy-1.25.4/domains/program/unused/apmd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -16,7 +16,9 @@
  
  type apm_t, domain, privlog;
@@ -154,9 +154,9 @@
  uses_shlib(apm_t)
  allow apm_t privfd:fd use;
  allow apm_t admin_tty_type:chr_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.25.3/domains/program/unused/backup.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.25.4/domains/program/unused/backup.te
 --- nsapolicy/domains/program/unused/backup.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/backup.te	2005-08-02 11:05:32.000000000 -0400
++++ policy-1.25.4/domains/program/unused/backup.te	2005-08-11 23:07:13.000000000 -0400
 @@ -16,7 +16,9 @@
  role system_r types backup_t;
  role sysadm_r types backup_t;
@@ -167,9 +167,19 @@
  allow backup_t privfd:fd use;
  ifdef(`crond.te', `
  system_crond_entry(backup_exec_t, backup_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.25.3/domains/program/unused/bootloader.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.25.4/domains/program/unused/bluetooth.te
+--- nsapolicy/domains/program/unused/bluetooth.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.4/domains/program/unused/bluetooth.te	2005-08-12 07:55:43.000000000 -0400
+@@ -43,3 +43,6 @@
+ allow initrc_t usbfs_t:file { getattr read };
+ allow bluetooth_t usbfs_t:dir r_dir_perms;
+ allow bluetooth_t usbfs_t:file rw_file_perms; 
++allow bluetooth_t bin_t:dir search;
++can_exec(bluetooth_t, bin_t)
++
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.25.4/domains/program/unused/bootloader.te
 --- nsapolicy/domains/program/unused/bootloader.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/bootloader.te	2005-08-02 11:05:41.000000000 -0400
++++ policy-1.25.4/domains/program/unused/bootloader.te	2005-08-11 23:07:13.000000000 -0400
 @@ -24,7 +24,9 @@
  # for nscd
  dontaudit bootloader_t var_run_t:dir search;
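Review bot: The bluetooth.te rules added in this hunk, `allow bluetooth_t bin_t:dir search;` and `can_exec(bluetooth_t, bin_t)`, carry no comment naming the program the daemon needs to run, unlike the crond.te addition earlier in the patch, which is annotated `# Needed for certwatch`. As far as the macro's usual definition goes, `can_exec` lets bluetooth_t execute any bin_t-labelled file without leaving its own domain, which is a wide grant for a confined daemon in the strict policy. I would put a line such as `# bluetooth_t runs <helper name> from a bin_t directory` above the two rules, and if only one helper is involved, give it a dedicated exec type rather than opening all of bin_t. The rest of bluetooth.te lies outside this hunk, so an existing justification may simply not be visible here.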
@@ -180,9 +190,9 @@
  allow bootloader_t { initrc_t privfd }:fd use;
  
  tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.25.3/domains/program/unused/cardmgr.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.25.4/domains/program/unused/cardmgr.te
 --- nsapolicy/domains/program/unused/cardmgr.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/cardmgr.te	2005-08-07 06:21:22.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cardmgr.te	2005-08-11 23:07:13.000000000 -0400
 @@ -15,7 +15,9 @@
  allow cardmgr_t urandom_device_t:chr_file read;
  
@@ -198,9 +208,9 @@
  allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
  ')
 +allow cardmgr_t device_t:lnk_file { getattr read };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.3/domains/program/unused/certwatch.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.4/domains/program/unused/certwatch.te
 --- nsapolicy/domains/program/unused/certwatch.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.3/domains/program/unused/certwatch.te	2005-07-27 13:40:10.000000000 -0400
++++ policy-1.25.4/domains/program/unused/certwatch.te	2005-08-11 23:07:13.000000000 -0400
 @@ -0,0 +1,11 @@
 +#DESC certwatch - generate SSL certificate expiry warnings
 +#
@@ -213,9 +223,9 @@
 +can_exec(certwatch_t, httpd_modules_t)
 +system_crond_entry(certwatch_exec_t, certwatch_t)
 +read_locale(certwatch_t) 
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.25.3/domains/program/unused/clockspeed.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.25.4/domains/program/unused/clockspeed.te
 --- nsapolicy/domains/program/unused/clockspeed.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/clockspeed.te	2005-08-02 11:06:04.000000000 -0400
++++ policy-1.25.4/domains/program/unused/clockspeed.te	2005-08-11 23:07:13.000000000 -0400
 @@ -21,5 +21,6 @@
  
  # sysadm can play with clockspeed
@@ -224,9 +234,9 @@
  domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
 -
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.3/domains/program/unused/cups.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.4/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/cups.te	2005-07-28 11:47:11.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cups.te	2005-08-11 23:07:13.000000000 -0400
 @@ -245,6 +245,7 @@
  allow cupsd_config_t self:fifo_file rw_file_perms;
  
@@ -235,9 +245,9 @@
  ifdef(`dbusd.te', `
  dbusd_client(system, cupsd_config)
  allow cupsd_config_t userdomain:dbus send_msg;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.3/domains/program/unused/cvs.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.4/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/cvs.te	2005-08-05 14:13:31.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cvs.te	2005-08-11 23:07:13.000000000 -0400
 @@ -15,12 +15,14 @@
  typeattribute cvs_t privmail;
  typeattribute cvs_t auth_chkpwd;
@@ -257,9 +267,9 @@
 +# Allow kerberos to work
 +allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
 +dontaudit cvs_t krb5_conf_t:file write;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.3/domains/program/unused/cyrus.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.4/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/cyrus.te	2005-07-25 09:19:03.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cyrus.te	2005-08-11 23:07:13.000000000 -0400
 @@ -20,7 +20,7 @@
  can_ypbind(cyrus_t)
  can_exec(cyrus_t, bin_t)
@@ -281,9 +291,9 @@
 +
 +r_dir_file(cyrus_t, cert_t)
 +allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.25.3/domains/program/unused/dbusd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.25.4/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/dbusd.te	2005-08-04 13:58:16.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dbusd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -17,4 +17,9 @@
  # I expect we need more than this
  
@@ -294,9 +304,9 @@
 +can_exec(system_dbusd_t, sbin_t)
 +allow system_dbusd_t self:fifo_file { read write };
 +allow system_dbusd_t self:unix_stream_socket connectto;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.25.3/domains/program/unused/ddclient.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.25.4/domains/program/unused/ddclient.te
 --- nsapolicy/domains/program/unused/ddclient.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/ddclient.te	2005-08-07 06:01:13.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ddclient.te	2005-08-11 23:07:13.000000000 -0400
 @@ -38,5 +38,7 @@
  
  # allow access to ddclient.conf and ddclient.cache
@@ -307,9 +317,9 @@
 +dontaudit ddclient_t devpts_t:dir search;
 +dontaudit ddclient_t { devtty_t admin_tty_type user_tty_type }:chr_file rw_file_perms;
 +dontaudit httpd_t selinux_config_t:dir search;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.3/domains/program/unused/dhcpc.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.4/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/dhcpc.te	2005-08-02 11:32:50.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dhcpc.te	2005-08-11 23:07:13.000000000 -0400
 @@ -156,6 +156,6 @@
  domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
  allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
@@ -319,9 +329,9 @@
 +allow { unconfined_t NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
 +allow dhcpc_t { unconfined_t NetworkManager_t initrc_t }:dbus send_msg;
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.3/domains/program/unused/firstboot.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.4/domains/program/unused/firstboot.te
 --- nsapolicy/domains/program/unused/firstboot.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/firstboot.te	2005-07-25 15:04:43.000000000 -0400
++++ policy-1.25.4/domains/program/unused/firstboot.te	2005-08-11 23:07:13.000000000 -0400
 @@ -57,9 +57,6 @@
  # Allow write to utmp file
  allow firstboot_t initrc_var_run_t:file write;
@@ -343,9 +353,9 @@
  allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
  allow firstboot_t proc_t:lnk_file read;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.3/domains/program/unused/ftpd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.4/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/ftpd.te	2005-07-22 08:48:57.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ftpd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -110,9 +110,5 @@
  	r_dir_file(ftpd_t, cifs_t)
  }
@@ -358,9 +368,9 @@
 -create_dir_file(ftpd_t,ftpd_anon_rw_t)
 +anonymous_domain(ftpd)
 +
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.3/domains/program/unused/hald.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.4/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/hald.te	2005-07-26 09:07:57.000000000 -0400
++++ policy-1.25.4/domains/program/unused/hald.te	2005-08-11 23:07:13.000000000 -0400
 @@ -47,6 +47,7 @@
  allow hald_t printer_device_t:chr_file rw_file_perms;
  allow hald_t urandom_device_t:chr_file read;
@@ -369,9 +379,9 @@
  
  can_getsecurity(hald_t)
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.3/domains/program/unused/hwclock.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.4/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/hwclock.te	2005-08-02 11:04:50.000000000 -0400
++++ policy-1.25.4/domains/program/unused/hwclock.te	2005-08-11 23:07:13.000000000 -0400
 @@ -17,7 +17,9 @@
  #
  daemon_base_domain(hwclock)
@@ -387,9 +397,9 @@
  # for when /usr is not mounted
  dontaudit hwclock_t file_t:dir search;
 +allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.3/domains/program/unused/ipsec.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.4/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/ipsec.te	2005-07-25 09:42:06.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ipsec.te	2005-08-11 23:07:13.000000000 -0400
 @@ -60,8 +60,8 @@
  # it in its own domain?)
  can_exec(ipsec_mgmt_t, bin_t)
@@ -418,9 +428,9 @@
  read_locale(ipsec_t)
  ifdef(`consoletype.te', `
  can_exec(ipsec_mgmt_t, consoletype_exec_t )
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.3/domains/program/unused/kudzu.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.4/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/kudzu.te	2005-08-02 11:07:14.000000000 -0400
++++ policy-1.25.4/domains/program/unused/kudzu.te	2005-08-11 23:07:13.000000000 -0400
 @@ -48,7 +48,9 @@
  allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
  
@@ -431,9 +441,9 @@
  ifdef(`anaconda.te', `
  domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.25.3/domains/program/unused/mta.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.25.4/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/mta.te	2005-07-20 14:35:47.000000000 -0400
++++ policy-1.25.4/domains/program/unused/mta.te	2005-08-11 23:07:13.000000000 -0400
 @@ -22,7 +22,7 @@
  # rules are currently defined in sendmail.te, but it is not included in 
  # targeted policy.  We could move these rules permanantly here.
@@ -443,9 +453,9 @@
  allow system_mail_t self:lnk_file read;
  r_dir_file(system_mail_t, { proc_t proc_net_t })
  allow system_mail_t fs_t:filesystem getattr;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.3/domains/program/unused/NetworkManager.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.4/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-08-11 06:57:14.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/NetworkManager.te	2005-08-02 11:53:15.000000000 -0400
++++ policy-1.25.4/domains/program/unused/NetworkManager.te	2005-08-11 23:07:13.000000000 -0400
 @@ -15,12 +15,12 @@
  
  can_network(NetworkManager_t)
@@ -471,9 +481,9 @@
  
  domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
  domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.3/domains/program/unused/ping.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.4/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/ping.te	2005-08-07 06:26:36.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ping.te	2005-08-11 23:07:13.000000000 -0400
 @@ -17,7 +17,9 @@
  in_user_role(ping_t)
  type ping_exec_t, file_type, sysadmfile, exec_type;
@@ -510,9 +520,9 @@
 +allow ping_t init_t:fd use;
 +')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.3/domains/program/unused/postgresql.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.4/domains/program/unused/postgresql.te
 --- nsapolicy/domains/program/unused/postgresql.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/postgresql.te	2005-07-20 14:30:01.000000000 -0400
++++ policy-1.25.4/domains/program/unused/postgresql.te	2005-08-11 23:07:13.000000000 -0400
 @@ -110,8 +110,8 @@
  allow postgresql_t self:sem create_sem_perms;
  
@@ -524,9 +534,9 @@
  lock_domain(postgresql)
  can_exec(postgresql_t, { shell_exec_t bin_t postgresql_exec_t ls_exec_t } )
  ifdef(`apache.te', `
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.3/domains/program/unused/pppd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.4/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/pppd.te	2005-07-28 15:05:54.000000000 -0400
++++ policy-1.25.4/domains/program/unused/pppd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -32,12 +32,9 @@
  log_domain(pppd)
  
@@ -576,9 +586,9 @@
 +# Allow /etc/ppp/ip-{up,down} to run most anything
 +type pppd_script_exec_t, file_type, sysadmfile;
 +domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.3/domains/program/unused/radvd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.4/domains/program/unused/radvd.te
 --- nsapolicy/domains/program/unused/radvd.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/radvd.te	2005-07-19 10:57:19.000000000 -0400
++++ policy-1.25.4/domains/program/unused/radvd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -15,7 +15,7 @@
  
  allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
@@ -588,18 +598,18 @@
  allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
  allow radvd_t self:unix_stream_socket create_socket_perms;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.3/domains/program/unused/rlogind.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.4/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rlogind.te	2005-07-26 15:01:06.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rlogind.te	2005-08-11 23:07:13.000000000 -0400
 @@ -35,4 +35,4 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
  read_sysctl(rlogind_t);
 -allow rlogind_t krb5_keytab_t:file { getattr read };
 +allow rlogind_t krb5_keytab_t:file r_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.3/domains/program/unused/rpm.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.4/domains/program/unused/rpm.te
 --- nsapolicy/domains/program/unused/rpm.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rpm.te	2005-07-28 11:23:44.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rpm.te	2005-08-11 23:07:13.000000000 -0400
 @@ -114,7 +114,7 @@
  
  allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
@@ -617,9 +627,9 @@
  domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
  ifdef(`bootloader.te', `
  domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.3/domains/program/unused/rsync.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.4/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rsync.te	2005-07-22 08:45:55.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rsync.te	2005-08-11 23:07:13.000000000 -0400
 @@ -14,4 +14,6 @@
  inetd_child_domain(rsync)
  type rsync_data_t, file_type, sysadmfile;
@@ -628,9 +638,9 @@
 +anonymous_domain(rsync)
 +
 +
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.3/domains/program/unused/samba.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.4/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/samba.te	2005-07-27 11:13:01.000000000 -0400
++++ policy-1.25.4/domains/program/unused/samba.te	2005-08-11 23:07:13.000000000 -0400
 @@ -50,7 +50,7 @@
  can_ldap(smbd_t)
  can_kerberos(smbd_t)
@@ -657,9 +667,9 @@
  file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
  read_locale(samba_net_t) 
  allow samba_net_t samba_etc_t:file r_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.3/domains/program/unused/saslauthd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.4/domains/program/unused/saslauthd.te
 --- nsapolicy/domains/program/unused/saslauthd.te	2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/saslauthd.te	2005-08-05 09:04:33.000000000 -0400
++++ policy-1.25.4/domains/program/unused/saslauthd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -9,6 +9,7 @@
  allow saslauthd_t self:unix_dgram_socket create_socket_perms;
  allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -681,9 +691,9 @@
 +allow saslauthd_t mysqld_db_t:dir search;
 +allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.3/domains/program/unused/slocate.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.4/domains/program/unused/slocate.te
 --- nsapolicy/domains/program/unused/slocate.te	2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/slocate.te	2005-07-21 09:07:15.000000000 -0400
++++ policy-1.25.4/domains/program/unused/slocate.te	2005-08-11 23:07:13.000000000 -0400
 @@ -10,7 +10,8 @@
  # locate_exec_t is the type of the locate executable.
  #
@@ -702,9 +712,9 @@
  allow locate_t file_type:lnk_file r_file_perms;
  allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
  dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.3/domains/program/unused/udev.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.4/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/udev.te	2005-07-26 09:08:06.000000000 -0400
++++ policy-1.25.4/domains/program/unused/udev.te	2005-08-11 23:07:13.000000000 -0400
 @@ -33,7 +33,7 @@
  allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
  allow udev_t self:unix_dgram_socket create_socket_perms;
@@ -714,26 +724,63 @@
  allow udev_t device_t:file { unlink rw_file_perms };
  allow udev_t device_t:sock_file create_file_perms;
  allow udev_t device_t:lnk_file create_lnk_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.25.3/domains/program/unused/vpnc.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.25.4/domains/program/unused/vpnc.te
 --- nsapolicy/domains/program/unused/vpnc.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/vpnc.te	2005-08-01 07:21:32.000000000 -0400
-@@ -49,3 +49,5 @@
++++ policy-1.25.4/domains/program/unused/vpnc.te	2005-08-12 07:29:25.000000000 -0400
+@@ -10,9 +10,9 @@
+ # vpnc_t is the domain for the vpnc program.
+ # vpnc_exec_t is the type of the vpnc executable.
+ #
+-daemon_domain(vpnc, `, sysctl_net_writer')
++application_domain(vpnc, `, sysctl_net_writer, nscd_client_domain')
+ 
+-allow vpnc_t { random_device_t urandom_device_t }:chr_file read;
++allow vpnc_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ 
+ # Use the network.
+ can_network(vpnc_t)
+@@ -31,7 +31,7 @@
+ allow vpnc_t self:rawip_socket create_socket_perms;
+ allow vpnc_t self:unix_dgram_socket create_socket_perms;
+ allow vpnc_t self:unix_stream_socket create_socket_perms;
+-allow vpnc_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
++allow vpnc_t { devtty_t user_tty_type admin_tty_type }:chr_file rw_file_perms;
+ allow vpnc_t port_t:udp_socket name_bind;
+ allow vpnc_t etc_runtime_t:file { getattr read };
+ allow vpnc_t proc_t:file { getattr read };
+@@ -42,6 +42,8 @@
+ allow vpnc_t sbin_t:dir search;
+ allow vpnc_t bin_t:dir search;
+ allow vpnc_t bin_t:lnk_file read;
++allow vpnc_t self:dir search;
++r_dir_file(vpnc_t, proc_t)
+ r_dir_file(vpnc_t, proc_net_t)
+ tmp_domain(vpnc)
+ allow vpnc_t self:fifo_file { getattr ioctl read write };
+@@ -49,3 +51,12 @@
  allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
  file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
  allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
 +dontaudit vpnc_t home_root_t:dir search;
 +dontaudit vpnc_t user_home_dir_type:dir search;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.25.3/domains/program/useradd.te
++var_run_domain(vpnc)
++allow vpnc_t userdomain:fd use;
++r_dir_file(vpnc_t, sysfs_t)
++allow vpnc_t self:process { fork sigchld };
++read_locale(vpnc_t)
++read_sysctl(vpnc_t)
++allow vpnc_t fs_t:filesystem getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.25.4/domains/program/useradd.te
 --- nsapolicy/domains/program/useradd.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.3/domains/program/useradd.te	2005-07-21 09:07:34.000000000 -0400
++++ policy-1.25.4/domains/program/useradd.te	2005-08-11 23:07:13.000000000 -0400
 @@ -102,3 +102,4 @@
  allow useradd_t default_context_t:dir search;
  allow useradd_t file_context_t:dir search;
  allow useradd_t file_context_t:file { getattr read };
 +allow useradd_t var_lib_t:dir search;
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.3/file_contexts/program/apache.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.4/file_contexts/program/apache.fc
 --- nsapolicy/file_contexts/program/apache.fc	2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.3/file_contexts/program/apache.fc	2005-08-03 09:20:46.000000000 -0400
++++ policy-1.25.4/file_contexts/program/apache.fc	2005-08-11 23:07:13.000000000 -0400
 @@ -7,6 +7,8 @@
  /var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
  /var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t
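Review bot: The rules this revision adds to vpnc.te (`var_run_domain(vpnc)` through `allow vpnc_t fs_t:filesystem getattr;`, plus the switch from `daemon_domain` to `application_domain`) carry no comment saying which vpnc behaviour needs them, so a later reviewer cannot tell a required permission from a denial that was simply silenced. `allow vpnc_t userdomain:fd use;` and `r_dir_file(vpnc_t, sysfs_t)` are the broadest and each deserves a one-line reason, for example `# vpnc is started from a user session and inherits its descriptors` if that is indeed the case. The new `r_dir_file(vpnc_t, proc_t)` also appears to subsume the existing `allow vpnc_t proc_t:file { getattr read };` (assuming the macro grants read on files of that type), so the narrower rule could be dropped or the macro replaced by it. The remaining lines of this hunk are the 1.25.3 to 1.25.4 path rename.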
@@ -743,16 +790,16 @@
  /etc/httpd		-d	system_u:object_r:httpd_config_t
  /etc/httpd/conf.*		system_u:object_r:httpd_config_t
  /etc/httpd/logs			system_u:object_r:httpd_log_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.3/file_contexts/program/certwatch.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.4/file_contexts/program/certwatch.fc
 --- nsapolicy/file_contexts/program/certwatch.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.3/file_contexts/program/certwatch.fc	2005-07-27 07:49:50.000000000 -0400
++++ policy-1.25.4/file_contexts/program/certwatch.fc	2005-08-11 23:07:13.000000000 -0400
 @@ -0,0 +1,3 @@
 +# certwatch.fc
 +/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
 +
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.3/file_contexts/program/cups.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.4/file_contexts/program/cups.fc
 --- nsapolicy/file_contexts/program/cups.fc	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/file_contexts/program/cups.fc	2005-07-28 11:18:01.000000000 -0400
++++ policy-1.25.4/file_contexts/program/cups.fc	2005-08-11 23:07:13.000000000 -0400
 @@ -5,6 +5,7 @@
  /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
  /etc/cups/client\.conf	--	system_u:object_r:etc_t
@@ -761,9 +808,9 @@
  /etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
  /etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
  /etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.25.3/file_contexts/program/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.25.4/file_contexts/program/postgresql.fc
 --- nsapolicy/file_contexts/program/postgresql.fc	2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.25.3/file_contexts/program/postgresql.fc	2005-07-20 13:51:00.000000000 -0400
++++ policy-1.25.4/file_contexts/program/postgresql.fc	2005-08-11 23:07:13.000000000 -0400
 @@ -14,3 +14,7 @@
  /usr/lib/pgsql/test/regress/.*\.so	-- system_u:object_r:shlib_t
  /usr/lib/pgsql/test/regress/.*\.sh	-- system_u:object_r:bin_t
@@ -772,9 +819,9 @@
 +/usr/share/jonas/pgsql(/.*)?       system_u:object_r:postgresql_db_t
 +/var/log/rhdb/rhdb(/.*)?           system_u:object_r:postgresql_log_t 
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.25.3/file_contexts/program/pppd.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.25.4/file_contexts/program/pppd.fc
 --- nsapolicy/file_contexts/program/pppd.fc	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.3/file_contexts/program/pppd.fc	2005-07-22 07:39:08.000000000 -0400
++++ policy-1.25.4/file_contexts/program/pppd.fc	2005-08-11 23:07:13.000000000 -0400
 @@ -13,9 +13,13 @@
  /var/run/(i)?ppp.*pid	--	system_u:object_r:pppd_var_run_t
  /var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
@@ -794,9 +841,9 @@
 +/var/run/pptp(/.*)?	--	system_u:object_r:pptp_var_run_t
 +# Fix /etc/ppp {up,down} family scripts (see man pppd)
 +/etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.3/file_contexts/types.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.4/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/file_contexts/types.fc	2005-07-21 08:57:17.000000000 -0400
++++ policy-1.25.4/file_contexts/types.fc	2005-08-11 23:07:13.000000000 -0400
 @@ -503,8 +503,8 @@
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
@@ -808,9 +855,9 @@
  
  #
  # /srv
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.3/macros/base_user_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.4/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/base_user_macros.te	2005-08-04 13:56:45.000000000 -0400
++++ policy-1.25.4/macros/base_user_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -21,8 +21,8 @@
  type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
  
@@ -822,9 +869,9 @@
  
  # Read content
  read_content($1_t, $1)
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.3/macros/global_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.4/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/global_macros.te	2005-08-01 12:31:45.000000000 -0400
++++ policy-1.25.4/macros/global_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -595,6 +595,18 @@
  ')dnl end polyinstantiater
  
@@ -860,9 +907,9 @@
 +allow $1 self:capability { audit_write audit_control };
 +dontaudit $1 shadow_t:file { getattr read };
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.3/macros/network_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.4/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/network_macros.te	2005-08-01 12:31:58.000000000 -0400
++++ policy-1.25.4/macros/network_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -16,9 +16,7 @@
  # Allow the domain to send or receive using any network interface.
  # netif_type is a type attribute for all network interface types.
@@ -874,9 +921,9 @@
  #
  # Allow the domain to send to or receive from any node.
  # node_type is a type attribute for all node types.
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.3/macros/program/apache_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.4/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/program/apache_macros.te	2005-08-03 09:37:45.000000000 -0400
++++ policy-1.25.4/macros/program/apache_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -23,6 +23,7 @@
  domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
  allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
@@ -907,9 +954,9 @@
  
  ')
  define(`apache_user_domain', `
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.25.3/macros/program/cdrecord_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.25.4/macros/program/cdrecord_macros.te
 --- nsapolicy/macros/program/cdrecord_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/program/cdrecord_macros.te	2005-07-20 15:36:45.000000000 -0400
++++ policy-1.25.4/macros/program/cdrecord_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -27,16 +27,8 @@
  
  can_resmgrd_connect($1_cdrecord_t)
@@ -938,9 +985,9 @@
 +allow $1_cdrecord_t $1_home_t:file r_file_perms;
  ')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.3/macros/program/chkpwd_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.4/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.3/macros/program/chkpwd_macros.te	2005-07-25 14:22:52.000000000 -0400
++++ policy-1.25.4/macros/program/chkpwd_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -23,28 +23,15 @@
  allow $1_chkpwd_t proc_t:file read;
  
@@ -972,9 +1019,9 @@
  ', `
  domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
  allow $1_t sbin_t:dir search;
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.25.3/macros/program/ethereal_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.25.4/macros/program/ethereal_macros.te
 --- nsapolicy/macros/program/ethereal_macros.te	2005-07-05 15:25:49.000000000 -0400
-+++ policy-1.25.3/macros/program/ethereal_macros.te	2005-07-26 13:53:19.000000000 -0400
++++ policy-1.25.4/macros/program/ethereal_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -38,11 +38,10 @@
  role $1_r types $1_ethereal_t;
  
@@ -990,9 +1037,9 @@
  ') dnl userhelper
  
  # X, GNOME
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.3/macros/program/evolution_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.4/macros/program/evolution_macros.te
 --- nsapolicy/macros/program/evolution_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/program/evolution_macros.te	2005-07-26 14:10:04.000000000 -0400
++++ policy-1.25.4/macros/program/evolution_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -64,7 +64,7 @@
  allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
  
@@ -1002,9 +1049,9 @@
  
  ') dnl evolution_data_server
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.3/macros/program/mail_client_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.4/macros/program/mail_client_macros.te
 --- nsapolicy/macros/program/mail_client_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/program/mail_client_macros.te	2005-08-04 13:51:35.000000000 -0400
++++ policy-1.25.4/macros/program/mail_client_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -54,10 +54,15 @@
  ') 
  ifdef(`dbusd.te', `
@@ -1021,9 +1068,9 @@
 +allow $2_t $1_t:process signal_perms;
 +
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.3/macros/program/mozilla_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.4/macros/program/mozilla_macros.te
 --- nsapolicy/macros/program/mozilla_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/program/mozilla_macros.te	2005-07-29 09:37:24.000000000 -0400
++++ policy-1.25.4/macros/program/mozilla_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -139,7 +139,14 @@
  }
  allow $1_mozilla_t texrel_shlib_t:file execmod;
@@ -1039,22 +1086,21 @@
  ifdef(`apache.te', `
  ifelse($1, sysadm, `', `
  r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.25.3/macros/program/spamassassin_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.25.4/macros/program/spamassassin_macros.te
 --- nsapolicy/macros/program/spamassassin_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/program/spamassassin_macros.te	2005-07-19 10:57:18.000000000 -0400
-@@ -84,8 +84,7 @@
- 
++++ policy-1.25.4/macros/program/spamassassin_macros.te	2005-08-12 08:02:44.000000000 -0400
+@@ -85,7 +85,7 @@
  spamassassin_agent_privs($1_spamassassin_t, $1)
  
--can_resolve($1_spamassassin_t)
+ can_resolve($1_spamassassin_t)
 -# set tunable if you give spamassassin full network access.
 +# set tunable if you have spamassassin do DNS lookups
  if (spamassasin_can_network) {
  can_network($1_spamassassin_t)
  allow $1_spamassassin_t port_type:tcp_socket name_connect;
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.3/macros/program/su_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.4/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.25.3/macros/program/su_macros.te	2005-07-25 14:18:04.000000000 -0400
++++ policy-1.25.4/macros/program/su_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -23,9 +23,13 @@
  
  define(`su_restricted_domain', `
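Review bot: With `can_resolve($1_spamassassin_t)` no longer removed, the comment `# set tunable if you have spamassassin do DNS lookups` that the patch keeps above `if (spamassasin_can_network)` misdescribes the boolean. DNS resolution is now granted unconditionally, while the visible body of the conditional grants `can_network` and `name_connect` on every `port_type` TCP port. An administrator who reads the comment and enables the boolean for DNS would open far more network access than intended. I would restore wording close to the original, `# set tunable if you give spamassassin full network access.`; the `if` block continues past the end of this hunk.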
@@ -1071,9 +1117,9 @@
  ')
  
  # for SSP
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.3/macros/program/thunderbird_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.4/macros/program/thunderbird_macros.te
 --- nsapolicy/macros/program/thunderbird_macros.te	2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.3/macros/program/thunderbird_macros.te	2005-08-04 13:52:49.000000000 -0400
++++ policy-1.25.4/macros/program/thunderbird_macros.te	2005-08-11 23:07:13.000000000 -0400
 @@ -38,6 +38,7 @@
  x_client_domain($1_thunderbird, $1)
  mail_client_domain($1_thunderbird, $1)
@@ -1093,10 +1139,318 @@
 +allow $1_thunderbird_t self:process { execheap execmem execstack };
  
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.3/net_contexts
+diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.25.4/Makefile
+--- nsapolicy/Makefile	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.4/Makefile	2005-08-11 23:14:04.000000000 -0400
+@@ -15,6 +15,9 @@
+ # Set to y if MLS is enabled in the policy.
+ MLS=n
+ 
++# Set to y if MCS is enabled in the policy
++MCS=n
++
+ FLASKDIR = flask/
+ PREFIX = /usr
+ BINDIR = $(PREFIX)/bin
+@@ -24,14 +27,18 @@
+ GENHOMEDIRCON = $(SBINDIR)/genhomedircon
+ SETFILES = $(SBINDIR)/setfiles
+ VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
++PREVERS := 19
+ KERNVERS := $(shell cat /selinux/policyvers)
+ POLICYVER := policy.$(VERS)
+ TOPDIR = $(DESTDIR)/etc/selinux
++TYPE=strict
+ ifeq ($(MLS),y)
+ TYPE=mls
+-else
+-TYPE=strict
+ endif
++ifeq ($(MCS),y)
++TYPE=mcs
++endif
++
+ INSTALLDIR = $(TOPDIR)/$(TYPE)
+ POLICYPATH = $(INSTALLDIR)/policy
+ SRCPATH = $(INSTALLDIR)/src
+@@ -54,6 +61,10 @@
+ POLICYFILES += mls
+ CHECKPOLMLS += -M
+ endif
++ifeq ($(MCS), y)
++POLICYFILES += mcs
++CHECKPOLMLS += -M
++endif
+ DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
+ POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
+ POLICYFILES += $(USER_FILES)
+@@ -148,8 +159,10 @@
+ 	@echo "Compiling policy ..."
+ 	@mkdir -p $(POLICYPATH)
+ 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+-ifneq ($(MLS),y)
++ifneq ($(VERS),$(PREVERS))
++	$(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
+ endif
++
+ # Note: Can't use install, so not sure how to deal with mode, user, and group
+ #	other than by default.
+ 
+@@ -162,7 +175,11 @@
+ 
+ reload tmp/load: $(LOADPATH) 
+ 	@echo "Loading Policy ..."
++ifeq ($(VERS), $(KERNVERS))
+ 	$(LOADPOLICY) $(LOADPATH)
++else
++	$(LOADPOLICY) $(POLICYPATH)/policy.$(PREVERS)
++endif
+ 	touch tmp/load
+ 
+ load: tmp/load $(FCPATH) 
+@@ -328,3 +345,22 @@
+ 	@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
+ 	@mv Makefile.new Makefile
+ 	@echo "Done"
++
++mcsconvert: 
++	@for file in $(CONTEXTFILES); do \
++		echo "Converting $$file"; \
++		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
++		mv $$file.new $$file; \
++	done
++	@for file in $(USER_FILES); do \
++		echo "Converting $$file"; \
++		sed -r -e 's/\;/ level s0 range s0;/' $$file | \
++		sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
++		mv $$file.new $$file; \
++	done
++	@sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
++	@echo "Enabling MCS in the Makefile"
++	@sed "s/MCS=y/MCS=y/" Makefile > Makefile.new
++	@mv Makefile.new Makefile
++	@echo "Done"
++
+diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.25.4/mcs
+--- nsapolicy/mcs	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/mcs	2005-08-11 23:15:17.000000000 -0400
+@@ -0,0 +1,212 @@
++#
++# Define sensitivities 
++#
++# Each sensitivity has a name and zero or more aliases.
++#
++# MCS is single-sensitivity.
++#
++sensitivity s0;
++
++#
++# Define the ordering of the sensitivity levels (least to greatest)
++#
++dominance { s0 }
++
++
++#
++# Define the categories
++#
++# Each category has a name and zero or more aliases.
++#
++category c0;
++category c1;
++category c2;
++category c3;
++category c4;
++category c5;
++category c6;
++category c7;
++category c8;
++category c9;
++category c10;
++category c11;
++category c12;
++category c13;
++category c14;
++category c15;
++category c16;
++category c17;
++category c18;
++category c19;
++category c20;
++category c21;
++category c22;
++category c23;
++category c24;
++category c25;
++category c26;
++category c27;
++category c28;
++category c29;
++category c30;
++category c31;
++category c32;
++category c33;
++category c34;
++category c35;
++category c36;
++category c37;
++category c38;
++category c39;
++category c40;
++category c41;
++category c42;
++category c43;
++category c44;
++category c45;
++category c46;
++category c47;
++category c48;
++category c49;
++category c50;
++category c51;
++category c52;
++category c53;
++category c54;
++category c55;
++category c56;
++category c57;
++category c58;
++category c59;
++category c60;
++category c61;
++category c62;
++category c63;
++category c64;
++category c65;
++category c66;
++category c67;
++category c68;
++category c69;
++category c70;
++category c71;
++category c72;
++category c73;
++category c74;
++category c75;
++category c76;
++category c77;
++category c78;
++category c79;
++category c80;
++category c81;
++category c82;
++category c83;
++category c84;
++category c85;
++category c86;
++category c87;
++category c88;
++category c89;
++category c90;
++category c91;
++category c92;
++category c93;
++category c94;
++category c95;
++category c96;
++category c97;
++category c98;
++category c99;
++category c100;
++category c101;
++category c102;
++category c103;
++category c104;
++category c105;
++category c106;
++category c107;
++category c108;
++category c109;
++category c110;
++category c111;
++category c112;
++category c113;
++category c114;
++category c115;
++category c116;
++category c117;
++category c118;
++category c119;
++category c120;
++category c121;
++category c122;
++category c123;
++category c124;
++category c125;
++category c126;
++category c127;
++
++
++#
++# Each MCS level specifies a sensitivity and zero or more categories which may
++# be associated with that sensitivity.
++#
++level s0:c0.c127;
++
++#
++# Define the MCS policy
++#
++# mlsconstrain class_set perm_set expression ;
++#
++# mlsvalidatetrans class_set expression ;
++#
++# expression : ( expression )
++#	     | not expression
++#	     | expression and expression
++#	     | expression or expression
++#	     | u1 op u2
++#	     | r1 role_mls_op r2
++#	     | t1 op t2
++#	     | l1 role_mls_op l2
++#	     | l1 role_mls_op h2
++#	     | h1 role_mls_op l2
++#	     | h1 role_mls_op h2
++#	     | l1 role_mls_op h1
++#	     | l2 role_mls_op h2
++#	     | u1 op names
++#	     | u2 op names
++#	     | r1 op names
++#	     | r2 op names
++#	     | t1 op names
++#	     | t2 op names
++#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
++#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
++#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
++#
++# op : == | !=
++# role_mls_op : == | != | eq | dom | domby | incomp
++#
++# names : name | { name_list }
++# name_list : name | name_list name
++#
++
++#
++# MCS policy for the file classes
++#
++# Constrain file access so that the high range of the process dominates
++# the high range of the file.  We use the high range of the process so
++# that processes can always simply run at s0.
++#
++# Only files are constrained by MCS at this stage.
++#
++mlsconstrain file { read write setattr append unlink link rename
++		    create ioctl lock execute } (h1 dom h2);
++
++
++# XXX
++#
++# For some reason, we need to reference the mlsfileread attribute
++# or we get a build error.  Below is a dummy entry to do this.
++mlsconstrain xextension query ( t1 == mlsfileread );
++
+diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.4/net_contexts
 --- nsapolicy/net_contexts	2005-08-11 06:57:10.000000000 -0400
-+++ policy-1.25.3/net_contexts	2005-07-25 14:45:47.000000000 -0400
-@@ -223,13 +223,5 @@
++++ policy-1.25.4/net_contexts	2005-08-11 23:07:13.000000000 -0400
+@@ -223,14 +223,6 @@
  #
  # interface netif_context default_msg_context
  #
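Review bot: In the new `mcsconvert` target the final substitution `sed "s/MCS=y/MCS=y/"` replaces the string with itself, so `MCS` stays `n` even though the target prints "Enabling MCS in the Makefile"; the MLS counterpart visible just above uses `s/MLS=n/MLS=y/`, and this line should read `@sed "s/MCS=n/MCS=y/" Makefile > Makefile.new`. As written, the context and user files are rewritten with `:s0` levels while `TYPE` stays `strict` and neither the `mcs` file nor `-M` is added, which presumably leaves a tree that no longer compiles. The `$(USER_FILES)` loop also ends its pipeline with `> $$file.new; \` before the `mv`, so a failed `sed` still overwrites the original; use `&& \` as the `$(CONTEXTFILES)` loop does. In the `reload` rule, `policy.$(PREVERS)` is loaded whenever `VERS` differs from `KERNVERS`, without checking that the running kernel's version actually equals `PREVERS`.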
@@ -1110,9 +1464,10 @@
 -netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
  
  # Nodes (default = initial SID "node")
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.3/tunables/distro.tun
+ #
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.4/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.3/tunables/distro.tun	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.4/tunables/distro.tun	2005-08-11 23:07:13.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -1122,9 +1477,9 @@
  
  dnl define(`distro_suse')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.3/tunables/tunable.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.4/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-08-11 06:57:20.000000000 -0400
-+++ policy-1.25.3/tunables/tunable.tun	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.4/tunables/tunable.tun	2005-08-11 23:07:13.000000000 -0400
 @@ -1,5 +1,5 @@
  # Allow rpm to run unconfined.
 -dnl define(`unlimitedRPM')
@@ -1141,9 +1496,9 @@
  
  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
  # Otherwise, only staff_r can do so.
-diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.3/types/file.te
+diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.4/types/file.te
 --- nsapolicy/types/file.te	2005-08-11 06:57:20.000000000 -0400
-+++ policy-1.25.3/types/file.te	2005-07-22 08:48:48.000000000 -0400
++++ policy-1.25.4/types/file.te	2005-08-11 23:07:13.000000000 -0400
 @@ -333,6 +333,7 @@
  
  # Type for anonymous FTP data, used by ftp and rsync
@@ -1152,9 +1507,9 @@
  
  allow customizable self:filesystem associate;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.3/types/network.te
+diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.4/types/network.te
 --- nsapolicy/types/network.te	2005-08-11 06:57:20.000000000 -0400
-+++ policy-1.25.3/types/network.te	2005-07-25 14:47:17.000000000 -0400
++++ policy-1.25.4/types/network.te	2005-08-11 23:07:13.000000000 -0400
 @@ -74,15 +74,6 @@
  # interfaces in net_contexts or net_contexts.mls.
  #


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.367
retrieving revision 1.368
diff -u -r1.367 -r1.368
--- selinux-policy-strict.spec	11 Aug 2005 11:37:55 -0000	1.367
+++ selinux-policy-strict.spec	14 Aug 2005 20:04:09 -0000	1.368
@@ -2,16 +2,17 @@
 %define POLICYDIR /etc/selinux/%{type}
 %define FILE_CONTEXT %{POLICYDIR}/contexts/files/file_contexts
 %define PRE_FILE_CONTEXT %{FILE_CONTEXT}.pre
-%define POLICYVER 19
+%define POLICYVER 20
+%define PREVPOLICYVER 19
 %define POLICYCOREUTILSVER 1.22-2
-%define CHECKPOLICYVER 1.21.4
+%define CHECKPOLICYVER 1.25.8
 %define KERNELVER 2.6.11-1.1219 
 %define LIBSELINUXVER 1.23.5-1
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.4
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -93,6 +94,7 @@
 %config %{_sysconfdir}/selinux/%{type}/booleans
 %ghost %config(noreplace) %{_sysconfdir}/selinux/%{type}/booleans.local
 %{_sysconfdir}/selinux/%{type}/policy/policy.%{POLICYVER}
+%{_sysconfdir}/selinux/%{type}/policy/policy.%{PREVPOLICYVER}
 %{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts
 %{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts.homedirs
 %config %{_sysconfdir}/selinux/%{type}/contexts/files/homedir_template
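Review bot: The added `%files` entry `policy.%{PREVPOLICYVER}` is listed unconditionally, but the Makefile change in this same commit writes `policy.$(PREVERS)` only under `ifneq ($(VERS),$(PREVERS))` and takes `VERS` from whatever `checkpolicy -V` reports at build time. If the build root's checkpolicy reports a version other than the hard-coded `%define POLICYVER 20`, one of the two listed policy files will be missing and the package build will presumably fail in `%files`. The value 19 is now also maintained in two places (`PREVPOLICYVER` here and `PREVERS := 19` in the Makefile); a comment such as `# keep in sync with PREVERS in the policy Makefile` next to `%define PREVPOLICYVER 19` would make that coupling visible. The `%files` section starts and ends outside this hunk.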
@@ -218,6 +220,7 @@
 %dir %{_sysconfdir}/selinux/%{type}/src/policy/macros
 %config %{_sysconfdir}/selinux/%{type}/src/policy/macros/*
 %config %{_sysconfdir}/selinux/%{type}/src/policy/mls
+%config %{_sysconfdir}/selinux/%{type}/src/policy/mcs
 %config %{_sysconfdir}/selinux/%{type}/src/policy/net_contexts
 %config %{_sysconfdir}/selinux/%{type}/src/policy/rbac
 %dir %{_sysconfdir}/selinux/%{type}/src/policy/types
@@ -236,6 +239,9 @@
 exit 0
 
 %changelog
+* Sun Aug 14 2005 Dan Walsh <dwalsh redhat com> 1.25.4-2
+- Support for policy.20 and policy.19
+
 * Thu Aug 11 2005 Dan Walsh <dwalsh redhat com> 1.25.4-1
 -Update to latest from NSA
 	* Merged small patches from Russell Coker for the restorecon,

