rpms/selinux-policy-strict/devel policy-20050811.patch, 1.6, 1.7 selinux-policy-strict.spec, 1.371, 1.372
fedora-cvs-commits at redhat.com
Wed Aug 24 15:37:24 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15274
Modified Files:
policy-20050811.patch selinux-policy-strict.spec
Log Message:
* Mon Aug 22 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-8
- Apply Russell's cleanups
policy-20050811.patch:
Makefile | 39 +++++
attrib.te | 2
domains/misc/kernel.te | 2
domains/program/crond.te | 7 -
domains/program/fsadm.te | 7 -
domains/program/hostname.te | 3
domains/program/ifconfig.te | 5
domains/program/initrc.te | 13 +
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 6
domains/program/login.te | 12 -
domains/program/modutil.te | 14 +-
domains/program/mount.te | 3
domains/program/netutils.te | 3
domains/program/passwd.te | 3
domains/program/restorecon.te | 5
domains/program/setfiles.te | 2
domains/program/ssh.te | 18 +-
domains/program/unused/NetworkManager.te | 7 -
domains/program/unused/acct.te | 10 -
domains/program/unused/alsa.te | 11 +
domains/program/unused/amanda.te | 51 -------
domains/program/unused/apache.te | 12 +
domains/program/unused/apmd.te | 6
domains/program/unused/automount.te | 4
domains/program/unused/backup.te | 2
domains/program/unused/bluetooth.te | 5
domains/program/unused/bootloader.te | 2
domains/program/unused/cardmgr.te | 3
domains/program/unused/certwatch.te | 11 +
domains/program/unused/clockspeed.te | 3
domains/program/unused/cups.te | 1
domains/program/unused/cvs.te | 10 -
domains/program/unused/cyrus.te | 10 +
domains/program/unused/dbusd.te | 7 -
domains/program/unused/ddclient.te | 6
domains/program/unused/dhcpc.te | 4
domains/program/unused/dovecot.te | 4
domains/program/unused/dpkg.te | 3
domains/program/unused/firstboot.te | 7 -
domains/program/unused/fs_daemon.te | 2
domains/program/unused/ftpd.te | 8 -
domains/program/unused/hald.te | 1
domains/program/unused/hwclock.te | 3
domains/program/unused/ipsec.te | 7 -
domains/program/unused/kudzu.te | 4
domains/program/unused/lvm.te | 1
domains/program/unused/mailman.te | 2
domains/program/unused/mta.te | 6
domains/program/unused/mysqld.te | 7 -
domains/program/unused/ntpd.te | 2
domains/program/unused/openct.te | 16 ++
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 11 -
domains/program/unused/postgresql.te | 4
domains/program/unused/pppd.te | 21 ++-
domains/program/unused/procmail.te | 3
domains/program/unused/readahead.te | 21 +++
domains/program/unused/rlogind.te | 2
domains/program/unused/roundup.te | 29 ++++
domains/program/unused/rpm.te | 3
domains/program/unused/rsync.te | 4
domains/program/unused/samba.te | 11 +
domains/program/unused/saslauthd.te | 10 +
domains/program/unused/slocate.te | 4
domains/program/unused/squid.te | 2
domains/program/unused/sxid.te | 1
domains/program/unused/udev.te | 4
domains/program/unused/vpnc.te | 17 ++
domains/program/unused/winbind.te | 1
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 2
file_contexts/distros.fc | 5
file_contexts/program/apache.fc | 8 -
file_contexts/program/certwatch.fc | 3
file_contexts/program/clamav.fc | 2
file_contexts/program/cups.fc | 1
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 2
file_contexts/program/fsadm.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/postfix.fc | 2
file_contexts/program/postgresql.fc | 4
file_contexts/program/pppd.fc | 14 +-
file_contexts/program/qmail.fc | 2
file_contexts/program/radvd.fc | 1
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 8 -
genfs_contexts | 1
macros/base_user_macros.te | 4
macros/core_macros.te | 3
macros/global_macros.te | 32 ++++
macros/network_macros.te | 18 ++
macros/program/apache_macros.te | 12 +
macros/program/cdrecord_macros.te | 16 --
macros/program/chkpwd_macros.te | 17 --
macros/program/ethereal_macros.te | 7 -
macros/program/evolution_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/mail_client_macros.te | 5
macros/program/mozilla_macros.te | 7 +
macros/program/mta_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/spamassassin_macros.te | 2
macros/program/su_macros.te | 10 +
macros/program/thunderbird_macros.te | 6
macros/program/uml_macros.te | 2
mcs | 216 +++++++++++++++++++++++++++++++
net_contexts | 8 -
targeted/assert.te | 2
targeted/domains/unconfined.te | 1
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/file.te | 4
types/network.te | 9 -
119 files changed, 741 insertions(+), 257 deletions(-)
Index: policy-20050811.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050811.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20050811.patch 22 Aug 2005 16:26:27 -0000 1.6
+++ policy-20050811.patch 24 Aug 2005 15:37:21 -0000 1.7
@@ -1,3 +1,15 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.4/attrib.te
+--- nsapolicy/attrib.te 2005-07-19 10:57:04.000000000 -0400
++++ policy-1.25.4/attrib.te 2005-08-22 16:29:14.000000000 -0400
+@@ -94,7 +94,7 @@
+
+ # The privowner attribute identifies every domain that can
+ # assign a different SELinux user identity to a file, or that
+-# can create a file with an identity that's not the same as the
++# can create a file with an identity that is not the same as the
+ # process identity. This attribute is used in the constraints
+ # configuration.
+ attribute privowner;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.4/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/misc/kernel.te 2005-08-11 23:07:13.000000000 -0400
@@ -104,8 +116,25 @@
allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/initrc.te 2005-08-11 23:07:13.000000000 -0400
-@@ -319,3 +319,6 @@
++++ policy-1.25.4/domains/program/initrc.te 2005-08-24 09:59:24.000000000 -0400
+@@ -214,7 +214,15 @@
+ allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+ allow initrc_t self:capability sys_admin;
+ allow initrc_t device_t:dir create;
+-
++# wants to delete /poweroff and other files
++allow initrc_t root_t:file unlink;
++# wants to read /.fonts directory
++allow initrc_t default_t:file { getattr read };
++ifdef(`xserver.te', `
++# wants to cleanup xserver log dir
++allow initrc_t xserver_log_t:dir rw_dir_perms;
++allow initrc_t xserver_log_t:file unlink;
++')
+ ')dnl end distro_redhat
+
+ allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
+@@ -319,3 +327,6 @@
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
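Review bot: the two new rules at the top of the distro_redhat block are broader than their comments describe. `allow initrc_t root_t:file unlink;` permits unlinking any file labelled root_t, not only /poweroff, and `allow initrc_t default_t:file { getattr read };` lets initrc_t read every file carrying the fallback default_t label (anything unlabelled or mislabelled), not only /.fonts. If the targets really are just /poweroff and /.fonts, a dedicated type in the file contexts would keep the grant narrow; otherwise the comments should say the access is deliberately generic. The xserver_log_t cleanup rules are correctly wrapped in ifdef(`xserver.te').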
@@ -280,7 +309,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.25.4/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/restorecon.te 2005-08-16 14:14:56.000000000 -0400
++++ policy-1.25.4/domains/program/restorecon.te 2005-08-22 16:23:42.000000000 -0400
@@ -19,7 +19,7 @@
role sysadm_r types restorecon_t;
role secadm_r types restorecon_t;
@@ -290,6 +319,16 @@
allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
+@@ -45,6 +45,9 @@
+ ifdef(`distro_redhat', `
+ allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
+ ')
++ifdef(`dpkg.te', `
++domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)
++')
+
+ allow restorecon_t ptyfile:chr_file getattr;
+
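Review bot: the new `domain_auto_trans(dpkg_t, restorecon_exec_t, restorecon_t)` carries no comment explaining what dpkg runs restorecon for, unlike the neighbouring distro_redhat rule; since restorecon_t can relabel files system-wide, a one-line note on which package hook needs it would help later readers. The ifdef(`dpkg.te') guard is correct so the rule only compiles when the dpkg domain exists.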
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.25.4/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.4/domains/program/setfiles.te 2005-08-16 14:13:22.000000000 -0400
@@ -304,8 +343,23 @@
allow setfiles_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.25.4/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/ssh.te 2005-08-16 14:15:31.000000000 -0400
-@@ -145,6 +145,7 @@
++++ policy-1.25.4/domains/program/ssh.te 2005-08-22 16:23:42.000000000 -0400
+@@ -114,6 +114,14 @@
+ can_create_pty($1, `, server_pty')
+ allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
+ dontaudit sshd_t userpty_type:chr_file relabelfrom;
++
++allow $1_t faillog_t:file { append getattr };
++allow $1_t sbin_t:file getattr;
++
++# Allow checking users mail at login
++allow $1_t { var_spool_t mail_spool_t }:dir search;
++allow $1_t mail_spool_t:lnk_file read;
++allow $1_t mail_spool_t:file getattr;
+ ')dnl end sshd_program_domain
+
+ # macro for defining which domains a sshd can spawn
+@@ -145,6 +153,7 @@
#
sshd_program_domain(sshd)
if (ssh_sysadm_login) {
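Review bot: moving the faillog_t, sbin_t and mail spool rules into sshd_program_domain changes their scope from sshd_t alone to every domain the macro instantiates (the context further down this file shows `{ sshd_t sshd_extern_t }`), so sshd_extern_t also gains `append getattr` on faillog_t and search/read on the mail spool; confirm that is intended for the externally facing instance. Style: the new lines correctly use `$1_t`, while the pre-existing `dontaudit sshd_t userpty_type:chr_file relabelfrom;` two lines above still hardcodes sshd_t inside the same macro and could be fixed in the same pass. The faillog_t and sbin_t rules would also benefit from a comment like the one the mail rules carry.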
@@ -313,7 +367,19 @@
sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
} else {
sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
-@@ -175,7 +176,7 @@
+@@ -160,11 +169,6 @@
+ # for when the network connection breaks after running newrole -r sysadm_r
+ dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
+
+-# Allow checking users mail at login
+-allow sshd_t { var_spool_t mail_spool_t }:dir search;
+-allow sshd_t mail_spool_t:lnk_file read;
+-allow sshd_t mail_spool_t:file getattr;
+-
+ ifdef(`inetd.te', `
+ if (run_ssh_inetd) {
+ allow inetd_t ssh_port_t:tcp_socket name_bind;
+@@ -175,7 +179,7 @@
allow { sshd_t sshd_extern_t } self:process signal;
} else {
')
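Review bot: this removal is only correct in combination with the re-addition of the same three mail spool rules inside sshd_program_domain earlier in the patch; the net effect is a widening to all macro instances rather than a removal, which the commit message's "cleanups" understates. Nothing else in the hunk changes behaviour.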
@@ -322,9 +388,57 @@
allow { sshd_t sshd_extern_t } self:capability net_bind_service;
allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
+@@ -228,5 +232,3 @@
+ allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+ allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
+ allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+-allow sshd_t faillog_t:file { append getattr };
+-allow sshd_t sbin_t:file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.25.4/domains/program/unused/acct.te
+--- nsapolicy/domains/program/unused/acct.te 2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.4/domains/program/unused/acct.te 2005-08-22 16:23:42.000000000 -0400
+@@ -23,10 +23,11 @@
+
+ type acct_data_t, file_type, logfile, sysadmfile;
+
+-allow acct_t self:capability sys_pacct;
++# not sure why we need this, the command "last" is reported as using it
++dontaudit acct_t self:capability kill;
+
+ # gzip needs chown capability for some reason
+-allow acct_t self:capability chown;
++allow acct_t self:capability { chown fsetid sys_pacct };
+
+ allow acct_t var_t:dir { getattr search };
+ rw_dir_create_file(acct_t, acct_data_t)
+@@ -37,14 +38,13 @@
+
+ read_locale(acct_t)
+
+-allow acct_t self:capability fsetid;
+ allow acct_t fs_t:filesystem getattr;
+
+ allow acct_t self:unix_stream_socket create_socket_perms;
+
+ allow acct_t self:fifo_file { read write getattr };
+
+-allow acct_t proc_t:file { read getattr };
++allow acct_t { self proc_t }:file { read getattr };
+
+ read_sysctl(acct_t)
+
+@@ -53,8 +53,6 @@
+ # for nscd
+ dontaudit acct_t var_run_t:dir search;
+
+-# not sure why we need this, the command "last" is reported as using it
+-dontaudit acct_t self:capability kill;
+
+ allow acct_t devtty_t:chr_file { read write };
+
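Review bot: in acct.te the comment `# gzip needs chown capability for some reason` now sits above `allow acct_t self:capability { chown fsetid sys_pacct };`, so it no longer describes the whole line; either keep sys_pacct on its own line (it is the process-accounting capability that is the reason acct_t exists) or reword the comment to cover all three. The `{ self proc_t }:file` consolidation and the relocation of the dontaudit kill rule with its comment are behaviour-preserving. In ssh.te the two sshd_t rules removed at the end of the file are the ones moved into the macro above, so no permission is lost there.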
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.4/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te 2005-07-05 15:25:45.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/alsa.te 2005-08-16 21:59:46.000000000 -0400
++++ policy-1.25.4/domains/program/unused/alsa.te 2005-08-23 11:55:45.000000000 -0400
@@ -6,12 +6,19 @@
type alsa_t, domain, privlog, daemon;
type alsa_exec_t, file_type, sysadmfile, exec_type;
@@ -336,7 +450,7 @@
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
-+allow unpriv_userdomain alsa_t:shm { unix_read unix_write };
++allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
rw_dir_create_file(alsa_t,alsa_etc_rw_t)
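Review bot: `allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };` widens the previous unix_read/unix_write grant to the full create_shm_perms set for every unprivileged user domain; if that macro expands to the create/destroy/setattr set as in the core macros, any unprivileged user can create and destroy alsa_t shared-memory segments, which is more than the sem rule directly above grants. Check whether `{ read write associate getattr }` like the sem rule is enough, and add a comment naming the client behaviour that triggered it.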
@@ -729,6 +843,19 @@
create_dir_file(dovecot_t, dovecot_spool_t)
create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.25.4/domains/program/unused/dpkg.te
+--- nsapolicy/domains/program/unused/dpkg.te 2005-04-27 10:28:50.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dpkg.te 2005-08-22 16:23:42.000000000 -0400
+@@ -178,6 +178,9 @@
+ type apt_rw_etc_t, file_type, sysadmfile;
+ tmp_domain(apt, `', `{ dir file lnk_file }')
+ can_exec(apt_t, apt_tmp_t)
++ifdef(`crond.te', `
++allow system_crond_t apt_etc_t:file { getattr read };
++')
+
+ rw_dir_create_file(apt_t, apt_rw_etc_t)
+
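Review bot: `allow system_crond_t apt_etc_t:file { getattr read };` has no comment saying which cron job reads the apt configuration; the same pattern appears later in this patch for mysqld_etc_t. A short note on the triggering job keeps these cron-to-config grants from accumulating silently. The ifdef(`crond.te') guard is correct.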
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.4/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.25.4/domains/program/unused/firstboot.te 2005-08-11 23:07:13.000000000 -0400
@@ -753,6 +880,18 @@
allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
allow firstboot_t proc_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fs_daemon.te policy-1.25.4/domains/program/unused/fs_daemon.te
+--- nsapolicy/domains/program/unused/fs_daemon.te 2005-04-27 10:28:50.000000000 -0400
++++ policy-1.25.4/domains/program/unused/fs_daemon.te 2005-08-22 16:23:42.000000000 -0400
+@@ -15,6 +15,8 @@
+ allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
+ allow fsdaemon_t etc_runtime_t:file { getattr read };
+
++allow fsdaemon_t proc_mdstat_t:file { getattr read };
++
+ can_exec_any(fsdaemon_t)
+ allow fsdaemon_t self:fifo_file rw_file_perms;
+ can_network_udp(fsdaemon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.4/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ftpd.te 2005-08-11 23:07:13.000000000 -0400
@@ -850,6 +989,29 @@
ifdef(`anaconda.te', `
domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.25.4/domains/program/unused/lvm.te
+--- nsapolicy/domains/program/unused/lvm.te 2005-08-11 06:57:15.000000000 -0400
++++ policy-1.25.4/domains/program/unused/lvm.te 2005-08-22 16:23:42.000000000 -0400
+@@ -101,6 +101,7 @@
+ dontaudit lvm_t ttyfile:chr_file getattr;
+ dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
+ dontaudit lvm_t devpts_t:dir { getattr read };
++dontaudit lvm_t xconsole_device_t:fifo_file getattr;
+
+ ifdef(`gpm.te', `
+ dontaudit lvm_t gpmctl_t:sock_file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.25.4/domains/program/unused/mailman.te
+--- nsapolicy/domains/program/unused/mailman.te 2005-04-27 10:28:51.000000000 -0400
++++ policy-1.25.4/domains/program/unused/mailman.te 2005-08-22 16:23:42.000000000 -0400
+@@ -91,6 +91,8 @@
+
+ allow mta_delivery_agent mailman_data_t:dir search;
+ allow mta_delivery_agent mailman_data_t:lnk_file read;
++allow initrc_t mailman_data_t:lnk_file read;
++allow initrc_t mailman_data_t:dir r_dir_perms;
+ domain_auto_trans({ mta_delivery_agent initrc_t }, mailman_mail_exec_t, mailman_mail_t)
+ ifdef(`direct_sysadm_daemon', `
+ domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.25.4/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/mta.te 2005-08-17 17:37:56.000000000 -0400
@@ -872,7 +1034,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.25.4/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/mysqld.te 2005-08-15 11:27:51.000000000 -0400
++++ policy-1.25.4/domains/program/unused/mysqld.te 2005-08-22 16:25:08.000000000 -0400
@@ -12,7 +12,7 @@
#
daemon_domain(mysqld, `, nscd_client_domain')
@@ -891,6 +1053,13 @@
can_ypbind(mysqld_t)
# read config files
+@@ -89,3 +89,6 @@
+ ')
+
+ allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
++ifdef(`crond.te', `
++allow system_crond_t mysqld_etc_t:file { getattr read };
++')
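Review bot: mysqld_etc_t is the MySQL configuration type, and configuration files of that kind commonly carry database credentials, so granting system_crond_t read on all of it deserves a comment naming the cron job and, if only one file is involved, a narrower type. The hunk is placed after the existing `')` so the ifdef nesting is correct.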
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.4/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-08-11 06:57:14.000000000 -0400
+++ policy-1.25.4/domains/program/unused/NetworkManager.te 2005-08-11 23:07:13.000000000 -0400
@@ -919,6 +1088,38 @@
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.25.4/domains/program/unused/ntpd.te
+--- nsapolicy/domains/program/unused/ntpd.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ntpd.te 2005-08-22 16:23:42.000000000 -0400
+@@ -26,7 +26,7 @@
+ # for SSP
+ allow ntpd_t urandom_device_t:chr_file { getattr read };
+
+-allow ntpd_t self:capability { kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
+ dontaudit ntpd_t self:capability { net_admin };
+ allow ntpd_t self:process { setcap setsched };
+ # ntpdate wants sys_nice
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.25.4/domains/program/unused/openct.te
+--- nsapolicy/domains/program/unused/openct.te 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/domains/program/unused/openct.te 2005-08-23 06:57:53.000000000 -0400
+@@ -0,0 +1,16 @@
++#DESC openct - read files in page cache
++#
++# Author: Dan Walsh (dwalsh at redhat.com)
++#
++
++#################################
++#
++# Declarations for openct
++#
++
++daemon_domain(openct)
++#
++# openct asks for these
++#
++rw_dir_file(openct_t, usbfs_t)
++allow openct_t etc_t:file r_file_perms;
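Review bot: two points. In ntpd.te the capability line grows by `chown dac_override` with no comment, while the neighbouring `# ntpdate wants sys_nice` shows the file's convention of explaining each extra capability; dac_override in particular lets ntpd_t bypass file permission bits on everything its type rules already allow, so the reason (which file it could not open) should be recorded. In openct.te the header `#DESC openct - read files in page cache` is copied verbatim from readahead.te and does not describe openct (the usbfs_t rule points to a smart-card reader daemon); fix the description.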
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.25.4/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/pamconsole.te 2005-08-16 08:53:16.000000000 -0400
@@ -1053,6 +1254,31 @@
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.25.4/domains/program/unused/readahead.te
+--- nsapolicy/domains/program/unused/readahead.te 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/domains/program/unused/readahead.te 2005-08-23 06:57:53.000000000 -0400
+@@ -0,0 +1,21 @@
++#DESC readahead - read files in page cache
++#
++# Author: Dan Walsh (dwalsh at redhat.com)
++#
++
++#################################
++#
++# Declarations for readahead
++#
++
++daemon_domain(readahead)
++#
++# readahead asks for these
++#
++allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
++allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
++dontaudit readahead_t shadow_t:file { getattr read };
++allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
++dontaudit readahead_t file_type:sock_file getattr;
++allow readahead_t proc_t:file { getattr read };
++dontaudit readahead_t device_type:blk_file read;
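Review bot: readahead_t is granted getattr/read on every `{ file_type -secure_file_type }` file and symlink plus r_dir_perms on all such directories, which makes it a near system-wide read domain; that is readahead's job, but it is worth stating in a comment that secure_file_type (with the explicit dontaudit for shadow_t) is the only exclusion, and confirming that daemon_domain(readahead) gives no transition path from user domains. The `dontaudit readahead_t device_type:blk_file read;` line correctly stops short of allowing raw block reads.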
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.4/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te 2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/rlogind.te 2005-08-11 23:07:13.000000000 -0400
@@ -1214,6 +1440,29 @@
allow locate_t file_type:lnk_file r_file_perms;
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.4/domains/program/unused/squid.te
+--- nsapolicy/domains/program/unused/squid.te 2005-08-11 06:57:15.000000000 -0400
++++ policy-1.25.4/domains/program/unused/squid.te 2005-08-23 14:41:20.000000000 -0400
+@@ -60,7 +60,7 @@
+ can_tcp_connect(web_client_domain, squid_t)
+
+ # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
+-allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
++allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:{ tcp_socket udp_socket } name_bind;
+ allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
+
+ # to allow running programs from /usr/lib/squid (IE unlinkd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sxid.te policy-1.25.4/domains/program/unused/sxid.te
+--- nsapolicy/domains/program/unused/sxid.te 2005-05-25 11:28:10.000000000 -0400
++++ policy-1.25.4/domains/program/unused/sxid.te 2005-08-22 16:23:42.000000000 -0400
+@@ -32,6 +32,7 @@
+ allow sxid_t ttyfile:chr_file getattr;
+ allow sxid_t file_type:dir { getattr read search };
+ allow sxid_t sysadmfile:file { getattr read };
++dontaudit sxid_t devpts_t:dir r_dir_perms;
+ allow sxid_t fs_type:dir { getattr read search };
+
+ # Use the network.
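Review bot: the squid name_bind change widens binding from http_cache_port_t to the gopher, ftp and http port types for both tcp_socket and udp_socket, but the comment above it (`# tcp port 8080 and udp port 3130 is http_cache_port_t`) still describes the old single-type rule and should be updated. A UDP name_bind to http_port_t, ftp_port_t and gopher_port_t is unlikely to be needed; splitting the rule so only http_cache_port_t keeps udp_socket would match the name_connect line below more closely. The sxid dontaudit on devpts_t is fine.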
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.4/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-08-11 06:57:15.000000000 -0400
+++ policy-1.25.4/domains/program/unused/udev.te 2005-08-15 15:53:06.000000000 -0400
@@ -1292,6 +1541,14 @@
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
can_winbind(winbind_helper_t)
allow winbind_helper_t privfd:fd use;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.25.4/domains/program/unused/ypserv.te
+--- nsapolicy/domains/program/unused/ypserv.te 2005-04-27 10:28:54.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ypserv.te 2005-08-22 14:11:25.000000000 -0400
+@@ -39,3 +39,4 @@
+ ')
+ allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+ dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
++can_exec(ypserv_t, bin_t)
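Review bot: `can_exec(ypserv_t, bin_t)` lets the NIS server execute any bin_t program in its own domain with no comment on which helper it runs; as with the other additions in this patch, a one-line justification (and, if it is a single script, a dedicated exec type) would keep the grant reviewable.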
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.25.4/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te 2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.4/domains/program/useradd.te 2005-08-16 08:53:30.000000000 -0400
@@ -1308,9 +1565,35 @@
allow useradd_t file_context_t:dir search;
allow useradd_t file_context_t:file { getattr read };
+allow useradd_t var_lib_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.25.4/file_contexts/distros.fc
+--- nsapolicy/file_contexts/distros.fc 2005-08-11 06:57:15.000000000 -0400
++++ policy-1.25.4/file_contexts/distros.fc 2005-08-23 11:56:05.000000000 -0400
+@@ -99,6 +99,7 @@
+ /usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
+ /usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
+ /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
++/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t
+
+ # Fedora Extras packages: ladspa, imlib2, ocaml
+ /usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
+@@ -145,7 +146,6 @@
+
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
+-
+ /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+ /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+ /usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
+@@ -159,4 +159,5 @@
+ /usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+ /success -- system_u:object_r:etc_runtime_t
+ /etc/defkeymap\.map -- system_u:object_r:etc_runtime_t
+-')
++'
++)
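Review bot: the last change turns the closing `')` into `'` and `)` on separate lines, which looks like an accidental edit rather than a cleanup: the newline between the closing quote and the paren becomes trailing text in the ifdef argument, harmless in m4 but serving no purpose and differing from every other ifdef block in the file. Restore `')`. The new libsoffice.so texrel_shlib_t entry follows the existing pattern.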
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.4/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/apache.fc 2005-08-11 23:07:13.000000000 -0400
++++ policy-1.25.4/file_contexts/program/apache.fc 2005-08-22 16:23:42.000000000 -0400
@@ -7,6 +7,8 @@
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
@@ -1320,6 +1603,26 @@
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf.* system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_t
+@@ -26,15 +28,17 @@
+ /var/log/cgiwrap\.log.* -- system_u:object_r:httpd_log_t
+ /var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
+ /var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
+-/var/run/apache(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
++/var/run/apache.* system_u:object_r:httpd_var_run_t
+ /var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
+ /var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
+ /etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
+ /usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t
+ /usr/sbin/apache-ssl(2)? -- system_u:object_r:httpd_exec_t
+ /var/log/apache-ssl(2)?(/.*)? system_u:object_r:httpd_log_t
+-/var/run/apache-ssl(2)?\.pid.* -- system_u:object_r:httpd_var_run_t
+ /var/run/gcache_port -s system_u:object_r:httpd_var_run_t
++ifdef(`distro_debian', `
++/var/log/horde2(/.*)? system_u:object_r:httpd_log_t
++')
+ ifdef(`distro_suse', `
+ # suse puts shell scripts there :-(
+ /usr/share/apache2/[^/]* -- system_u:object_r:bin_t
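Review bot: replacing `/var/run/apache(2)?\.pid.* --` with `/var/run/apache.*` (no object-class specifier) also covers the deleted `/var/run/apache-ssl(2)?\.pid.*` line, but it now labels directories, sockets and anything else under /var/run whose name begins with apache as httpd_var_run_t; if only pid files and the apache run directory are meant, keep the `--` form or add an explicit `-d` entry. The distro_debian horde2 log entry is guarded correctly.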
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.4/file_contexts/program/certwatch.fc
--- nsapolicy/file_contexts/program/certwatch.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.25.4/file_contexts/program/certwatch.fc 2005-08-11 23:07:13.000000000 -0400
@@ -1327,6 +1630,15 @@
+# certwatch.fc
+/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t
+
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/clamav.fc policy-1.25.4/file_contexts/program/clamav.fc
+--- nsapolicy/file_contexts/program/clamav.fc 2005-04-06 06:57:44.000000000 -0400
++++ policy-1.25.4/file_contexts/program/clamav.fc 2005-08-22 16:23:42.000000000 -0400
+@@ -12,4 +12,4 @@
+ /var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
+ /var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
+ /var/run/clamav(/.*)? system_u:object_r:clamd_var_run_t
+-/var/run/clamav/clamd.sock -s system_u:object_r:clamd_sock_t
++/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.4/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.4/file_contexts/program/cups.fc 2005-08-11 23:07:13.000000000 -0400
@@ -1338,6 +1650,29 @@
/etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t
/etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t
/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.25.4/file_contexts/program/dhcpc.fc
+--- nsapolicy/file_contexts/program/dhcpc.fc 2005-04-14 15:01:54.000000000 -0400
++++ policy-1.25.4/file_contexts/program/dhcpc.fc 2005-08-24 11:19:13.000000000 -0400
+@@ -4,6 +4,7 @@
+ /etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
+ /etc/dhclient-script -- system_u:object_r:dhcp_etc_t
+ /sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
++/sbin/dhcdbd -- system_u:object_r:dhcpc_exec_t
+ /sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
+ /var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
+ /var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.25.4/file_contexts/program/dhcpd.fc
+--- nsapolicy/file_contexts/program/dhcpd.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.25.4/file_contexts/program/dhcpd.fc 2005-08-24 11:18:44.000000000 -0400
+@@ -3,7 +3,7 @@
+ /etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t
+ /usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
+ /var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
+-/var/run/dhcpd\.pid -d system_u:object_r:dhcpd_var_run_t
++/var/run/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
+ ifdef(`dhcp_defined', `', `
+ /var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
+ define(`dhcp_defined')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fsadm.fc policy-1.25.4/file_contexts/program/fsadm.fc
--- nsapolicy/file_contexts/program/fsadm.fc 2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.4/file_contexts/program/fsadm.fc 2005-08-16 13:38:13.000000000 -0400
@@ -1346,6 +1681,31 @@
/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
/sbin/partprobe -- system_u:object_r:fsadm_exec_t
+/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/openct.fc policy-1.25.4/file_contexts/program/openct.fc
+--- nsapolicy/file_contexts/program/openct.fc 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/file_contexts/program/openct.fc 2005-08-24 09:57:53.000000000 -0400
+@@ -0,0 +1,2 @@
++/usr/sbin/openct-control -- system_u:object_r:openct_exec_t
++/var/run/openct(/.*)? system_u:object_r:openct_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postfix.fc policy-1.25.4/file_contexts/program/postfix.fc
+--- nsapolicy/file_contexts/program/postfix.fc 2005-05-25 11:28:10.000000000 -0400
++++ policy-1.25.4/file_contexts/program/postfix.fc 2005-08-22 16:23:42.000000000 -0400
+@@ -10,6 +10,7 @@
+ /usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
+ /usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t
+ /usr/libexec/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
++/usr/libexec/postfix/scache -- system_u:object_r:postfix_smtp_exec_t
+ /usr/libexec/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
+ /usr/libexec/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
+ /usr/libexec/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
+@@ -22,6 +23,7 @@
+ /usr/lib/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
+ /usr/lib/postfix/showq -- system_u:object_r:postfix_showq_exec_t
+ /usr/lib/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
++/usr/lib/postfix/scache -- system_u:object_r:postfix_smtp_exec_t
+ /usr/lib/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
+ /usr/lib/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
+ /usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.25.4/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.25.4/file_contexts/program/postgresql.fc 2005-08-11 23:07:13.000000000 -0400
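Review bot: both new `scache` entries (`/usr/libexec/postfix/scache` and `/usr/lib/postfix/scache`) are labelled `postfix_smtp_exec_t`, which runs the connection cache daemon in the same domain as the smtp client rather than in a type of its own; if that sharing is deliberate, put a comment next to the entry so the next reader does not "fix" it into a new domain without realising the transition rules that go with it. The new `/var/run/openct(/.*)?` entry has no file-type field, so it labels the directory and everything below it, which is the usual and correct pattern for a run directory.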
@@ -1379,14 +1739,31 @@
+/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/qmail.fc policy-1.25.4/file_contexts/program/qmail.fc
+--- nsapolicy/file_contexts/program/qmail.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.25.4/file_contexts/program/qmail.fc 2005-08-22 16:29:14.000000000 -0400
+@@ -17,7 +17,7 @@
+ /usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t
+ /usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t
+ /usr/local/bin/serialmail/.* -- system_u:object_r:qmail_serialmail_exec_t
+-# qmail - djb's locations
++# qmail - djb locations
+ /var/qmail/control(/.*)? system_u:object_r:qmail_etc_t
+ /var/qmail/bin -d system_u:object_r:bin_t
+ /var/qmail/queue(/.*)? system_u:object_r:qmail_spool_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/radvd.fc policy-1.25.4/file_contexts/program/radvd.fc
--- nsapolicy/file_contexts/program/radvd.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/radvd.fc 2005-08-15 10:01:10.000000000 -0400
++++ policy-1.25.4/file_contexts/program/radvd.fc 2005-08-22 16:23:42.000000000 -0400
@@ -2,3 +2,4 @@
/etc/radvd\.conf -- system_u:object_r:radvd_etc_t
/usr/sbin/radvd -- system_u:object_r:radvd_exec_t
/var/run/radvd\.pid -- system_u:object_r:radvd_var_run_t
+/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/readahead.fc policy-1.25.4/file_contexts/program/readahead.fc
+--- nsapolicy/file_contexts/program/readahead.fc 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/file_contexts/program/readahead.fc 2005-08-24 09:57:59.000000000 -0400
+@@ -0,0 +1 @@
++/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/roundup.fc policy-1.25.4/file_contexts/program/roundup.fc
--- nsapolicy/file_contexts/program/roundup.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.25.4/file_contexts/program/roundup.fc 2005-08-22 09:52:34.000000000 -0400
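Review bot: `/var/run/pptp(/.*)? --` combines a directory-tree regex with the `--` (regular file) type, so `/var/run/pptp` itself is never matched and keeps the default /var/run label, while only files inside it get `pptp_var_run_t`; compare `/var/run/radvd(/.*)?` and `/var/run/openct(/.*)?` in this same patch, which omit the type field. Either drop the `--` or add a separate `-d` entry for the directory.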
@@ -1405,9 +1782,29 @@
/var/[xgk]dm(/.*)? system_u:object_r:xserver_log_t
/usr/var/[xgkw]dm(/.*)? system_u:object_r:xserver_log_t
/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ypserv.fc policy-1.25.4/file_contexts/program/ypserv.fc
+--- nsapolicy/file_contexts/program/ypserv.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.25.4/file_contexts/program/ypserv.fc 2005-08-22 14:10:35.000000000 -0400
+@@ -1,3 +1,4 @@
+ # ypserv
+ /usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
++/usr/lib/yp/.+ -- system_u:object_r:bin_t
+ /etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.4/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/file_contexts/types.fc 2005-08-11 23:07:13.000000000 -0400
++++ policy-1.25.4/file_contexts/types.fc 2005-08-22 16:29:14.000000000 -0400
+@@ -46,9 +46,9 @@
+ #
+ # Ordinary user home directories.
+ # HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
+-# HOME_DIR expands to each user's home directory,
++# HOME_DIR expands to each users home directory,
+ # and to HOME_ROOT/[^/]+ for each HOME_ROOT.
+-# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
++# ROLE expands to each users role when role != user_r, and to "user" otherwise.
+ #
+ HOME_ROOT -d system_u:object_r:home_root_t
+ HOME_DIR -d system_u:object_r:ROLE_home_dir_t
@@ -503,8 +503,8 @@
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
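Review bot: the new `/usr/lib/yp/.+ -- bin_t` entry does not cover lib64 (the thunderbird entries right below use `/usr/lib(64)?/`), and the spec changelog entry added in this same commit describes the fix as `/var/lib/yp/*`, so one of the two paths needs correcting. The `user's` to `users` rewording in the types.fc comment (like `djb's` to `djb` in qmail.fc above) reads as a grammar regression; if the reason is that these files pass through m4, where an unbalanced `'` closes a quote (the `ifdef(`...')` and `dnl` lines show m4 is in play), say so in a comment at the top of the file so nobody reinstates the apostrophe.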
@@ -1707,6 +2104,18 @@
') dnl evolution_data_server
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.25.4/macros/program/gpg_macros.te
+--- nsapolicy/macros/program/gpg_macros.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/macros/program/gpg_macros.te 2005-08-22 16:23:42.000000000 -0400
+@@ -48,7 +48,7 @@
+ allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
+
+ # setrlimit is for ulimit -c 0
+-allow $1_gpg_t self:process { setrlimit setcap };
++allow $1_gpg_t self:process { setrlimit setcap setpgid };
+
+ # allow ps to show gpg
+ can_ps($1_t, $1_gpg_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.4/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te 2005-08-11 06:57:18.000000000 -0400
+++ policy-1.25.4/macros/program/mail_client_macros.te 2005-08-11 23:07:13.000000000 -0400
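Review bot: the comment above the changed line (`# setrlimit is for ulimit -c 0`) explains `setrlimit` but says nothing about the newly added `setpgid`; extend it with why gpg needs to change its own process group, so the widening of the self:process permission set has a recorded justification. The grant is on `self` only, so it stays inside the `$1_gpg_t` domain and does not affect the `$1_t` caller.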
@@ -1854,7 +2263,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.25.4/Makefile
--- nsapolicy/Makefile 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/Makefile 2005-08-11 23:14:04.000000000 -0400
++++ policy-1.25.4/Makefile 2005-08-22 16:46:57.000000000 -0400
@@ -15,6 +15,9 @@
# Set to y if MLS is enabled in the policy.
MLS=n
@@ -1865,7 +2274,7 @@
FLASKDIR = flask/
PREFIX = /usr
BINDIR = $(PREFIX)/bin
-@@ -24,14 +27,18 @@
+@@ -24,14 +27,15 @@
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
@@ -1879,14 +2288,11 @@
-else
-TYPE=strict
endif
-+ifeq ($(MCS),y)
-+TYPE=mcs
-+endif
+
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
-@@ -54,6 +61,10 @@
+@@ -54,6 +58,10 @@
POLICYFILES += mls
CHECKPOLMLS += -M
endif
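Review bot: with the `ifeq ($(MCS),y)` / `TYPE=mcs` / `endif` block dropped from the patch, `INSTALLDIR = $(TOPDIR)/$(TYPE)` no longer gets an mcs-specific directory, so an MCS build now installs into the same tree as the base type. If that is deliberate (MCS treated as a variant of the base policy rather than a separate installed policy), a comment at the INSTALLDIR line would make it explicit; if not, the removed block needs to come back.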
@@ -1897,19 +2303,19 @@
DEFCONTEXTFILES = initial_sid_contexts fs_use genfs_contexts net_contexts
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
POLICYFILES += $(USER_FILES)
-@@ -148,8 +159,10 @@
+@@ -148,8 +156,10 @@
@echo "Compiling policy ..."
@mkdir -p $(POLICYPATH)
$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
-ifneq ($(MLS),y)
+ifneq ($(VERS),$(PREVERS))
-+ $(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
++ $(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf
endif
+
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
-@@ -162,7 +175,11 @@
+@@ -162,7 +172,11 @@
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
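Review bot: adding `$(CHECKPOLMLS)` to the `-c $(PREVERS)` compile is the right fix. The guard is now `ifneq ($(VERS),$(PREVERS))` instead of `ifneq ($(MLS),y)`, so the compatibility policy is also built when MLS is on, and without the `-M` that CHECKPOLMLS carries (see the `CHECKPOLMLS += -M` line above) checkpolicy would not build the same MLS-enabled policy.conf the main target compiles. The two invocations now differ only in `-c $(PREVERS)`, which is the property to keep when either line is edited.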
@@ -1921,7 +2327,7 @@
touch tmp/load
load: tmp/load $(FCPATH)
-@@ -328,3 +345,22 @@
+@@ -328,3 +342,22 @@
@sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
@mv Makefile.new Makefile
@echo "Done"
@@ -1946,8 +2352,8 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.25.4/mcs
--- nsapolicy/mcs 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/mcs 2005-08-11 23:15:17.000000000 -0400
-@@ -0,0 +1,212 @@
++++ policy-1.25.4/mcs 2005-08-23 16:13:48.000000000 -0400
+@@ -0,0 +1,216 @@
+#
+# Define sensitivities
+#
@@ -2153,6 +2559,10 @@
+mlsconstrain file { read write setattr append unlink link rename
+ create ioctl lock execute } (h1 dom h2);
+
++# new file labels must be dominated by the relabeling subject's clearance
++mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
++ ( h1 dom h2 );
++
+
+# XXX
+#
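Review bot: the new `mlsconstrain` is a sound defence-in-depth rule: `(h1 dom h2)` on relabelto stops a subject from assigning a file categories above its own clearance, and on relabelfrom it stops the subject from stripping categories it cannot itself read. The comment only describes the relabelto half; extend it to cover relabelfrom. Two smaller points: the comment contains an apostrophe (`subject's`) while this same patch removes apostrophes from comments elsewhere (types.fc, qmail.fc, assert.te), so confirm this file is not subject to the same quoting problem; and the added lines leave two consecutive blank lines before `# XXX`.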
@@ -2178,6 +2588,18 @@
# Nodes (default = initial SID "node")
#
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.25.4/targeted/assert.te
+--- nsapolicy/targeted/assert.te 2005-05-25 11:28:11.000000000 -0400
++++ policy-1.25.4/targeted/assert.te 2005-08-22 16:29:14.000000000 -0400
+@@ -24,7 +24,7 @@
+ # send SIGCHLD for child termination notifications.
+ neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
+
+-# Confined domains must never see unconfined domain's /proc/pid entries.
++# Confined domains must never see /proc/pid entries for an unconfined domain.
+ neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
+
+ #
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.4/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-07-12 08:50:44.000000000 -0400
+++ policy-1.25.4/targeted/domains/unconfined.te 2005-08-17 17:38:44.000000000 -0400
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.371
retrieving revision 1.372
diff -u -r1.371 -r1.372
--- selinux-policy-strict.spec 22 Aug 2005 16:26:27 -0000 1.371
+++ selinux-policy-strict.spec 24 Aug 2005 15:37:21 -0000 1.372
@@ -4,14 +4,14 @@
%define PRE_FILE_CONTEXT %{FILE_CONTEXT}.pre
%define POLICYVER 20
%define PREVPOLICYVER 19
-%define POLICYCOREUTILSVER 1.22-2
-%define CHECKPOLICYVER 1.25.8
+%define POLICYCOREUTILSVER 1.25.5-2
+%define CHECKPOLICYVER 1.25.11-2
%define LIBSELINUXVER 1.23.5-1
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.25.4
-Release: 5
+Release: 8
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
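Review bot: the build requirement bumps (POLICYCOREUTILSVER 1.22-2 to 1.25.5-2, CHECKPOLICYVER 1.25.8 to 1.25.11-2) are not mentioned in the changelog, which only says `Apply russell's cleanups`; record which change in this commit needs the newer checkpolicy and policycoreutils so the dependency can be traced later rather than cargo-culted forward.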
@@ -237,6 +237,15 @@
exit 0
%changelog
+* Mon Aug 22 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-8
+- Apply russell's cleanups
+
+* Mon Aug 22 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-7
+- Bump for FC-4
+
+* Mon Aug 22 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-5
+- Fix /var/lib/yp/* file_context
+
* Mon Aug 22 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-5
- Add capifs
- Add roundup policy
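Review bot: the changelog now carries two `1.25.4-5` entries (the new `Fix /var/lib/yp/* file_context` one and the existing `Add capifs` one) while Release jumps from 5 to 8 with no 1.25.4-6 entry, so the new entry is almost certainly mislabelled and should be 1.25.4-6. Its text also says `/var/lib/yp/*`, whereas the file_contexts hunk in this commit adds `/usr/lib/yp/.+`; align the two.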