rpms/selinux-policy/devel modules-mls.conf, 1.5, 1.6 policy-20051208.patch, 1.26, 1.27 selinux-policy.spec, 1.62, 1.63
fedora-cvs-commits at redhat.com
Thu Dec 22 21:40:20 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20536
Modified Files:
modules-mls.conf policy-20051208.patch selinux-policy.spec
Log Message:
* Wed Dec 21 2005 Dan Walsh <dwalsh at redhat.com> 2.1.6-15
- Fix passwd command on mls
Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- modules-mls.conf 21 Dec 2005 18:07:27 -0000 1.5
+++ modules-mls.conf 22 Dec 2005 21:40:15 -0000 1.6
@@ -928,3 +928,17 @@
# java executable
#
java = off
+
+# Layer: services
+# Module: prelink
+#
+# prelink executable
+#
+prelink = base
+
+# Layer: services
+# Module: locate
+#
+# locate executable
+#
+locate = base
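Review bot: the log message for 2.1.6-15 mentions only the passwd fix, yet the two stanzas added after "java = off" set prelink and locate to "base", which builds both modules into the MLS base policy. Add a changelog line for that. The descriptions "prelink executable" and "locate executable" are placeholders; say what each module confines.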
policy-20051208.patch:
Makefile | 2
Rules.modular | 10
config/appconfig-strict-mcs/default_type | 6
config/appconfig-strict-mls/default_type | 7
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-targeted-mcs/default_type | 2
config/appconfig-targeted-mls/default_type | 2
config/appconfig-targeted-mls/initrc_context | 2
man/man8/ftpd_selinux.8 | 56 ++++
man/man8/httpd_selinux.8 | 123 ++++++++
man/man8/kerberos_selinux.8 | 31 ++
man/man8/named_selinux.8 | 29 ++
man/man8/nfs_selinux.8 | 30 ++
man/man8/nis_selinux.8 | 1
man/man8/rsync_selinux.8 | 41 ++
man/man8/samba_selinux.8 | 60 ++++
man/man8/ypbind_selinux.8 | 19 +
policy/global_tunables | 3
policy/mcs | 321 ++++-------------------
policy/mls | 371 +++++----------------------
policy/modules/admin/amanda.te | 4
policy/modules/admin/kudzu.te | 2
policy/modules/admin/logrotate.te | 4
policy/modules/admin/rpm.fc | 1
policy/modules/admin/rpm.te | 19 -
policy/modules/admin/tmpreaper.te | 3
policy/modules/admin/usermanage.te | 15 -
policy/modules/apps/java.fc | 4
policy/modules/apps/java.if | 23 +
policy/modules/apps/java.te | 25 +
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/corecommands.fc | 3
policy/modules/kernel/corecommands.te | 6
policy/modules/kernel/corenetwork.te.in | 12
policy/modules/kernel/devices.fc | 9
policy/modules/kernel/domain.if | 1
policy/modules/kernel/domain.te | 4
policy/modules/kernel/files.fc | 27 +
policy/modules/kernel/files.if | 17 +
policy/modules/kernel/kernel.if | 2
policy/modules/kernel/kernel.te | 30 +-
policy/modules/kernel/mls.te | 9
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 44 +--
policy/modules/services/apache.te | 9
policy/modules/services/automount.te | 9
policy/modules/services/bluetooth.te | 1
policy/modules/services/cron.te | 2
policy/modules/services/cups.te | 1
policy/modules/services/cvs.fc | 2
policy/modules/services/cvs.te | 6
policy/modules/services/dbus.te | 1
policy/modules/services/hal.te | 4
policy/modules/services/ldap.te | 4
policy/modules/services/locate.fc | 4
policy/modules/services/locate.if | 1
policy/modules/services/locate.te | 50 +++
policy/modules/services/mta.te | 13
policy/modules/services/prelink.fc | 7
policy/modules/services/prelink.if | 39 ++
policy/modules/services/prelink.te | 64 ++++
policy/modules/services/remotelogin.te | 1
policy/modules/services/sasl.te | 8
policy/modules/services/sendmail.te | 36 --
policy/modules/services/ssh.te | 10
policy/modules/services/xdm.te | 4
policy/modules/system/authlogin.if | 12
policy/modules/system/authlogin.te | 1
policy/modules/system/getty.te | 3
policy/modules/system/hostname.if | 15 +
policy/modules/system/hostname.te | 37 --
policy/modules/system/init.if | 14 +
policy/modules/system/init.te | 22 +
policy/modules/system/iptables.te | 2
policy/modules/system/libraries.fc | 17 +
policy/modules/system/libraries.te | 4
policy/modules/system/locallogin.te | 2
policy/modules/system/logging.fc | 7
policy/modules/system/logging.if | 21 +
policy/modules/system/logging.te | 5
policy/modules/system/lvm.te | 2
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/selinuxutil.te | 10
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 4
policy/modules/system/unconfined.fc | 2
policy/modules/system/unconfined.te | 9
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 18 +
policy/modules/system/userdomain.te | 16 +
policy/users | 8
91 files changed, 1190 insertions(+), 711 deletions(-)
Index: policy-20051208.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051208.patch,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- policy-20051208.patch 21 Dec 2005 18:21:19 -0000 1.26
+++ policy-20051208.patch 22 Dec 2005 21:40:15 -0000 1.27
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/default_type serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type
--- nsaserefpolicy/config/appconfig-strict-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type 2005-12-22 15:17:06.000000000 -0500
@@ -1,3 +1,3 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
@@ -10,7 +10,7 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.1.6/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-21 10:17:10.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-22 15:17:06.000000000 -0500
@@ -1,3 +1,4 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
@@ -21,31 +21,31 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/initrc_context serefpolicy-2.1.6/config/appconfig-strict-mls/initrc_context
--- nsaserefpolicy/config/appconfig-strict-mls/initrc_context 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mls/initrc_context 2005-12-21 13:05:59.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mls/initrc_context 2005-12-22 15:17:06.000000000 -0500
@@ -1 +1 @@
-system_u:system_r:initrc_t:s0
+system_u:system_r:initrc_t:s0-s15:c0.c255
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type
--- nsaserefpolicy/config/appconfig-targeted-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-22 15:17:06.000000000 -0500
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/default_type serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type
--- nsaserefpolicy/config/appconfig-targeted-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type 2005-12-22 15:17:06.000000000 -0500
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/initrc_context serefpolicy-2.1.6/config/appconfig-targeted-mls/initrc_context
--- nsaserefpolicy/config/appconfig-targeted-mls/initrc_context 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mls/initrc_context 2005-12-21 13:06:16.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mls/initrc_context 2005-12-22 15:17:06.000000000 -0500
@@ -1 +1 @@
-user_u:system_r:unconfined_t:s0
+user_u:system_r:unconfined_t:s0-s15:c0.c255
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.6/Makefile
--- nsaserefpolicy/Makefile 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/Makefile 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/Makefile 2005-12-22 15:17:06.000000000 -0500
@@ -92,7 +92,7 @@
# enable MLS if requested.
@@ -57,7 +57,7 @@
endif
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-2.1.6/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/ftpd_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/ftpd_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,56 @@
+.TH "ftpd_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "ftpd Selinux Policy documentation"
+.SH "NAME"
@@ -117,7 +117,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-2.1.6/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/httpd_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/httpd_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,123 @@
+.TH "httpd_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "httpd Selinux Policy documentation"
+.SH "NAME"
@@ -244,7 +244,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-2.1.6/man/man8/kerberos_selinux.8
--- nsaserefpolicy/man/man8/kerberos_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/kerberos_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/kerberos_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,31 @@
+.TH "kerberos_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "kerberos Selinux Policy documentation"
+.SH "NAME"
@@ -279,7 +279,7 @@
+selinux(8), kerberos(1), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/named_selinux.8 serefpolicy-2.1.6/man/man8/named_selinux.8
--- nsaserefpolicy/man/man8/named_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/named_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/named_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,29 @@
+.TH "named_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "named Selinux Policy documentation"
+.SH "NAME"
@@ -312,7 +312,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-2.1.6/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/nfs_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/nfs_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,30 @@
+.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "nfs Selinux Policy documentation"
+.SH "NAME"
@@ -346,12 +346,12 @@
+selinux(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nis_selinux.8 serefpolicy-2.1.6/man/man8/nis_selinux.8
--- nsaserefpolicy/man/man8/nis_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/nis_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/nis_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1 @@
+.so man8/ypbind_selinux.8
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/rsync_selinux.8 serefpolicy-2.1.6/man/man8/rsync_selinux.8
--- nsaserefpolicy/man/man8/rsync_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/rsync_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/rsync_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,41 @@
+.TH "rsync_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "rsync Selinux Policy documentation"
+.SH "NAME"
@@ -396,7 +396,7 @@
+selinux(8), rsync(1), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-2.1.6/man/man8/samba_selinux.8
--- nsaserefpolicy/man/man8/samba_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/samba_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/samba_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,60 @@
+.TH "samba_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "Samba Selinux Policy documentation"
+.SH "NAME"
@@ -460,7 +460,7 @@
+selinux(8), samba(7), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ypbind_selinux.8 serefpolicy-2.1.6/man/man8/ypbind_selinux.8
--- nsaserefpolicy/man/man8/ypbind_selinux.8 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/man/man8/ypbind_selinux.8 2005-12-19 22:50:32.000000000 -0500
++++ serefpolicy-2.1.6/man/man8/ypbind_selinux.8 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,19 @@
+.TH "ypbind_selinux" "8" "17 Jan 2005" "dwalsh at redhat.com" "ypbind Selinux Policy documentation"
+.SH "NAME"
@@ -483,7 +483,7 @@
+selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.1.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2005-12-12 23:05:35.000000000 -0500
-+++ serefpolicy-2.1.6/policy/global_tunables 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/global_tunables 2005-12-22 15:17:06.000000000 -0500
@@ -42,6 +42,9 @@
## Allow sasl to read shadow
gen_tunable(allow_saslauthd_read_shadow,false)
@@ -496,7 +496,7 @@
gen_tunable(allow_smbd_anon_write,false)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.1.6/policy/mcs
--- nsaserefpolicy/policy/mcs 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/mcs 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/mcs 2005-12-22 15:17:06.000000000 -0500
@@ -19,263 +19,70 @@
#
# Each category has a name and zero or more aliases.
@@ -827,13 +827,8 @@
# Each MCS level specifies a sensitivity and zero or more categories which may
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.1.6/policy/mls
--- nsaserefpolicy/policy/mls 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/mls 2005-12-16 23:22:51.000000000 -0500
-@@ -1,4 +1,3 @@
--
- ifdef(`enable_mls',`
- #
- # Define sensitivities
-@@ -33,262 +32,70 @@
++++ serefpolicy-2.1.6/policy/mls 2005-12-22 15:17:06.000000000 -0500
+@@ -33,262 +33,70 @@
#
# Each category has a name and zero or more aliases.
#
@@ -1160,7 +1155,7 @@
#
-@@ -358,7 +165,7 @@
+@@ -358,7 +166,7 @@
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
@@ -1169,7 +1164,7 @@
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
-@@ -431,7 +238,7 @@
+@@ -431,7 +239,7 @@
# MLS policy for the filesystem class
#
@@ -1178,7 +1173,7 @@
mlsconstrain filesystem relabelto
( h1 dom h2 );
-@@ -457,7 +264,7 @@
+@@ -457,7 +265,7 @@
# MLS policy for the socket classes
#
@@ -1187,7 +1182,7 @@
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
-@@ -566,7 +373,7 @@
+@@ -566,7 +374,7 @@
# MLS policy for the process class
#
@@ -1196,7 +1191,7 @@
# and sensitivity level changes require privilege
mlsconstrain process transition
(( h1 dom h2 ) and
-@@ -686,7 +493,8 @@
+@@ -686,7 +494,8 @@
mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
@@ -1206,7 +1201,7 @@
# these access vectors have no MLS restrictions
# window { map unmap }
-@@ -724,12 +532,14 @@
+@@ -724,12 +533,14 @@
mlsconstrain colormap { list read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
@@ -1221,7 +1216,7 @@
( t1 == mlsxwinwrite ));
-@@ -743,12 +553,14 @@
+@@ -743,12 +554,14 @@
mlsconstrain property { read }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
@@ -1236,7 +1231,7 @@
( t1 == mlsxwinwrite ));
-@@ -784,16 +596,14 @@
+@@ -784,16 +597,14 @@
# MLS policy for the xinput class
#
@@ -1257,7 +1252,7 @@
( t1 == mlsxwinwrite ));
-@@ -803,17 +613,8 @@
+@@ -803,17 +614,8 @@
# MLS policy for the xserver class
#
@@ -1277,7 +1272,7 @@
-@@ -822,17 +623,8 @@
+@@ -822,17 +624,8 @@
# MLS policy for the xextension class
#
@@ -1297,9 +1292,23 @@
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.1.6/policy/modules/admin/amanda.te
+--- nsaserefpolicy/policy/modules/admin/amanda.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/amanda.te 2005-12-22 15:17:06.000000000 -0500
+@@ -165,6 +165,10 @@
+
+ sysnet_read_config(amanda_t)
+
++optional_policy(`prelink', `
++ prelink_relabel(amanda_usr_lib_t)
++')
++
+ optional_policy(`authlogin',`
+ auth_read_shadow(amanda_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.1.6/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/kudzu.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/kudzu.te 2005-12-22 15:17:06.000000000 -0500
@@ -47,6 +47,8 @@
kernel_rw_hotplug_sysctl(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
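Review bot: the amanda.te addition at -165,6 has no comment saying why prelink needs relabel access to amanda_usr_lib_t, and it is a rule about a file type placed between two amanda_t domain rules (sysnet_read_config and auth_read_shadow). Add a one-line comment and move it next to the declaration of amanda_usr_lib_t. The opening "optional_policy(`prelink', `" also has a space after the comma that the neighbouring "optional_policy(`authlogin',`" does not.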
@@ -1311,7 +1320,7 @@
dev_list_sysfs(kudzu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-2.1.6/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/logrotate.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/logrotate.te 2005-12-22 15:17:06.000000000 -0500
@@ -67,6 +67,10 @@
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctl(logrotate_t)
@@ -1325,7 +1334,7 @@
fs_search_auto_mountpoints(logrotate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.1.6/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/rpm.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/rpm.fc 2005-12-22 15:17:06.000000000 -0500
@@ -1,5 +1,6 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1335,7 +1344,7 @@
/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.1.6/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2005-12-14 10:38:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/rpm.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/rpm.te 2005-12-22 16:35:21.000000000 -0500
@@ -114,6 +114,10 @@
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
@@ -1357,9 +1366,33 @@
selinux_get_fs_mount(rpm_script_t)
selinux_validate_context(rpm_script_t)
selinux_compute_access_vector(rpm_script_t)
+@@ -328,17 +335,17 @@
+ ifdef(`targeted_policy',`
+ unconfined_domain_template(rpm_script_t)
+ ',`
+- ifdef(`distro_redhat',`
+- optional_policy(`mta',`
+- mta_send_mail(rpm_script_t)
+- ')
+- ')
+-
+ optional_policy(`bootloader',`
+ bootloader_domtrans(rpm_script_t)
+ ')
+ ')
+
++ifdef(`distro_redhat',`
++ optional_policy(`mta',`
++ mta_send_mail(rpm_script_t)
++ ')
++')
++
+ tunable_policy(`allow_execmem',`
+ allow rpm_script_t self:process execmem;
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te 2005-12-22 15:17:06.000000000 -0500
@@ -39,6 +39,9 @@
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
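Review bot: in the rpm.te hunk at -328,17, the ifdef(`distro_redhat') block now sits outside ifdef(`targeted_policy'), so mta_send_mail(rpm_script_t) is emitted for targeted builds too, where the same file already gives rpm_script_t unconfined_domain_template. Confirm that is intended, since the log message does not mention it, and add a comment explaining why the mail rule was hoisted while bootloader_domtrans stays in the non-targeted branch.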
@@ -1372,7 +1405,7 @@
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.1.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/usermanage.te 2005-12-21 13:13:41.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/usermanage.te 2005-12-22 15:17:06.000000000 -0500
@@ -44,6 +44,10 @@
type passwd_exec_t;
domain_entry_file(passwd_t,passwd_exec_t)
@@ -1396,9 +1429,36 @@
########################################
#
# Crack local policy
+@@ -197,7 +206,7 @@
+ allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
+ allow groupadd_t self:unix_dgram_socket sendto;
+ allow groupadd_t self:unix_stream_socket connectto;
+-allow groupadd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ fs_getattr_xattr_fs(groupadd_t)
+ fs_search_auto_mountpoints(groupadd_t)
+@@ -262,7 +271,7 @@
+ # Passwd local policy
+ #
+
+-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
++allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
+ allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow passwd_t self:process { setrlimit setfscreate };
+ allow passwd_t self:fd use;
+@@ -443,7 +452,7 @@
+ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+ allow useradd_t self:unix_dgram_socket sendto;
+ allow useradd_t self:unix_stream_socket connectto;
+-allow useradd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
++allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ # Allow access to context for shadow file
+ selinux_get_fs_mount(useradd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.fc 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/.*/java -- gen_context(system_u:object_r:java_exec_t,s0)
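Review bot: the usermanage.te hunk at -262,7 gives passwd_t audit_control as well as audit_write. audit_write is what a program needs to send audit records; audit_control additionally allows changing the audit configuration, so drop it unless passwd is shown to need it. The visible lines also show no netlink_audit_socket rule for passwd_t comparable to the ones adjusted for groupadd_t and useradd_t; check that one exists elsewhere in the file.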
@@ -1406,7 +1466,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.1.6/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.if 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.if 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
@@ -1433,7 +1493,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.1.6/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.te 2005-12-20 14:26:13.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.te 2005-12-22 15:17:06.000000000 -0500
@@ -0,0 +1,25 @@
+policy_module(java,1.0.0)
+
@@ -1462,7 +1522,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.1.6/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/webalizer.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/webalizer.te 2005-12-22 15:17:06.000000000 -0500
@@ -87,6 +87,7 @@
sysnet_read_config(webalizer_t)
@@ -1471,9 +1531,35 @@
apache_read_log(webalizer_t)
apache_manage_sys_content(webalizer_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.1.6/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2005-12-01 17:57:16.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/corecommands.fc 2005-12-22 15:17:06.000000000 -0500
+@@ -130,6 +130,9 @@
+
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+
++# DJW
++# Probably need policy for this
++/usr/share/logwatch/scripts/logwatch.pl -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.te serefpolicy-2.1.6/policy/modules/kernel/corecommands.te
+--- nsaserefpolicy/policy/modules/kernel/corecommands.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/corecommands.te 2005-12-22 15:17:06.000000000 -0500
+@@ -35,3 +35,9 @@
+
+ type chroot_exec_t;
+ files_type(chroot_exec_t)
++
++optional_policy(`prelink', `
++ prelink_relabel({ sbin_t bin_t })
++')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2005-12-02 17:53:26.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in 2005-12-16 23:26:11.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in 2005-12-22 15:17:06.000000000 -0500
@@ -143,15 +143,15 @@
# nodes in net_contexts or net_contexts.mls.
#
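Review bot: in corecommands.fc the new logwatch.pl entry is labelled bin_t under the comment "# DJW" / "# Probably need policy for this", with no blank line before the gnucash entries, so the comment reads as covering those as well. Separate the entry with a blank line and turn the remark into a TODO that names the intended domain. In corecommands.te the added prelink block is followed by two empty added lines at the end of the file; one is enough.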
@@ -1507,7 +1593,7 @@
#network_interface(eth0, eth0,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.1.6/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/devices.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/devices.fc 2005-12-22 15:17:06.000000000 -0500
@@ -17,10 +17,10 @@
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
@@ -1545,7 +1631,7 @@
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.1.6/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2005-12-12 15:35:53.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/domain.if 2005-12-21 10:52:19.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/domain.if 2005-12-22 15:17:06.000000000 -0500
@@ -501,6 +501,7 @@
')
@@ -1554,9 +1640,21 @@
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.1.6/policy/modules/kernel/domain.te
+--- nsaserefpolicy/policy/modules/kernel/domain.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/domain.te 2005-12-22 15:17:06.000000000 -0500
+@@ -67,3 +67,7 @@
+ # cjp: also need to except correctly for SEFramework
+ neverallow { domain unlabeled_t } file_type:process *;
+ neverallow ~{ domain unlabeled_t } *:process *;
++
++optional_policy(`prelink', `
++ prelink_relabel(entry_type)
++')
+\ No newline at end of file
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.1.6/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2005-12-01 17:57:16.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/files.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/files.fc 2005-12-22 15:17:06.000000000 -0500
@@ -24,7 +24,7 @@
# /boot
#
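Review bot: prelink_relabel(entry_type) at the end of domain.te applies to every type carrying the entry_type attribute, which is far wider than the per-type calls added in amanda.te and apache.te. Add a comment stating why the attribute-wide grant is needed. The file also now ends without a trailing newline ("\ No newline at end of file"); add one after the closing "')".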
@@ -1646,9 +1744,34 @@
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.1.6/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/files.if 2005-12-22 15:17:06.000000000 -0500
+@@ -3149,3 +3149,20 @@
+ ')
+ ')
+ ')
++
++
++########################################
++## <summary>
++## Allow attempts to modify any directory
++## </summary>
++## <param name="domain">
++## Domain to allow
++## </param>
++#
++interface(`files_write_non_security_dir',`
++ gen_require(`
++ attribute file_type, security_file_type;
++ ')
++
++ allow $1 file_type:dir write;
++')
+\ No newline at end of file
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.1.6/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2005-12-06 19:49:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/kernel.if 2005-12-21 10:56:37.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.if 2005-12-22 15:17:06.000000000 -0500
@@ -436,7 +436,7 @@
type debugfs_t;
')
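Review bot: files_write_non_security_dir in files.if requires security_file_type but never uses it; the rule is "allow $1 file_type:dir write;", which covers security directories as well and contradicts the interface name. Exclude the attribute, for example "allow $1 { file_type -security_file_type }:dir write;", and change the summary "Allow attempts to modify any directory" to match. The file also ends without a trailing newline.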
@@ -1660,7 +1783,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.6/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-21 10:38:23.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-22 15:17:06.000000000 -0500
@@ -38,7 +38,7 @@
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
@@ -1747,7 +1870,7 @@
term_use_console(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.6/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2005-12-13 15:51:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-22 15:17:06.000000000 -0500
@@ -36,8 +36,11 @@
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
@@ -1776,7 +1899,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.1.6/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/selinux.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/selinux.te 2005-12-22 15:17:06.000000000 -0500
@@ -18,7 +18,7 @@
type security_t;
fs_type(security_t)
@@ -1788,7 +1911,7 @@
neverallow ~can_load_policy security_t:security load_policy;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.1.6/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/storage.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/storage.fc 2005-12-22 15:17:06.000000000 -0500
@@ -5,35 +5,35 @@
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
@@ -1869,9 +1992,32 @@
+/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.6/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te 2005-12-12 23:05:35.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/apache.te 2005-12-22 15:17:06.000000000 -0500
+@@ -391,6 +391,10 @@
+ userdom_dontaudit_use_sysadm_terms(httpd_t)
+ ')
+
++optional_policy(`prelink', `
++ prelink_relabel(httpd_modules_t)
++')
++
+ optional_policy(`kerberos',`
+ kerberos_use(httpd_t)
+ ')
+@@ -685,3 +689,8 @@
+ optional_policy(`nscd',`
+ nscd_use_socket(httpd_unconfined_script_t)
+ ')
++
++optional_policy(`crond',`
++ cron_system_entry(httpd_t, httpd_exec_t)
++')
++
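Review bot: the cron_system_entry(httpd_t, httpd_exec_t) rule appended at the end of apache.te carries no comment saying which system cron job needs to start httpd in httpd_t. The other two cron_system_entry calls added by this patch sit in the new locate and prelink modules next to rules for their own log files; for a server domain the reason should be stated beside the rule, or the rule dropped. The block also leaves a trailing blank line at the end of the file.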
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2005-12-13 15:51:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/automount.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/automount.te 2005-12-22 15:17:06.000000000 -0500
@@ -28,7 +28,7 @@
# Local policy
#
@@ -1911,7 +2057,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.1.6/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/bluetooth.te 2005-12-21 11:54:09.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/bluetooth.te 2005-12-22 15:17:06.000000000 -0500
@@ -54,6 +54,7 @@
allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
@@ -1920,9 +2066,19 @@
allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.1.6/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2005-12-13 15:51:49.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cron.te 2005-12-22 15:17:06.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(cron, 1.1.1)
++policy_module(cron,1.1.1)
+
+ gen_require(`
+ class passwd rootok;
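Review bot: the only change in this hunk is the removed space in policy_module(cron, 1.1.1), with the version left at 1.1.1. A whitespace-only edit to a file that comes from nsaserefpolicy changes nothing in the compiled policy and gives the patch one more hunk to carry forward; drop it.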
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cups.te 2005-12-21 12:07:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cups.te 2005-12-22 15:17:06.000000000 -0500
@@ -365,6 +365,7 @@
allow initrc_t ptal_var_run_t:dir rmdir;
@@ -1933,7 +2089,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-2.1.6/policy/modules/services/cvs.fc
--- nsaserefpolicy/policy/modules/services/cvs.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-22 15:17:06.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
@@ -1941,7 +2097,7 @@
+/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.1.6/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cvs.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cvs.te 2005-12-22 15:17:06.000000000 -0500
@@ -86,6 +86,12 @@
mta_send_mail(cvs_t)
@@ -1957,7 +2113,7 @@
kerberos_read_keytab(cvs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.1.6/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/dbus.te 2005-12-21 12:06:31.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/dbus.te 2005-12-22 15:17:06.000000000 -0500
@@ -44,6 +44,7 @@
allow system_dbusd_t dbusd_etc_t:dir r_dir_perms;
allow system_dbusd_t dbusd_etc_t:file r_file_perms;
@@ -1968,7 +2124,7 @@
allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.6/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/hal.te 2005-12-21 12:29:50.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/hal.te 2005-12-22 15:17:06.000000000 -0500
@@ -49,6 +49,8 @@
kernel_read_kernel_sysctl(hald_t)
kernel_write_proc_file(hald_t)
@@ -1996,7 +2152,7 @@
init_use_script_pty(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-2.1.6/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/ldap.te 2005-12-20 15:43:29.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/ldap.te 2005-12-22 15:17:06.000000000 -0500
@@ -142,6 +142,10 @@
nis_use_ypbind(slapd_t)
')
@@ -2008,9 +2164,76 @@
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(slapd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.fc serefpolicy-2.1.6/policy/modules/services/locate.fc
+--- nsaserefpolicy/policy/modules/services/locate.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/locate.fc 2005-12-22 15:17:06.000000000 -0500
+@@ -0,0 +1,4 @@
++# locate - file locater
++/usr/bin/updatedb -- gen_context(system_u:object_r:locate_exec_t, s0)
++/var/lib/[sm]locate(/.*)? gen_context(system_u:object_r:locate_var_lib_t,s0)
++
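Review bot: no path in locate.fc is labelled locate_log_t, although locate.te declares that type with logging_log_file and gives system_crond_t create and append on it, and no transition rule for it appears in the module, so nothing on disk ends up with that label. Add the file context entry for the log, or remove the type and its rules. Minor: "locate_exec_t, s0" has a space before s0 that the locate_var_lib_t line does not.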
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.if serefpolicy-2.1.6/policy/modules/services/locate.if
+--- nsaserefpolicy/policy/modules/services/locate.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/locate.if 2005-12-22 15:17:06.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Update database for mlocate</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.te serefpolicy-2.1.6/policy/modules/services/locate.te
+--- nsaserefpolicy/policy/modules/services/locate.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/locate.te 2005-12-22 15:17:06.000000000 -0500
+@@ -0,0 +1,50 @@
++policy_module(locate,1.0.0)
++
++#DESC LOCATE - Security Enhanced version of the GNU Locate
++#
++# Author: Dan Walsh <dwalsh at redhat.com>
++#
++
++#################################
++#
++# Rules for the locate_t domain.
++#
++# locate_exec_t is the type of the locate executable.
++#
++type locate_t;
++type locate_exec_t;
++init_daemon_domain(locate_t,locate_exec_t)
++
++type locate_log_t;
++logging_log_file(locate_log_t)
++
++type locate_var_lib_t;
++files_type(locate_var_lib_t)
++
++allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
++allow locate_t self:process { execheap execmem execstack };
++allow locate_t self:fifo_file rw_file_perms;
++allow locate_t self:file { getattr read };
++allow locate_t self:unix_stream_socket create_socket_perms;
++
++allow locate_t locate_var_lib_t:dir create_dir_perms;
++allow locate_t locate_var_lib_t:file create_file_perms;
++
++fs_getattr_xattr_fs(locate_t)
++
++files_list_all(locate_t)
++files_getattr_all_files(locate_t)
++
++kernel_dontaudit_search_sysctl(locate_t)
++kernel_read_system_state(locate_t)
++
++corecmd_exec_bin(locate_t)
++
++files_read_etc_runtime_files(locate_t)
++files_read_etc_files(locate_t)
++
++optional_policy(`crond',`
++ cron_system_entry(locate_t, locate_exec_t)
++ allow system_crond_t locate_log_t:dir rw_dir_perms;
++ allow system_crond_t locate_log_t:file { create append getattr };
++')
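Review bot: allow locate_t self:process { execheap execmem execstack }; grants all three executable-memory permissions to the updatedb domain with no comment explaining why, and the identical line appears in prelink.te, which suggests it was copied rather than derived from denials. Remove it and add back only the permission a logged denial shows is needed, with a comment. Two smaller points: locate_t is declared with init_daemon_domain although the only entry wired up here is cron_system_entry, and locate_t itself receives no rule on locate_log_t (only system_crond_t does).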
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/mta.te 2005-12-21 12:16:27.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/mta.te 2005-12-22 16:35:54.000000000 -0500
@@ -47,6 +47,9 @@
allow system_mail_t etc_mail_t:dir { getattr search };
allow system_mail_t etc_mail_t:file r_file_perms;
@@ -2021,9 +2244,152 @@
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
+@@ -124,6 +127,10 @@
+ logrotate_read_tmp_files(system_mail_t)
+ ')
+
++optional_policy(`sendmail',`
++ files_create_etc_config(sendmail_t,etc_aliases_t, file)
++')
++
+ optional_policy(`postfix',`
+ allow system_mail_t etc_aliases_t:dir create_dir_perms;
+ allow system_mail_t etc_aliases_t:file create_file_perms;
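Review bot: the added files_create_etc_config(sendmail_t,etc_aliases_t, file) in mta.te names sendmail_t, a type that sendmail.te declares, with no gen_require and no sendmail interface in between. The optional_policy(`sendmail') guard only makes the block conditional; it does not bring the type into scope for this module. Either move the rule into sendmail.te behind an mta interface that exposes etc_aliases_t, or add a gen_require for sendmail_t inside the block.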
+@@ -170,3 +177,9 @@
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+ ')
++
++ifdef(`TODO',`
++# for the start script to run make -C /etc/mail
++allow initrc_t etc_mail_t:dir rw_dir_perms;
++allow initrc_t etc_mail_t:file create_file_perms;
++')
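Review bot: the block appended here is wrapped in ifdef(`TODO'), so unless TODO is defined at build time the two initrc_t rules for "make -C /etc/mail" are not compiled and the move has no effect on the policy. The sendmail.te hunk in this same patch removes four rules from that spot, and only two reappear here: allow system_mail_t initrc_t:fd use and allow system_mail_t initrc_t:fifo_file write are dropped without comment. Say whether that is intended, and if the start script still needs the access, express it through an init interface instead of parking it under TODO.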
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.fc serefpolicy-2.1.6/policy/modules/services/prelink.fc
+--- nsaserefpolicy/policy/modules/services/prelink.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/prelink.fc 2005-12-22 15:17:06.000000000 -0500
+@@ -0,0 +1,7 @@
++# prelink - prelink ELF shared libraries and binaries to speed up startup time
++/usr/sbin/prelink -- gen_context(system_u:object_r:prelink_exec_t,s0)
++ifdef(`distro_debian', `
++/usr/sbin/prelink\.bin -- gen_context(system_u:object_r:prelink_exec_t,s0)
++')
++/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
++/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.if serefpolicy-2.1.6/policy/modules/services/prelink.if
+--- nsaserefpolicy/policy/modules/services/prelink.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/prelink.if 2005-12-22 15:17:06.000000000 -0500
+@@ -0,0 +1,39 @@
++## <summary>Prelink mappings.</summary>
++
++########################################
++## <summary>
++## Execute the prelink program in the prelink domain.
++## </summary>
++## <param name="domain">
++## The type of the process performing this action.
++## </param>
++#
++interface(`prelink_domtrans',`
++ gen_require(`
++ type prelink_t, prelink_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_auto_trans($1, prelink_exec_t, prelink_t)
++
++ allow $1 prelink_t:fd use;
++ allow prelink_t $1:fd use;
++ allow prelink_t $1:fifo_file rw_file_perms;
++ allow prelink_t $1:process sigchld;
++')
++
++
++########################################
++## <summary>
++## Allow prelink to rebuild the executable or library
++## </summary>
++## <param name="domain">
++## The type of the process performing this action.
++## </param>
++#
++interface(`prelink_relabel',`
++ gen_require(`
++ type prelink_t;
++ ')
++ allow prelink_t $1:file { create_file_perms execute relabelto relabelfrom };
++')
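Review bot: the param description of prelink_relabel says "The type of the process performing this action", but $1 is used as the target file type in allow prelink_t $1:file { ... }, and the callers in this patch pass file types such as httpd_modules_t and xkb_var_lib_t. Correct the description to say it is the type of the files prelink may rewrite. The name also understates the grant: besides relabelto and relabelfrom it gives prelink_t create_file_perms and execute on every file of that type, which should be spelled out in the summary so callers know what they are handing over.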
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.te serefpolicy-2.1.6/policy/modules/services/prelink.te
+--- nsaserefpolicy/policy/modules/services/prelink.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/prelink.te 2005-12-22 15:17:06.000000000 -0500
+@@ -0,0 +1,64 @@
++policy_module(prelink,1.0.0)
++
++#DESC PRELINK - Security Enhanced version of the GNU Prelink
++#
++# Author: Dan Walsh <dwalsh at redhat.com>
++#
++
++#################################
++#
++# Rules for the prelink_t domain.
++#
++# prelink_exec_t is the type of the prelink executable.
++#
++type prelink_t;
++type prelink_exec_t;
++init_daemon_domain(prelink_t,prelink_exec_t)
++#
++# prelink_cache_t is the type of /etc/prelink.cache.
++#
++type prelink_cache_t;
++files_type(prelink_cache_t)
++
++type prelink_log_t;
++logging_log_file(prelink_log_t)
++
++allow prelink_t self:capability { chown dac_override fowner fsetid };
++allow prelink_t self:process { execheap execmem execstack };
++allow prelink_t self:fifo_file rw_file_perms;
++allow prelink_t self:file { getattr read };
++
++allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
++allow prelink_t prelink_log_t:file { create ra_file_perms };
++allow prelink_t prelink_log_t:lnk_file read;
++logging_create_log(prelink_t, prelink_log_t)
++
++fs_getattr_xattr_fs(prelink_t)
++
++libs_use_ld_so(prelink_t)
++libs_use_shared_libs(prelink_t)
++
++files_list_all(prelink_t)
++files_getattr_all_files(prelink_t)
++files_write_non_security_dir(prelink_t)
++files_create_etc_config(prelink_t, prelink_cache_t, file)
++
++kernel_dontaudit_search_kernel_sysctl(prelink_t)
++kernel_dontaudit_search_sysctl(prelink_t)
++kernel_read_system_state(prelink_t)
++
++files_read_etc_runtime_files(prelink_t)
++
++miscfiles_read_localization(prelink_t)
++
++dev_read_urand(prelink_t)
++
++optional_policy(`crond',`
++ cron_system_entry(prelink_t, prelink_exec_t)
++ allow system_crond_t prelink_log_t:dir rw_dir_perms;
++ allow system_crond_t prelink_log_t:file create_file_perms;
++ allow system_crond_t prelink_cache_t:file { getattr read unlink };
++ allow prelink_t crond_log_t:file append;
++')
++
++
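Review bot: allow prelink_t self:process { execheap execmem execstack }; grants all three executable-memory permissions with no comment on which one prelink needs and why. Keep only what a logged denial justifies and document it. In the crond block, allow prelink_t crond_log_t:file append uses crond_log_t, a type this module does not declare, without a gen_require or a cron interface. prelink_t is also set up with init_daemon_domain although the entry path added here is cron_system_entry, and the file ends with two blank lines.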
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-2.1.6/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/remotelogin.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/remotelogin.te 2005-12-22 15:17:06.000000000 -0500
@@ -106,6 +106,7 @@
logging_send_syslog_msg(remote_login_t)
@@ -2034,7 +2400,7 @@
mls_file_downgrade(remote_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.1.6/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/sasl.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/sasl.te 2005-12-22 15:17:06.000000000 -0500
@@ -88,9 +88,11 @@
')
@@ -2052,8 +2418,36 @@
mysql_search_db_dir(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.1.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/sendmail.te 2005-12-21 12:22:09.000000000 -0500
-@@ -56,6 +56,7 @@
++++ serefpolicy-2.1.6/policy/modules/services/sendmail.te 2005-12-22 16:31:54.000000000 -0500
+@@ -15,15 +15,10 @@
+ type sendmail_var_run_t;
+ files_pid_file(sendmail_var_run_t)
+
+-ifdef(`targeted_policy',`
+- unconfined_alias_domain(sendmail_t)
+- mta_sendmail_mailserver(sendmail_t)
+-',`
+- type sendmail_t;
+- mta_sendmail_mailserver(sendmail_t)
+- mta_mailserver_delivery(sendmail_t)
+- mta_mailserver_sender(sendmail_t)
+-')
++type sendmail_t;
++mta_sendmail_mailserver(sendmail_t)
++mta_mailserver_delivery(sendmail_t)
++mta_mailserver_sender(sendmail_t)
+
+ ########################################
+ #
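Review bot: removing the ifdef(`targeted_policy') branch also removes unconfined_alias_domain(sendmail_t), so sendmail_t becomes an ordinary declared type under the targeted policy too, and the log message ("Fix passwd command on mls") does not mention it. That is a behaviour change for targeted systems and deserves its own changelog line, plus a check that the rules further down in sendmail.te are sufficient for sendmail to run once it is no longer an alias of the unconfined domain.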
+@@ -31,6 +26,7 @@
+ #
+
+ allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
++allow sendmail_t sendmail_t:process signal;
+ allow sendmail_t self:fifo_file rw_file_perms;
+ allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
+ allow sendmail_t self:unix_dgram_socket create_socket_perms;
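Review bot: the added allow sendmail_t sendmail_t:process signal; repeats the source type as the target, while every neighbouring rule in this hunk uses self. Write it as allow sendmail_t self:process signal; so it matches the surrounding rules and is found when someone searches for the domain's self permissions.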
+@@ -56,6 +52,7 @@
corenet_udp_bind_all_nodes(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
corenet_tcp_connect_all_ports(sendmail_t)
@@ -2061,7 +2455,7 @@
dev_read_urand(sendmail_t)
dev_read_sysfs(sendmail_t)
-@@ -111,7 +112,7 @@
+@@ -111,7 +108,7 @@
allow sendmail_t sendmail_tmp_t:file create_file_perms;
files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
@@ -2070,22 +2464,44 @@
files_create_pid(sendmail_t,sendmail_var_run_t)
')
-@@ -136,9 +137,11 @@
+@@ -136,15 +133,15 @@
udev_read_db(sendmail_t)
')
-ifdef(`TODO',`
++optional_policy(`procmail',`
++ procmail_domtrans(sendmail_t)
++')
++
+# needed for the newaliases file to run
allow sendmail_t etc_mail_t:dir rw_dir_perms;
allow sendmail_t etc_mail_t:file create_file_perms;
-+
+-# for the start script to run make -C /etc/mail
+-allow initrc_t etc_mail_t:dir rw_dir_perms;
+-allow initrc_t etc_mail_t:file create_file_perms;
+-allow system_mail_t initrc_t:fd use;
+-allow system_mail_t initrc_t:fifo_file write;
+
+ifdef(`TODO',`
- # for the start script to run make -C /etc/mail
- allow initrc_t etc_mail_t:dir rw_dir_perms;
- allow initrc_t etc_mail_t:file create_file_perms;
+ # When sendmail runs as user_mail_domain, it needs some extra permissions
+ # to update /etc/mail/statistics.
+ allow user_mail_domain etc_mail_t:file rw_file_perms;
+@@ -152,12 +149,5 @@
+ # Silently deny attempts to access /root.
+ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+
+-# Run procmail in its own domain, if defined.
+-ifdef(`procmail.te',`
+-corecmd_search_bin(sendmail_t)
+-procmail_domtrans(sendmail_t)
+-domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
+-')
+-
+ dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
+ ') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.1.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/ssh.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/ssh.te 2005-12-22 15:17:06.000000000 -0500
@@ -91,10 +91,6 @@
seutil_read_config(sshd_t)
@@ -2110,9 +2526,23 @@
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.1.6/policy/modules/services/xdm.te
+--- nsaserefpolicy/policy/modules/services/xdm.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/xdm.te 2005-12-22 15:17:06.000000000 -0500
+@@ -319,6 +319,10 @@
+ allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
+ can_exec(xdm_xserver_t, xkb_var_lib_t)
+
++optional_policy(`prelink', `
++ prelink_relabel(xkb_var_lib_t)
++')
++
+ # Insert video drivers.
+ allow xdm_xserver_t self:capability mknod;
+ allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.1.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2005-12-08 15:57:16.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/authlogin.if 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/authlogin.if 2005-12-22 15:17:06.000000000 -0500
@@ -320,15 +320,25 @@
## </param>
#
@@ -2142,7 +2572,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.6/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/authlogin.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/authlogin.te 2005-12-22 15:17:06.000000000 -0500
@@ -211,6 +211,7 @@
logging_send_syslog_msg(pam_console_t)
@@ -2153,7 +2583,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.1.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/getty.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/getty.te 2005-12-22 15:17:06.000000000 -0500
@@ -63,6 +63,9 @@
kernel_list_proc(getty_t)
kernel_read_proc_symlinks(getty_t)
@@ -2166,7 +2596,7 @@
fs_search_auto_mountpoints(getty_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.if serefpolicy-2.1.6/policy/modules/system/hostname.if
--- nsaserefpolicy/policy/modules/system/hostname.if 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/hostname.if 2005-12-21 11:33:08.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/hostname.if 2005-12-22 15:17:06.000000000 -0500
@@ -66,3 +66,18 @@
can_exec($1,hostname_exec_t)
@@ -2188,7 +2618,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.6/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/hostname.te 2005-12-21 12:36:31.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/hostname.te 2005-12-22 15:17:06.000000000 -0500
@@ -7,8 +7,10 @@
#
@@ -2241,7 +2671,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.1.6/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/init.if 2005-12-21 10:58:42.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/init.if 2005-12-22 15:17:06.000000000 -0500
@@ -195,6 +195,19 @@
########################################
@@ -2269,7 +2699,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2005-12-12 15:35:53.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/init.te 2005-12-21 12:15:59.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/init.te 2005-12-22 15:17:06.000000000 -0500
@@ -369,6 +369,7 @@
mls_file_write_down(initrc_t)
mls_process_read_up(initrc_t)
@@ -2333,7 +2763,7 @@
') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.1.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2005-12-09 23:35:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/iptables.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/iptables.te 2005-12-22 15:17:06.000000000 -0500
@@ -43,6 +43,8 @@
kernel_read_modprobe_sysctl(iptables_t)
kernel_use_fd(iptables_t)
@@ -2345,7 +2775,7 @@
fs_getattr_xattr_fs(iptables_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/libraries.fc 2005-12-20 13:59:12.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/libraries.fc 2005-12-22 15:17:06.000000000 -0500
@@ -11,6 +11,20 @@
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -2384,22 +2814,23 @@
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sunbird.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,3 +202,4 @@
- ifdef(`distro_suse',`
- /var/lib/samba/bin/.*\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.1.6/policy/modules/system/libraries.te
+--- nsaserefpolicy/policy/modules/system/libraries.te 2005-12-12 15:35:54.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/libraries.te 2005-12-22 15:17:06.000000000 -0500
+@@ -94,6 +94,10 @@
+ unconfined_domain_template(ldconfig_t)
')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.1.6/policy/modules/system/locallogin.if
---- nsaserefpolicy/policy/modules/system/locallogin.if 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/locallogin.if 2005-12-21 09:56:58.000000000 -0500
-@@ -66,3 +66,4 @@
- allow $1 local_login_t:process signull;
- ')
++optional_policy(`prelink', `
++ prelink_relabel({ ld_so_t texrel_shlib_t shlib_t lib_t })
++')
+
+ optional_policy(`apache',`
+ # dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
+ apache_dontaudit_search_modules(ldconfig_t)
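Review bot: texrel_shlib_t in prelink_relabel({ ld_so_t texrel_shlib_t shlib_t lib_t }) looks like a typo for textrel_shlib_t, the spelling used by the libraries.fc entries in this same patch. As written the rule refers to a type name that appears nowhere else in the patch, and the text-relocation libraries are left out of what prelink may rewrite. Correct the name and rebuild with the prelink module enabled to confirm the block compiles.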
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.6/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-21 09:58:37.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-22 15:17:06.000000000 -0500
@@ -152,6 +152,7 @@
miscfiles_read_localization(local_login_t)
@@ -2418,7 +2849,7 @@
mta_getattr_spool(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.1.6/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/logging.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.fc 2005-12-22 15:17:06.000000000 -0500
@@ -19,10 +19,11 @@
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -2436,7 +2867,7 @@
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.1.6/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/logging.if 2005-12-21 10:24:59.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.if 2005-12-22 15:17:06.000000000 -0500
@@ -341,3 +341,24 @@
allow $1 var_log_t:dir rw_dir_perms;
allow $1 var_log_t:file create_file_perms;
@@ -2464,7 +2895,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.1.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/logging.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.te 2005-12-22 15:17:06.000000000 -0500
@@ -71,6 +71,8 @@
kernel_read_kernel_sysctl(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
@@ -2493,7 +2924,7 @@
optional_policy(`udev',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.1.6/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/lvm.te 2005-12-21 12:00:47.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/lvm.te 2005-12-22 15:17:06.000000000 -0500
@@ -155,6 +155,8 @@
allow lvm_t lvm_etc_t:file r_file_perms;
@@ -2505,7 +2936,7 @@
allow lvm_t lvm_metadata_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc 2005-12-22 15:17:06.000000000 -0500
@@ -9,9 +9,9 @@
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
@@ -2521,7 +2952,7 @@
# /root
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.6/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.te 2005-12-21 12:59:41.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.te 2005-12-22 15:17:06.000000000 -0500
@@ -198,7 +198,6 @@
# cjp: temporary hack to cover
# up stray file descriptors.
@@ -2564,7 +2995,7 @@
# by a different user or has restrictive SE permissions, do not want to audit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-2.1.6/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-22 15:17:06.000000000 -0500
@@ -17,3 +17,4 @@
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -2572,7 +3003,7 @@
+/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.1.6/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-21 11:00:40.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-22 15:17:06.000000000 -0500
@@ -39,7 +39,7 @@
# Local policy
#
@@ -2600,7 +3031,7 @@
fs_manage_tmpfs_dirs(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.1.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/unconfined.fc 2005-12-20 15:42:20.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/unconfined.fc 2005-12-22 15:17:06.000000000 -0500
@@ -1,3 +1,5 @@
# Add programs here which should not be confined by SELinux
# e.g.:
@@ -2609,7 +3040,7 @@
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/unconfined.te 2005-12-20 17:45:57.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/unconfined.te 2005-12-22 16:19:44.000000000 -0500
@@ -57,6 +57,10 @@
bluetooth_domtrans_helper(unconfined_t)
')
@@ -2629,9 +3060,20 @@
')
optional_policy(`samba',`
+@@ -142,6 +145,10 @@
+ webalizer_domtrans(unconfined_t)
+ ')
+
++ optional_policy(`sendmail',`
++ sendmail_domtrans(unconfined_t)
++ ')
++
+ ifdef(`TODO',`
+ ifdef(`use_mcs',`
+ rw_dir_create_file(sysadm_su_t, home_dir_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.1.6/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2005-11-15 09:13:40.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/userdomain.fc 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.fc 2005-12-22 15:17:06.000000000 -0500
@@ -4,6 +4,6 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -2642,7 +3084,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.1.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2005-12-06 19:49:51.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/userdomain.if 2005-12-21 11:42:08.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.if 2005-12-22 15:17:06.000000000 -0500
@@ -568,6 +568,7 @@
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
@@ -2677,7 +3119,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.1.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2005-12-09 23:35:10.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/userdomain.te 2005-12-21 11:35:10.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.te 2005-12-22 15:17:06.000000000 -0500
@@ -2,7 +2,7 @@
policy_module(userdomain,1.1.0)
@@ -2747,7 +3189,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.6/policy/users
--- nsaserefpolicy/policy/users 2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.1.6/policy/users 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/users 2005-12-22 15:17:06.000000000 -0500
@@ -26,7 +26,9 @@
ifdef(`targeted_policy',`
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
@@ -2772,7 +3214,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.1.6/Rules.modular
--- nsaserefpolicy/Rules.modular 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/Rules.modular 2005-12-17 08:30:24.000000000 -0500
++++ serefpolicy-2.1.6/Rules.modular 2005-12-22 15:17:06.000000000 -0500
@@ -170,6 +170,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- selinux-policy.spec 21 Dec 2005 18:07:27 -0000 1.62
+++ selinux-policy.spec 22 Dec 2005 21:40:15 -0000 1.63
@@ -7,7 +7,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.1.6
-Release: 14
+Release: 15
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -258,6 +258,9 @@
%endif
%changelog
+* Wed Dec 21 2005 Dan Walsh <dwalsh at redhat.com> 2.1.6-15
+- Fix passwd command on mls
+
* Wed Dec 21 2005 Dan Walsh <dwalsh at redhat.com> 2.1.6-14
- Lots of fixes to make mls policy work
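Review bot: The new %changelog entry for 2.1.6-15 is dated Wed Dec 21 2005, the same date as the 2.1.6-14 entry directly below it, while this spec revision is stamped 22 Dec 2005 21:40:15 and the policy patch headers in this commit are dated 2005-12-22. Suggest dating the new entry Thu Dec 22 2005 so the two releases can be told apart by date and the changelog stays in step with the build.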