
rpms/selinux-policy-targeted/devel policy-20050606.patch, 1.1, 1.2 selinux-policy-targeted.spec, 1.314, 1.315



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv16397

Modified Files:
	policy-20050606.patch selinux-policy-targeted.spec 
Log Message:
* Wed Jun 8 2005 Dan Walsh <dwalsh redhat com> 1.23.18-2
- Add alsa policy
- Policy cleanup from Ivan


policy-20050606.patch:
 attrib.te                             |    2 
 domains/misc/kernel.te                |    7 
 domains/program/bonobo.te             |    9 +
 domains/program/ethereal.te           |   48 ++++++
 domains/program/fsadm.te              |    5 
 domains/program/gnome_vfs.te          |    9 +
 domains/program/init.te               |    4 
 domains/program/initrc.te             |    2 
 domains/program/klogd.te              |    2 
 domains/program/login.te              |    2 
 domains/program/modutil.te            |    2 
 domains/program/mount.te              |    2 
 domains/program/restorecon.te         |    2 
 domains/program/ssh.te                |    2 
 domains/program/syslogd.te            |    2 
 domains/program/unused/acct.te        |    2 
 domains/program/unused/alsa.te        |   17 ++
 domains/program/unused/apache.te      |    2 
 domains/program/unused/bonobo.te      |    9 +
 domains/program/unused/consoletype.te |    2 
 domains/program/unused/cups.te        |    6 
 domains/program/unused/ethereal.te    |   73 ++++++++++
 domains/program/unused/evolution.te   |   13 +
 domains/program/unused/gconf.te       |   12 +
 domains/program/unused/gift.te        |    4 
 domains/program/unused/gnome.te       |    7 
 domains/program/unused/i18n_input.te  |    1 
 domains/program/unused/iceauth.te     |   12 +
 domains/program/unused/orbit.te       |    7 
 domains/program/unused/pamconsole.te  |    2 
 domains/program/unused/ping.te        |    2 
 domains/program/unused/rpcd.te        |    3 
 domains/program/unused/thunderbird.te |    9 +
 domains/program/unused/udev.te        |    2 
 domains/program/unused/xdm.te         |    5 
 domains/program/unused/xserver.te     |    4 
 file_contexts/distros.fc              |    2 
 file_contexts/program/alsa.fc         |    3 
 file_contexts/program/apache.fc       |    2 
 file_contexts/program/bonobo.fc       |    1 
 file_contexts/program/ethereal.fc     |    3 
 file_contexts/program/evolution.fc    |    8 +
 file_contexts/program/fontconfig.fc   |    6 
 file_contexts/program/gconf.fc        |    5 
 file_contexts/program/gnome.fc        |    9 +
 file_contexts/program/gnome_vfs.fc    |    1 
 file_contexts/program/iceauth.fc      |    3 
 file_contexts/program/mozilla.fc      |    3 
 file_contexts/program/orbit.fc        |    3 
 file_contexts/program/thunderbird.fc  |    2 
 file_contexts/program/xdm.fc          |    1 
 file_contexts/program/xserver.fc      |    2 
 file_contexts/types.fc                |    2 
 macros/admin_macros.te                |    5 
 macros/base_user_macros.te            |   29 +++-
 macros/global_macros.te               |   60 +++++---
 macros/program/bonobo_macros.te       |  118 ++++++++++++++++
 macros/program/ethereal_macros.te     |   61 ++++++++
 macros/program/evolution_macros.te    |  240 ++++++++++++++++++++++++++++++++++
 macros/program/fontconfig_macros.te   |   36 ++++-
 macros/program/games_domain.te        |   38 +----
 macros/program/gconf_macros.te        |   56 +++++++
 macros/program/gift_macros.te         |   54 +------
 macros/program/gnome_macros.te        |  113 ++++++++++++++++
 macros/program/gnome_vfs_macros.te    |   49 ++++++
 macros/program/ice_macros.te          |   42 +++++
 macros/program/iceauth_macros.te      |   34 ++++
 macros/program/mail_client_macros.te  |   60 ++++++++
 macros/program/mozilla_macros.te      |   63 +++-----
 macros/program/orbit_macros.te        |   44 ++++++
 macros/program/spamassassin_macros.te |    7 
 macros/program/thunderbird_macros.te  |   59 ++++++++
 macros/program/x_client_macros.te     |    9 -
 macros/program/xauth_macros.te        |    2 
 macros/program/xserver_macros.te      |   17 +-
 mls                                   |   41 ++---
 net_contexts                          |   25 +--
 targeted/domains/program/crond.te     |    2 
 targeted/domains/unconfined.te        |    3 
 tunables/distro.tun                   |    2 
 tunables/tunable.tun                  |    4 
 types/device.te                       |    7 
 types/devpts.te                       |    2 
 types/file.te                         |    2 
 types/network.te                      |    8 -
 types/security.te                     |    2 
 86 files changed, 1412 insertions(+), 232 deletions(-)

Index: policy-20050606.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050606.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20050606.patch	8 Jun 2005 12:29:27 -0000	1.1
+++ policy-20050606.patch	9 Jun 2005 03:01:40 -0000	1.2
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.17/attrib.te
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.18/attrib.te
 --- nsapolicy/attrib.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/attrib.te	2005-06-07 14:49:57.000000000 -0400
++++ policy-1.23.18/attrib.te	2005-06-08 09:04:15.000000000 -0400
 @@ -30,7 +30,7 @@
  attribute mlsnetwritetoclr;
  attribute mlsnetupgrade;
@@ -10,27 +10,9 @@
  
  attribute mlsipcread;
  attribute mlsipcreadtoclr;
-diff --exclude-from=exclude -N -u -r nsapolicy/ChangeLog policy-1.23.17/ChangeLog
---- nsapolicy/ChangeLog	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/ChangeLog	2005-05-25 11:28:29.000000000 -0400
-@@ -1,14 +1,3 @@
--1.23.18 2005-05-31
--	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
--	* Removed devfsd policy as suggested by Russell Coker.
--	* Merged patch from Dan Walsh.  Includes beginnings of Ivan
--	Gyurdiev's Font Config policy.  Don't transition to fsadm_t from
--	unconfined_t (sysadm_t) in targeted policy.  Add support for
--	debugfs in modutil.  Allow automount to create and delete
--	directories in /root and /home dirs.  Move can_ypbind to
--	chkpwd_macro.te.  Allow useradd to create additional files and
--	types via the skell mechanism.  Other minor cleanups and fixes.
--
- 1.23.17 2005-05-23
- 	* Merged minor fixes by Petre Rodan to the daemontools, dante,
- 	gpg, kerberos, and ucspi-tcp policies.
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.17/domains/misc/kernel.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.18/domains/misc/kernel.te
 --- nsapolicy/domains/misc/kernel.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/domains/misc/kernel.te	2005-06-07 15:03:08.000000000 -0400
++++ policy-1.23.18/domains/misc/kernel.te	2005-06-08 09:04:15.000000000 -0400
 @@ -11,7 +11,7 @@
  # kernel_t is the domain of kernel threads.
  # It is also the target type when checking permissions in the system class.
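Review bot: the log message ("Add alsa policy", "Policy cleanup from Ivan") does not cover what this hunk removes. The dropped lines are a section in which the old patch deleted upstream's `1.23.18 2005-05-31` ChangeLog entry, which suggests revision 1.1 was generated from a tree older than nsapolicy. Please state in the log that the patch was regenerated against policy-1.23.18, so that this and the other dropped sections read as intentional rather than as lost changes.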
@@ -52,9 +34,9 @@
  # Share state with the init process.
  allow kernel_t init_t:process share;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/bonobo.te policy-1.23.17/domains/program/bonobo.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/bonobo.te policy-1.23.18/domains/program/bonobo.te
 --- nsapolicy/domains/program/bonobo.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/bonobo.te	2005-06-06 11:20:52.000000000 -0400
++++ policy-1.23.18/domains/program/bonobo.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,9 @@
 +# DESC - Bonobo Activation Server 
 +#
@@ -65,9 +47,9 @@
 +type bonobo_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/bonobo_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ethereal.te policy-1.23.17/domains/program/ethereal.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ethereal.te policy-1.23.18/domains/program/ethereal.te
 --- nsapolicy/domains/program/ethereal.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/ethereal.te	2005-06-06 11:20:52.000000000 -0400
++++ policy-1.23.18/domains/program/ethereal.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,48 @@
 +# DESC - Ethereal  
 +#
@@ -117,9 +99,9 @@
 +#####################################
 +# Ethereal (GNOME) policy can be found
 +# in ethereal_macros.te 
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.17/domains/program/fsadm.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.18/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/domains/program/fsadm.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/fsadm.te	2005-06-08 09:38:00.000000000 -0400
 @@ -12,14 +12,14 @@
  # administration.
  # fsadm_exec_t is the type of the corresponding programs.
@@ -137,9 +119,14 @@
  
  # Read system information files in /proc.
  r_dir_file(fsadm_t, proc_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/gnome_vfs.te policy-1.23.17/domains/program/gnome_vfs.te
+@@ -116,3 +116,4 @@
+ allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
+ allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
+ allow fsadm_t usbfs_t:dir { getattr search };
++allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/gnome_vfs.te policy-1.23.18/domains/program/gnome_vfs.te
 --- nsapolicy/domains/program/gnome_vfs.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/gnome_vfs.te	2005-06-06 11:20:52.000000000 -0400
++++ policy-1.23.18/domains/program/gnome_vfs.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,9 @@
 +# DESC - GNOME VFS Daemon
 +#
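Review bot: the added `+allow fsadm_t ramfs_t:fifo_file rw_file_perms;` at the end of the fsadm.te section has no comment saying which program needs it, and the log message does not mention it. `rw_file_perms` on every fifo labelled `ramfs_t` is a wide grant for a domain that, per the context lines, already has read/write on `file_t` and `unlabeled_t` block devices. Please add a one-line comment naming the caller and limit the permission set to what the observed denial actually required.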
@@ -150,9 +137,9 @@
 +type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/gnome_vfs_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.17/domains/program/initrc.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.18/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/initrc.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/initrc.te	2005-06-08 09:04:15.000000000 -0400
 @@ -12,7 +12,7 @@
  # initrc_exec_t is the type of the init program.
  #
@@ -162,9 +149,9 @@
  
  role system_r types initrc_t;
  uses_shlib(initrc_t);
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.17/domains/program/init.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.18/domains/program/init.te
 --- nsapolicy/domains/program/init.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/init.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/init.te	2005-06-08 09:04:15.000000000 -0400
 @@ -14,11 +14,11 @@
  # by init during initialization.  This pipe is used
  # to communicate with init.
@@ -179,9 +166,9 @@
  
  # for init to determine whether SE Linux is active so it can know whether to
  # activate it
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.17/domains/program/klogd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.18/domains/program/klogd.te
 --- nsapolicy/domains/program/klogd.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/klogd.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/klogd.te	2005-06-08 09:04:15.000000000 -0400
 @@ -8,7 +8,7 @@
  #
  # Rules for the klogd_t domain.
@@ -191,9 +178,9 @@
  
  tmp_domain(klogd)
  allow klogd_t proc_t:dir r_dir_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.17/domains/program/login.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.18/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/login.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/login.te	2005-06-08 09:04:15.000000000 -0400
 @@ -13,7 +13,7 @@
  
  # $1 is the name of the domain (local or remote)
@@ -203,9 +190,9 @@
  role system_r types $1_login_t;
  
  dontaudit $1_login_t shadow_t:file { getattr read };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.17/domains/program/modutil.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.18/domains/program/modutil.te
 --- nsapolicy/domains/program/modutil.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/domains/program/modutil.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/modutil.te	2005-06-08 09:04:15.000000000 -0400
 @@ -72,7 +72,7 @@
  # Rules for the insmod_t domain.
  #
@@ -215,9 +202,9 @@
  ;
  role system_r types insmod_t;
  role sysadm_r types insmod_t;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.17/domains/program/mount.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.18/domains/program/mount.te
 --- nsapolicy/domains/program/mount.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/mount.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/mount.te	2005-06-08 09:04:15.000000000 -0400
 @@ -11,7 +11,7 @@
  
  type mount_exec_t, file_type, sysadmfile, exec_type;
@@ -227,9 +214,9 @@
  mount_loopback_privs(sysadm, mount)
  role sysadm_r types mount_t;
  role system_r types mount_t;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.17/domains/program/restorecon.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.18/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/restorecon.te	2005-06-07 14:52:03.000000000 -0400
++++ policy-1.23.18/domains/program/restorecon.te	2005-06-08 09:04:15.000000000 -0400
 @@ -12,7 +12,7 @@
  #
  # needs auth_write attribute because it has relabelfrom/relabelto
@@ -239,9 +226,9 @@
  type restorecon_exec_t, file_type, sysadmfile, exec_type;
  
  role system_r types restorecon_t;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.17/domains/program/ssh.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.18/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/ssh.te	2005-06-07 14:52:03.000000000 -0400
++++ policy-1.23.18/domains/program/ssh.te	2005-06-08 09:04:15.000000000 -0400
 @@ -25,7 +25,7 @@
  # privowner is for changing the identity on the terminal device
  # privfd is for passing the terminal file handle to the user process
@@ -251,9 +238,9 @@
  can_exec($1_t, sshd_exec_t)
  r_dir_file($1_t, self)
  role system_r types $1_t;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.17/domains/program/syslogd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.18/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/domains/program/syslogd.te	2005-06-07 14:51:32.000000000 -0400
++++ policy-1.23.18/domains/program/syslogd.te	2005-06-08 09:04:15.000000000 -0400
 @@ -25,7 +25,7 @@
  
  r_dir_file(syslogd_t, sysfs_t)
@@ -263,9 +250,9 @@
  
  # if something can log to syslog they should be able to log to the console
  allow privlog console_device_t:chr_file { ioctl read write getattr };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.23.17/domains/program/unused/acct.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.23.18/domains/program/unused/acct.te
 --- nsapolicy/domains/program/unused/acct.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/acct.te	2005-05-31 14:57:13.000000000 -0400
++++ policy-1.23.18/domains/program/unused/acct.te	2005-06-08 09:04:15.000000000 -0400
 @@ -21,7 +21,7 @@
  # for SSP
  allow acct_t urandom_device_t:chr_file read;
@@ -275,9 +262,42 @@
  
  allow acct_t self:capability sys_pacct;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bonobo.te policy-1.23.17/domains/program/unused/bonobo.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.23.18/domains/program/unused/alsa.te
+--- nsapolicy/domains/program/unused/alsa.te	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.23.18/domains/program/unused/alsa.te	2005-06-08 14:42:59.000000000 -0400
+@@ -0,0 +1,17 @@
++#DESC       ainit - configuration tool for ALSA
++#
++# Author:  Dan Walsh <dwalsh redhat com>
++#
++#
++type alsa_t, domain, privlog, daemon;
++type alsa_exec_t, file_type, sysadmfile, exec_type;
++uses_shlib(alsa_t)
++allow alsa_t self:sem  create_sem_perms;
++allow alsa_t self:shm  create_shm_perms;
++allow alsa_t self:unix_stream_socket create_stream_socket_perms;
++type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
++rw_dir_create_file(alsa_t,alsa_etc_rw_t)
++allow alsa_t self:capability { setgid setuid ipc_owner };
++allow alsa_t devpts_t:chr_file { read write };
++allow alsa_t etc_t:file { getattr read };
++domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.18/domains/program/unused/apache.te
+--- nsapolicy/domains/program/unused/apache.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/apache.te	2005-06-08 09:04:15.000000000 -0400
+@@ -86,6 +86,8 @@
+ 
+ read_sysctl(httpd_t)
+ 
++allow httpd_t crypt_device_t:chr_file rw_file_perms;
++
+ # for modules that want to access /etc/mtab and /proc/meminfo
+ allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bonobo.te policy-1.23.18/domains/program/unused/bonobo.te
 --- nsapolicy/domains/program/unused/bonobo.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/bonobo.te	2005-06-06 11:20:19.000000000 -0400
++++ policy-1.23.18/domains/program/unused/bonobo.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,9 @@
 +# DESC - Bonobo Activation Server 
 +#
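Review bot: in the new alsa.te, `allow alsa_t self:capability { setgid setuid ipc_owner };` gives identity-changing capabilities to a domain that is entered automatically from `pam_console_t`, and nothing in the file explains why a sound configuration tool needs them. Please add a comment per capability, or drop the ones not backed by a denial; the header also describes `ainit` while every type is named `alsa_*`, which is worth reconciling. The apache.te addition in the same hunk, `+allow httpd_t crypt_device_t:chr_file rw_file_perms;`, is likewise uncommented and unconditional: say which module needs the crypto device, and consider guarding it with a tunable.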
@@ -288,9 +308,9 @@
 +type bonobo_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/bonobo_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.17/domains/program/unused/consoletype.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.18/domains/program/unused/consoletype.te
 --- nsapolicy/domains/program/unused/consoletype.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/consoletype.te	2005-06-07 14:51:48.000000000 -0400
++++ policy-1.23.18/domains/program/unused/consoletype.te	2005-06-08 09:04:15.000000000 -0400
 @@ -11,7 +11,7 @@
  # consoletype_t is the domain for the consoletype program.
  # consoletype_exec_t is the type of the corresponding program.
@@ -300,21 +320,9 @@
  type consoletype_exec_t, file_type, sysadmfile, exec_type;
  
  role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/courier.te policy-1.23.17/domains/program/unused/courier.te
---- nsapolicy/domains/program/unused/courier.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/courier.te	2005-05-31 15:31:16.000000000 -0400
-@@ -92,7 +92,7 @@
- allow courier_tcpd_t sbin_t:dir search;
- allow courier_tcpd_t var_lib_t:dir search;
- # for TLS
--allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
-+allow courier_tcpd_t { random_device_t urandom_device_t }:chr_file read;
- read_locale(courier_tcpd_t)
- can_exec(courier_tcpd_t, courier_exec_t)
- allow courier_authdaemon_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.17/domains/program/unused/cups.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.18/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/cups.te	2005-05-31 15:14:26.000000000 -0400
++++ policy-1.23.18/domains/program/unused/cups.te	2005-06-08 09:04:15.000000000 -0400
 @@ -150,6 +150,12 @@
  allow ptal_t self:capability { chown sys_rawio };
  allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
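Review bot: removing the courier.te section changes the effective policy without a word in the log. The old patch narrowed `courier_tcpd_t` access to `{ random_device_t urandom_device_t }:chr_file` from `{ getattr read }` to `read`; with the section gone, upstream's `{ getattr read }` stands. That is probably intended, since the ChangeLog text removed earlier in this diff credits upstream with merging courier.te fixes, but please confirm it and mention the drop in the log message.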
@@ -328,106 +336,9 @@
  allow ptal_t self:fifo_file rw_file_perms;
  allow ptal_t device_t:dir read;
  allow ptal_t printer_device_t:chr_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/devfsd.te policy-1.23.17/domains/program/unused/devfsd.te
---- nsapolicy/domains/program/unused/devfsd.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/devfsd.te	2005-05-25 11:28:28.000000000 -0400
-@@ -0,0 +1,93 @@
-+#DESC Devfsd - Control daemon for devfs device file system
-+#
-+# Author:  Russell Coker <russell coker com au>
-+# X-Debian-Packages: devfsd
-+#
-+
-+#################################
-+#
-+# Rules for the devfsd_t domain.
-+#
-+etcdir_domain(devfsd)
-+
-+allow kernel_t { device_t root_t }:dir mounton;
-+
-+daemon_domain(devfsd, `, privmodule')
-+
-+allow devfsd_t urandom_device_t:chr_file read;
-+
-+# for startup scripts
-+can_exec(devfsd_t, bin_t)
-+allow devfsd_t self:fifo_file rw_file_perms;
-+allow devfsd_t proc_t:dir r_dir_perms;
-+allow devfsd_t { etc_t etc_runtime_t proc_t }:file r_file_perms;
-+allow devfsd_t devtty_t:chr_file rw_file_perms;
-+
-+# for alsa
-+allow devfsd_t proc_t:file setattr;
-+
-+# for /sbin/modprobe
-+allow devfsd_t { bin_t sbin_t }:dir r_dir_perms;
-+
-+ifdef(`distro_debian', `
-+# for the makedev script - this may be a bad idea
-+domain_auto_trans(dpkg_t, devfsd_exec_t, devfsd_t)
-+
-+# for package upgrade
-+allow devfsd_t lib_t:file execute;
-+')
-+
-+# mknod capability is for the startup scripts
-+allow devfsd_t self:capability { chown dac_override fowner fsetid sys_tty_config mknod };
-+
-+# allow devfsd to change any object from type devfsd_t to any other type
-+# also allow to unlink
-+allow devfsd_t device_t:dir_file_class_set { create getattr setattr relabelfrom unlink };
-+# allow devfsd to get and set attributes of any device node and to change the
-+# type to any device type
-+allow devfsd_t { device_type ttyfile ptyfile }:{ lnk_file sock_file fifo_file chr_file blk_file } { getattr setattr relabelto };
-+allow devfsd_t mtrr_device_t:file { getattr setattr relabelto };
-+allow devfsd_t initctl_t:fifo_file getattr;
-+allow devfsd_t device_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } setattr;
-+allow devfsd_t device_t:dir { r_dir_perms setattr };
-+
-+allow devfsd_t devpts_t:dir { r_dir_perms relabelto };
-+allow devfsd_t devpts_t:chr_file { getattr setattr };
-+allow devpts_t device_t:filesystem associate;
-+allow initctl_t device_t:filesystem associate;
-+allow device_t device_t:filesystem associate;
-+allow devlog_t device_t:filesystem associate;
-+
-+# allow all devices to be under device_t
-+allow { device_type ttyfile ptyfile } device_t:filesystem associate;
-+
-+allow domain device_t:lnk_file r_file_perms;
-+
-+# read the config files
-+allow devfsd_t etc_t:dir r_dir_perms;
-+
-+# allow the permissions and symlinks to be done
-+allow devfsd_t device_t:lnk_file create_file_perms;
-+allow devfsd_t device_t:dir rw_dir_perms;
-+allow devfsd_t { file_type ttyfile ptyfile }:{ chr_file blk_file } getattr;
-+allow devfsd_t file_type:lnk_file r_file_perms;
-+
-+allow devfsd_t self:unix_dgram_socket create_socket_perms;
-+allow devfsd_t self:unix_stream_socket create_stream_socket_perms;
-+allow devfsd_t self:unix_dgram_socket sendto;
-+allow devfsd_t self:unix_stream_socket connect;
-+
-+allow devfsd_t devfs_control_t:chr_file { getattr read ioctl };
-+dontaudit userdomain devfs_control_t:chr_file getattr;
-+
-+# allow resolv.conf and UDP access for LDAP or other NSS data source
-+allow devfsd_t self:udp_socket create_socket_perms;
-+
-+allow devfsd_t privfd:fd use;
-+
-+allow kernel_t device_t:filesystem mount;
-+
-+# for nss-ldap etc
-+can_network_client_tcp(devfsd_t)
-+allow devfsd_t port_type:tcp_socket name_connect;
-+can_ypbind(devfsd_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ethereal.te policy-1.23.17/domains/program/unused/ethereal.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ethereal.te policy-1.23.18/domains/program/unused/ethereal.te
 --- nsapolicy/domains/program/unused/ethereal.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/ethereal.te	2005-05-31 17:03:05.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ethereal.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,73 @@
 +# DESC - Ethereal  
 +#
@@ -502,9 +413,9 @@
 +ethereal_common(ethereal)
 +
 +') dnl gnome.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/evolution.te policy-1.23.17/domains/program/unused/evolution.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/evolution.te policy-1.23.18/domains/program/unused/evolution.te
 --- nsapolicy/domains/program/unused/evolution.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/evolution.te	2005-05-28 01:46:18.000000000 -0400
++++ policy-1.23.18/domains/program/unused/evolution.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,13 @@
 +# DESC - Evolution  
 +#
@@ -519,9 +430,9 @@
 +type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/evolution_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gconf.te policy-1.23.17/domains/program/unused/gconf.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gconf.te policy-1.23.18/domains/program/unused/gconf.te
 --- nsapolicy/domains/program/unused/gconf.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/gconf.te	2005-05-28 01:47:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/gconf.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,12 @@
 +# DESC - GConf preference daemon
 +#
@@ -535,9 +446,9 @@
 +type gconf_etc_t, file_type, sysadmfile;
 +
 +# Everything else is in macros/gconfd_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gift.te policy-1.23.17/domains/program/unused/gift.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gift.te policy-1.23.18/domains/program/unused/gift.te
 --- nsapolicy/domains/program/unused/gift.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/gift.te	2005-06-06 11:20:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/gift.te	2005-06-08 09:04:15.000000000 -0400
 @@ -5,5 +5,9 @@
  
  type gift_exec_t, file_type, exec_type, sysadmfile;
@@ -548,9 +459,9 @@
 +type giftd_gnutella_port_t, port_type;
  
  # Everything else is in macros/gift_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gnome.te policy-1.23.17/domains/program/unused/gnome.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gnome.te policy-1.23.18/domains/program/unused/gnome.te
 --- nsapolicy/domains/program/unused/gnome.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/gnome.te	2005-05-28 01:46:56.000000000 -0400
++++ policy-1.23.18/domains/program/unused/gnome.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,7 @@
 +#
 +# GNOME related types 
@@ -559,17 +470,17 @@
 +#
 +
 +# Look in gnome_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.17/domains/program/unused/i18n_input.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.18/domains/program/unused/i18n_input.te
 --- nsapolicy/domains/program/unused/i18n_input.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/i18n_input.te	2005-06-06 09:37:40.000000000 -0400
++++ policy-1.23.18/domains/program/unused/i18n_input.te	2005-06-08 09:04:15.000000000 -0400
 @@ -30,3 +30,4 @@
  allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
  allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
  allow i18n_input_t usr_t:file { getattr read };
 +allow i18n_input_t home_root_t:dir search;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iceauth.te policy-1.23.17/domains/program/unused/iceauth.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iceauth.te policy-1.23.18/domains/program/unused/iceauth.te
 --- nsapolicy/domains/program/unused/iceauth.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/iceauth.te	2005-05-28 01:46:42.000000000 -0400
++++ policy-1.23.18/domains/program/unused/iceauth.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,12 @@
 +#DESC ICEauth - ICE authority file utility
 +#
@@ -583,9 +494,9 @@
 +
 +# Everything else is in the iceauth_domain macro in
 +# macros/program/iceauth_macros.te.
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/orbit.te policy-1.23.17/domains/program/unused/orbit.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/orbit.te policy-1.23.18/domains/program/unused/orbit.te
 --- nsapolicy/domains/program/unused/orbit.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/orbit.te	2005-05-28 01:48:13.000000000 -0400
++++ policy-1.23.18/domains/program/unused/orbit.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,7 @@
 +#
 +# ORBit related types 
@@ -594,9 +505,9 @@
 +#
 +
 +# Look in orbit_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.17/domains/program/unused/pamconsole.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.18/domains/program/unused/pamconsole.te
 --- nsapolicy/domains/program/unused/pamconsole.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/pamconsole.te	2005-06-07 14:52:03.000000000 -0400
++++ policy-1.23.18/domains/program/unused/pamconsole.te	2005-06-08 09:04:15.000000000 -0400
 @@ -3,7 +3,7 @@
  #
  # pam_console_apply
@@ -606,9 +517,9 @@
  
  type pam_var_console_t, file_type, sysadmfile;
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.23.17/domains/program/unused/ping.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.23.18/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/ping.te	2005-06-02 08:26:20.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ping.te	2005-06-08 09:04:15.000000000 -0400
 @@ -32,7 +32,7 @@
  
  uses_shlib(ping_t)
@@ -618,9 +529,9 @@
  can_ypbind(ping_t)
  allow ping_t etc_t:file { getattr read };
  allow ping_t self:unix_stream_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.17/domains/program/unused/rpcd.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.18/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/rpcd.te	2005-06-06 07:47:17.000000000 -0400
++++ policy-1.23.18/domains/program/unused/rpcd.te	2005-06-08 09:04:15.000000000 -0400
 @@ -142,4 +142,5 @@
  allow gssd_t rpc_pipefs_t:sock_file { read write };
  allow gssd_t rpc_pipefs_t:file r_file_perms;
@@ -628,9 +539,9 @@
 -
 +allow nfsd_t devtty_t:chr_file rw_file_perms;
 +allow rpcd_t devtty_t:chr_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/thunderbird.te policy-1.23.17/domains/program/unused/thunderbird.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/thunderbird.te policy-1.23.18/domains/program/unused/thunderbird.te
 --- nsapolicy/domains/program/unused/thunderbird.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/domains/program/unused/thunderbird.te	2005-05-28 01:46:13.000000000 -0400
++++ policy-1.23.18/domains/program/unused/thunderbird.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,9 @@
 +# DESC - Thunderbird  
 +#
@@ -641,9 +552,9 @@
 +type thunderbird_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/thunderbird_macros.te
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.17/domains/program/unused/udev.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.18/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/udev.te	2005-06-07 14:52:20.000000000 -0400
++++ policy-1.23.18/domains/program/unused/udev.te	2005-06-08 09:04:15.000000000 -0400
 @@ -9,7 +9,7 @@
  #
  # udev_exec_t is the type of the udev executable.
@@ -653,9 +564,9 @@
  
  general_domain_access(udev_t)
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.17/domains/program/unused/xdm.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.18/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/xdm.te	2005-05-28 01:45:23.000000000 -0400
++++ policy-1.23.18/domains/program/unused/xdm.te	2005-06-08 09:04:15.000000000 -0400
 @@ -279,6 +279,11 @@
  # Search /var/run.
  allow xdm_xserver_t var_run_t:dir search;
@@ -668,9 +579,9 @@
  # Search home directories.
  allow xdm_xserver_t user_home_type:dir search;
  allow xdm_xserver_t user_home_type:file { getattr read };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xserver.te policy-1.23.17/domains/program/unused/xserver.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xserver.te policy-1.23.18/domains/program/unused/xserver.te
 --- nsapolicy/domains/program/unused/xserver.te	2005-05-07 00:41:11.000000000 -0400
-+++ policy-1.23.17/domains/program/unused/xserver.te	2005-05-31 17:03:20.000000000 -0400
++++ policy-1.23.18/domains/program/unused/xserver.te	2005-06-08 09:04:15.000000000 -0400
 @@ -14,8 +14,8 @@
  type xkb_var_lib_t, file_type, sysadmfile, usercanread;
  typealias xkb_var_lib_t alias var_lib_xkb_t;
@@ -682,9 +593,9 @@
  
  # Everything else is in the xserver_domain macro in
  # macros/program/xserver_macros.te.
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.17/file_contexts/distros.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.18/file_contexts/distros.fc
 --- nsapolicy/file_contexts/distros.fc	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/file_contexts/distros.fc	2005-05-31 15:18:54.000000000 -0400
++++ policy-1.23.18/file_contexts/distros.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -156,7 +156,7 @@
  /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
  /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
@@ -694,9 +605,16 @@
  ')
  
  ifdef(`distro_suse', `
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.17/file_contexts/program/apache.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/alsa.fc policy-1.23.18/file_contexts/program/alsa.fc
+--- nsapolicy/file_contexts/program/alsa.fc	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.23.18/file_contexts/program/alsa.fc	2005-06-08 14:43:16.000000000 -0400
+@@ -0,0 +1,3 @@
++#DESC       ainit - configuration tool for ALSA
++/usr/bin/ainit 			-- system_u:object_r:alsa_exec_t
++/etc/alsa/pcm(/.*)? 		 system_u:object_r:alsa_etc_rw_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.18/file_contexts/program/apache.fc
 --- nsapolicy/file_contexts/program/apache.fc	2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.17/file_contexts/program/apache.fc	2005-06-06 11:15:31.000000000 -0400
++++ policy-1.23.18/file_contexts/program/apache.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -16,7 +16,7 @@
  /usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t
  /usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t
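Review bot: In the new alsa.fc, `/etc/alsa/pcm(/.*)?` has no file-type field, so the directory and every object beneath it is labelled alsa_etc_rw_t. If ainit only writes regular files there, label the directory separately, or say in the DESC comment why the whole subtree has to be read-write. The header is written `#DESC       ainit - ...` where the other new files in this patch use `# DESC - Name` (thunderbird.te, ethereal_macros.te), and both entries mix spaces and tabs before the context.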
@@ -706,29 +624,21 @@
  /usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t
  /usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t
  /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bonobo.fc policy-1.23.17/file_contexts/program/bonobo.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bonobo.fc policy-1.23.18/file_contexts/program/bonobo.fc
 --- nsapolicy/file_contexts/program/bonobo.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/bonobo.fc	2005-06-06 11:21:18.000000000 -0400
++++ policy-1.23.18/file_contexts/program/bonobo.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/libexec/bonobo-activation-server	--	system_u:object_r:bonobo_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/devfsd.fc policy-1.23.17/file_contexts/program/devfsd.fc
---- nsapolicy/file_contexts/program/devfsd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/devfsd.fc	2005-05-25 11:28:30.000000000 -0400
-@@ -0,0 +1,4 @@
-+# devfsd
-+/etc/devfs(/.*)?		system_u:object_r:devfsd_etc_t
-+/sbin/devfsd.*		--	system_u:object_r:devfsd_exec_t
-+/etc/init\.d/makedev	--	system_u:object_r:devfsd_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ethereal.fc policy-1.23.17/file_contexts/program/ethereal.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ethereal.fc policy-1.23.18/file_contexts/program/ethereal.fc
 --- nsapolicy/file_contexts/program/ethereal.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/ethereal.fc	2005-06-06 11:31:48.000000000 -0400
++++ policy-1.23.18/file_contexts/program/ethereal.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,3 @@
 +/usr/sbin/tethereal.*		--	system_u:object_r:tethereal_exec_t
 +/usr/sbin/ethereal.*		--	system_u:object_r:ethereal_exec_t				
 +HOME_DIR/\.ethereal(/.*)? 		system_u:object_r:ROLE_ethereal_home_t		
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/evolution.fc policy-1.23.17/file_contexts/program/evolution.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/evolution.fc policy-1.23.18/file_contexts/program/evolution.fc
 --- nsapolicy/file_contexts/program/evolution.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/evolution.fc	2005-06-06 11:30:56.000000000 -0400
++++ policy-1.23.18/file_contexts/program/evolution.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,8 @@
 +/usr/bin/evolution.*					--	system_u:object_r:evolution_exec_t
 +/usr/libexec/evolution/.*evolution-alarm-notify.*	--	system_u:object_r:evolution_alarm_exec_t
@@ -738,9 +648,9 @@
 +HOME_DIR/\.evolution(/.*)?					system_u:object_r:ROLE_evolution_home_t
 +HOME_DIR/\.camel_certs(/.*)?					system_u:object_r:ROLE_evolution_home_t
 +/tmp/\.exchange-USER(/.*)?					system_u:object_r:ROLE_evolution_exchange_tmp_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fontconfig.fc policy-1.23.17/file_contexts/program/fontconfig.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fontconfig.fc policy-1.23.18/file_contexts/program/fontconfig.fc
 --- nsapolicy/file_contexts/program/fontconfig.fc	2005-05-31 14:19:59.000000000 -0400
-+++ policy-1.23.17/file_contexts/program/fontconfig.fc	2005-05-28 01:55:16.000000000 -0400
++++ policy-1.23.18/file_contexts/program/fontconfig.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -1,2 +1,4 @@
 -HOME_DIR/\.fonts(/.*)?				system_u:object_r:ROLE_fonts_t	
 -HOME_DIR/\.fonts.cache-1		--	system_u:object_r:ROLE_fonts_cache_t
@@ -748,18 +658,18 @@
 +HOME_DIR/\.fonts.conf		--	system_u:object_r:ROLE_fonts_config_t
 +HOME_DIR/\.fonts(/.*)?			system_u:object_r:ROLE_fonts_t
 +HOME_DIR/\.fonts.cache-.*	--	system_u:object_r:ROLE_fonts_cache_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gconf.fc policy-1.23.17/file_contexts/program/gconf.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gconf.fc policy-1.23.18/file_contexts/program/gconf.fc
 --- nsapolicy/file_contexts/program/gconf.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/gconf.fc	2005-05-28 01:54:01.000000000 -0400
++++ policy-1.23.18/file_contexts/program/gconf.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,5 @@
 +/usr/libexec/gconfd-2	--	system_u:object_r:gconfd_exec_t
 +/etc/gconf(/.*)?		system_u:object_r:gconf_etc_t
 +HOME_DIR/\.gconf(/.*)?		system_u:object_r:ROLE_gconfd_home_t
 +HOME_DIR/\.gconfd(/.*)?		system_u:object_r:ROLE_gconfd_home_t
 +/tmp/gconfd-USER(/.*)?		system_u:object_r:ROLE_gconfd_tmp_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gnome.fc policy-1.23.17/file_contexts/program/gnome.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gnome.fc policy-1.23.18/file_contexts/program/gnome.fc
 --- nsapolicy/file_contexts/program/gnome.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/gnome.fc	2005-06-06 11:33:57.000000000 -0400
++++ policy-1.23.18/file_contexts/program/gnome.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,9 @@
 +# FIXME: add a lot more GNOME folders
 +# FIXME: Those folders will be created with the wrong type 
@@ -770,21 +680,21 @@
 +')
 +HOME_DIR/\.gnome(2)?/share/fonts(/.*)?          system_u:object_r:ROLE_fonts_t
 +HOME_DIR/\.gnome(2)?/share/cursor-fonts(/.*)?   system_u:object_r:ROLE_fonts_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gnome_vfs.fc policy-1.23.17/file_contexts/program/gnome_vfs.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gnome_vfs.fc policy-1.23.18/file_contexts/program/gnome_vfs.fc
 --- nsapolicy/file_contexts/program/gnome_vfs.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/gnome_vfs.fc	2005-06-06 11:21:32.000000000 -0400
++++ policy-1.23.18/file_contexts/program/gnome_vfs.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/libexec/gnome-vfs-daemon 	--	system_u:object_r:gnome_vfs_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/iceauth.fc policy-1.23.17/file_contexts/program/iceauth.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/iceauth.fc policy-1.23.18/file_contexts/program/iceauth.fc
 --- nsapolicy/file_contexts/program/iceauth.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/iceauth.fc	2005-05-28 01:54:19.000000000 -0400
++++ policy-1.23.18/file_contexts/program/iceauth.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,3 @@
 +# iceauth
 +/usr/X11R6/bin/iceauth	--      system_u:object_r:iceauth_exec_t
 +HOME_DIR/\.ICEauthority.* --      system_u:object_r:ROLE_iceauth_home_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.23.17/file_contexts/program/mozilla.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.23.18/file_contexts/program/mozilla.fc
 --- nsapolicy/file_contexts/program/mozilla.fc	2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/mozilla.fc	2005-05-28 01:55:06.000000000 -0400
++++ policy-1.23.18/file_contexts/program/mozilla.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -3,9 +3,6 @@
  HOME_DIR/\.netscape(/.*)?	system_u:object_r:ROLE_mozilla_home_t
  HOME_DIR/\.mozilla(/.*)?	system_u:object_r:ROLE_mozilla_home_t
@@ -795,34 +705,33 @@
  HOME_DIR/My.Downloads(/.*)?	system_u:object_r:ROLE_mozilla_home_t
  HOME_DIR/\.java(/.*)?		system_u:object_r:ROLE_mozilla_home_t
  /usr/bin/netscape	--	system_u:object_r:mozilla_exec_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/orbit.fc policy-1.23.17/file_contexts/program/orbit.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/orbit.fc policy-1.23.18/file_contexts/program/orbit.fc
 --- nsapolicy/file_contexts/program/orbit.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/orbit.fc	2005-06-06 11:21:32.000000000 -0400
++++ policy-1.23.18/file_contexts/program/orbit.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,3 @@
 +/tmp/orbit-USER(-.*)?		-d      system_u:object_r:ROLE_orbit_tmp_t
 +/tmp/orbit-USER(-.*)?/linc.*	-s	<<none>>
 +/tmp/orbit-USER(-.*)?/bonobo.*		system_u:object_r:ROLE_bonobo_orbit_tmp_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.23.17/file_contexts/program/pppd.fc
---- nsapolicy/file_contexts/program/pppd.fc	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/file_contexts/program/pppd.fc	2005-05-25 11:28:29.000000000 -0400
-@@ -4,7 +4,7 @@
- /dev/ppp		-c	system_u:object_r:ppp_device_t
- /dev/pppox.*		-c	system_u:object_r:ppp_device_t
- /dev/ippp.*		-c	system_u:object_r:ppp_device_t
--/var/run/pppd[0-9]*\.tdb --	system_u:object_r:pppd_var_run_t
-+/var/run/pppd\.tdb	--	system_u:object_r:pppd_var_run_t
- /var/run/ppp(/.*)?		system_u:object_r:pppd_var_run_t
- /etc/ppp		-d	system_u:object_r:pppd_etc_t
- /etc/ppp/.*		--	system_u:object_r:pppd_etc_rw_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/thunderbird.fc policy-1.23.17/file_contexts/program/thunderbird.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/thunderbird.fc policy-1.23.18/file_contexts/program/thunderbird.fc
 --- nsapolicy/file_contexts/program/thunderbird.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/file_contexts/program/thunderbird.fc	2005-05-28 01:54:38.000000000 -0400
++++ policy-1.23.18/file_contexts/program/thunderbird.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,2 @@
 +/usr/bin/thunderbird.*			--	system_u:object_r:thunderbird_exec_t
 +HOME_DIR/\.thunderbird(/.*)?			system_u:object_r:ROLE_thunderbird_home_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xserver.fc policy-1.23.17/file_contexts/program/xserver.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.23.18/file_contexts/program/xdm.fc
+--- nsapolicy/file_contexts/program/xdm.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.18/file_contexts/program/xdm.fc	2005-06-08 12:04:29.000000000 -0400
+@@ -3,6 +3,7 @@
+ /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
+ /opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
+ /usr/bin/gpe-dm		--	system_u:object_r:xdm_exec_t
++/usr/bin/gdm-binary	--	system_u:object_r:xdm_exec_t
+ /var/[xgk]dm(/.*)?		system_u:object_r:xserver_log_t
+ /usr/var/[xgkw]dm(/.*)?		system_u:object_r:xserver_log_t
+ /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xserver.fc policy-1.23.18/file_contexts/program/xserver.fc
 --- nsapolicy/file_contexts/program/xserver.fc	2005-04-04 10:21:11.000000000 -0400
-+++ policy-1.23.17/file_contexts/program/xserver.fc	2005-05-28 01:54:48.000000000 -0400
++++ policy-1.23.18/file_contexts/program/xserver.fc	2005-06-08 09:04:15.000000000 -0400
 @@ -13,5 +13,5 @@
  /etc/init\.d/xfree86-common --	system_u:object_r:xserver_exec_t
  /tmp/\.X11-unix		-d	system_u:object_r:xdm_tmp_t
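Review bot: The xdm.fc entry `/usr/bin/gdm-binary -- system_u:object_r:xdm_exec_t` is new in this revision, and the pppd.fc hunk that narrowed `/var/run/pppd[0-9]*\.tdb` to `/var/run/pppd\.tdb` is dropped, yet the 1.23.18-2 changelog lists only "Add alsa policy" and "Policy cleanup from Ivan". Labelling another binary as xdm_exec_t changes which executable enters the xdm domain, so it deserves its own changelog line, and the pppd.fc removal should be noted as intentional so the upstream pattern is not re-narrowed later.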
@@ -830,10 +739,18 @@
 -/tmp/\.ICE-unix		-d	system_u:object_r:xdm_xserver_tmp_t
 +/tmp/\.ICE-unix		-d	system_u:object_r:ice_tmp_t
  /tmp/\.ICE-unix/.*	-s	<<none>>
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.17/file_contexts/types.fc
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.18/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/file_contexts/types.fc	2005-05-28 01:55:53.000000000 -0400
-@@ -499,6 +499,7 @@
++++ policy-1.23.18/file_contexts/types.fc	2005-06-08 09:04:15.000000000 -0400
+@@ -249,6 +249,7 @@
+ /dev/dri/.+		-c	system_u:object_r:dri_device_t
+ /dev/radeon		-c	system_u:object_r:dri_device_t
+ /dev/agpgart		-c	system_u:object_r:agp_device_t
++/dev/z90crypt		-c	system_u:object_r:crypt_device_t
+ 
+ #
+ # Misc
+@@ -499,6 +500,7 @@
  #
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
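Review bot: The new types.fc line `/dev/z90crypt -c system_u:object_r:crypt_device_t` uses a type that nothing in this part of the patch declares or grants access to. Please confirm the same revision declares crypt_device_t and states which domains may open the device: an undeclared type makes the file contexts fail validation against the policy, and a declared type with no allow rules leaves the device unusable from confined domains. A one-line comment saying what /dev/z90crypt is would also help, since the neighbouring entries are all graphics devices.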
@@ -841,9 +758,22 @@
  /usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
  /usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.17/macros/base_user_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.23.18/macros/admin_macros.te
+--- nsapolicy/macros/admin_macros.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/macros/admin_macros.te	2005-06-08 09:04:15.000000000 -0400
+@@ -213,5 +213,8 @@
+ # Set a context other than the default one for newly created files.
+ can_setfscreate($1)
+ 
+-') 
++allow $1 self:netlink_audit_socket nlmsg_readpriv;
++
++')
++
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.18/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.23.17/macros/base_user_macros.te	2005-06-06 16:27:51.000000000 -0400
++++ policy-1.23.18/macros/base_user_macros.te	2005-06-08 22:57:41.000000000 -0400
 @@ -22,6 +22,14 @@
  undefine(`base_user_domain')
  define(`base_user_domain', `
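Review bot: The added `allow $1 self:netlink_audit_socket nlmsg_readpriv;` in admin_macros.te carries no comment, unlike the `can_setfscreate($1)` rule directly above it, and it grants only nlmsg_readpriv. Say which tool needs to read audit state from this domain, and check that the macro already gives $1 the create, read and write permissions on netlink_audit_socket, because nlmsg_readpriv on its own does not let the domain open the socket. The `') ` to `')` change and the two extra blank lines are whitespace churn that could be left out of the patch.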
@@ -872,31 +802,32 @@
  ifdef(`startx.te', `xserver_domain($1)')
  ifdef(`lpr.te', `lpr_domain($1)')
  ifdef(`ssh.te', `ssh_domain($1)')
-@@ -196,9 +205,23 @@
+@@ -196,10 +205,24 @@
  ifdef(`uml.te', `uml_domain($1)')
  ifdef(`cdrecord.te', `cdrecord_domain($1)')
  ifdef(`mplayer.te', `mplayer_domains($1)')
-+
-+ifdef(`fontconfig.te', `fontconfig_domain($1)')
-+
+-ifdef(`gift.te', `gift_domains($1)')
+ 
+ fontconfig_domain($1)
+ 
 +# GNOME
 +ifdef(`gnome.te', `
 +gnome_domain($1)
 +ifdef(`games.te', `games_domain($1)')
- ifdef(`gift.te', `gift_domains($1)')
++ifdef(`gift.te', `gift_domains($1)')
 +ifdef(`evolution.te', `evolution_domains($1)')
 +ifdef(`ethereal.te', `ethereal_domain($1)')
 +')
 +
 +# ICE communication channel
 +ice_domain($1, $1)
- 
--fontconfig_domain($1)
++
 +# ORBit communication channel (independent of GNOME)
 +orbit_domain($1, $1)
- 
++
  # Instantiate a derived domain for user cron jobs.
  ifdef(`crond.te', `crond_domain($1)')
+ 
 @@ -294,8 +317,6 @@
  x_client_domain($1, $1)
  
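Review bot: In base_user_domain, `ifdef(`gift.te', `gift_domains($1)')` moves from top level into the `ifdef(`gnome.te', ...)` block, so a policy built with gift.te but without gnome.te no longer instantiates the gift domains at all. That fits gift_macros.te now calling gnome_application, but the dependency is silent. Add a comment under `# GNOME` stating that gift requires gnome.te, or keep the gift line outside the block and guard the gnome_application call instead.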
@@ -906,9 +837,9 @@
  allow $1_t xserver_misc_device_t:{ chr_file blk_file } rw_file_perms;
  ')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.17/macros/global_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.18/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/macros/global_macros.te	2005-05-31 17:03:20.000000000 -0400
++++ policy-1.23.18/macros/global_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -60,7 +60,7 @@
  # read_sysctl(domain)
  #
@@ -1032,9 +963,9 @@
 -r_dir_file($1, fonts_t)
 -')
 -
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/bonobo_macros.te policy-1.23.17/macros/program/bonobo_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/bonobo_macros.te policy-1.23.18/macros/program/bonobo_macros.te
 --- nsapolicy/macros/program/bonobo_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/bonobo_macros.te	2005-06-06 14:11:22.000000000 -0400
++++ policy-1.23.18/macros/program/bonobo_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,118 @@
 +#
 +# Bonobo
@@ -1154,9 +1085,9 @@
 +orbit_connect($2, $1)
 +
 +') dnl bonobo_connect
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.23.17/macros/program/ethereal_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.23.18/macros/program/ethereal_macros.te
 --- nsapolicy/macros/program/ethereal_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/ethereal_macros.te	2005-06-06 11:21:37.000000000 -0400
++++ policy-1.23.18/macros/program/ethereal_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,61 @@
 +# DESC - Ethereal  
 +#
@@ -1219,10 +1150,10 @@
 +# FIXME: policy is incomplete
 +
 +') dnl ethereal_domain 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.23.17/macros/program/evolution_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.23.18/macros/program/evolution_macros.te
 --- nsapolicy/macros/program/evolution_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/evolution_macros.te	2005-06-06 14:15:54.000000000 -0400
-@@ -0,0 +1,249 @@
++++ policy-1.23.18/macros/program/evolution_macros.te	2005-06-08 22:57:41.000000000 -0400
+@@ -0,0 +1,240 @@
 +#
 +# Evolution   
 +#
@@ -1274,9 +1205,6 @@
 +# Talks to exchange
 +bonobo_connect($1_evolution_server, $1_evolution_exchange)
 +
-+# Talks to exchange
-+bonobo_connect($1_evolution_server, $1_evolution_exchange)
-+
 +can_exec($1_evolution_server_t, shell_exec_t)
 +
 +# Obtain weather data via http (read server name from xml file in /usr)
@@ -1454,12 +1382,6 @@
 +domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
 +') dnl mozilla.te
 +
-+### Start links in web browser
-+ifdef(`mozilla.te', `
-+can_exec($1_evolution_t, shell_exec_t)
-+domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
-+') dnl mozilla.te
-+
 +') dnl evolution_domain
 +
 +#################################
@@ -1472,10 +1394,10 @@
 +evolution_alarm($1)
 +evolution_exchange($1)
 +') dnl end evolution_domains
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.17/macros/program/fontconfig_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.18/macros/program/fontconfig_macros.te
 --- nsapolicy/macros/program/fontconfig_macros.te	2005-05-31 14:20:00.000000000 -0400
-+++ policy-1.23.17/macros/program/fontconfig_macros.te	2005-06-06 16:39:03.000000000 -0400
-@@ -8,17 +8,44 @@
++++ policy-1.23.18/macros/program/fontconfig_macros.te	2005-06-08 22:57:41.000000000 -0400
+@@ -8,17 +8,43 @@
  # read_fonts(domain, role_prefix) - 
  #         allow domain to read fonts, optionally per/user
  #  
@@ -1512,22 +1434,21 @@
 +# Automatically manipulated by libfontconfig
 +can_restore_context($1)
 +
-+ifdef(`fontsconfig.te', `
 +allow $1 $2_fonts_cache_t:file create_file_perms;
 +# Read per user fonts and font config
 +r_dir_file($1, $2_fonts_t)
 +r_dir_file($1, $2_fonts_config_t)
++
 +# There are some fonts in .gnome2
 +ifdef(`gnome.te', `
 +allow $1 $2_gnome_settings_t:dir { getattr search };
 +')
-+')
 +
-+')
++') dnl ifelse
 +') dnl read_fonts
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.17/macros/program/games_domain.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.18/macros/program/games_domain.te
 --- nsapolicy/macros/program/games_domain.te	2005-05-07 00:41:12.000000000 -0400
-+++ policy-1.23.17/macros/program/games_domain.te	2005-06-06 16:03:27.000000000 -0400
++++ policy-1.23.18/macros/program/games_domain.te	2005-06-08 22:57:41.000000000 -0400
 @@ -22,17 +22,11 @@
  
  can_create_pty($1_games)
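Review bot: Removing the `ifdef(`fontsconfig.te', ...` wrapper in read_fonts makes the `$2_fonts_cache_t`, `$2_fonts_t` and `$2_fonts_config_t` rules unconditional; the old guard name did not match the `fontconfig.te` spelling used in base_user_macros.te. Every caller that passes a role prefix now depends on fontconfig_domain having been instantiated for that prefix, otherwise the rules reference undeclared types. Please state that requirement in the read_fonts header comment. The `') dnl ifelse` marker is a good addition; the `')` that closes the gnome.te block could get the same treatment.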
@@ -1597,7 +1518,7 @@
  allow $1_games_t self:sem create_sem_perms;
  
  allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-@@ -92,13 +81,15 @@
+@@ -92,13 +81,12 @@
  dontaudit $1_games_t initrc_var_run_t:file { read write };
  dontaudit $1_games_t var_log_t:dir search;
  
@@ -1612,14 +1533,11 @@
 +# Suppress .icons denial until properly implemented
 +dontaudit $1_games_t $1_home_t:dir read;
 +
-+# Suppress .icons denial until properly implemented
-+dontaudit $1_games_t $1_home_t:dir read;
-+
  ')dnl end macro definition
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gconf_macros.te policy-1.23.17/macros/program/gconf_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gconf_macros.te policy-1.23.18/macros/program/gconf_macros.te
 --- nsapolicy/macros/program/gconf_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/gconf_macros.te	2005-06-06 11:21:41.000000000 -0400
++++ policy-1.23.18/macros/program/gconf_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,56 @@
 +#
 +# GConfd daemon  
@@ -1677,14 +1595,15 @@
 +allow $1_t $2_gconfd_tmp_t:file { getattr read }; 
 +
 +') dnl gconf_client 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.17/macros/program/gift_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.18/macros/program/gift_macros.te
 --- nsapolicy/macros/program/gift_macros.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/macros/program/gift_macros.te	2005-06-06 14:22:41.000000000 -0400
-@@ -17,59 +17,33 @@
++++ policy-1.23.18/macros/program/gift_macros.te	2005-06-08 22:57:41.000000000 -0400
+@@ -17,59 +17,31 @@
  domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
  role $1_r types $1_gift_t;
  
 -# X access, Home files, /tmp
++# X access, Home files, GNOME, /tmp
  x_client_domain($1_gift, $1)
 +gnome_application($1_gift, $1)
  home_domain($1, gift)
@@ -1708,8 +1627,7 @@
 -
  # Launch gift daemon
  allow $1_gift_t bin_t:dir search;
- allow $1_gift_t self:process { fork signal_perms getsched };
-+allow $1_gift_t self:fifo_file { read write };
+-allow $1_gift_t self:process { fork signal_perms getsched };
  domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
  
  # Connect to gift daemon
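Review bot: Under `# Launch gift daemon`, this revision turns `allow $1_gift_t self:process { fork signal_perms getsched };` from a kept line into a removed one and also drops the added `self:fifo_file { read write }` rule. Launching the daemon through `domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)` still needs the client to fork, so confirm that gnome_application($1_gift, $1) or x_client_domain supplies these permissions before deleting them here, and mention it in the `# X access, Home files, GNOME, /tmp` comment.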
@@ -1718,9 +1636,7 @@
 +can_network_client_tcp($1_gift_t, giftd_port_t)
 +allow $1_gift_t giftd_port_t:tcp_socket name_connect;
  
--# Read /proc/meminfo
-+# Read /proc/meminfo, sysctl
-+read_sysctl($1_gift_t)
+ # Read /proc/meminfo
  allow $1_gift_t proc_t:dir search;
  allow $1_gift_t proc_t:file { getattr read };
  
@@ -1748,7 +1664,7 @@
  
  ') dnl gift_domain
  
-@@ -103,15 +77,21 @@
+@@ -103,15 +75,15 @@
  
  # Access home domain
  home_domain_access($1_giftd_t, $1, gift)
@@ -1762,24 +1678,18 @@
 -can_network_client($1_giftd_t)
 +allow $1_giftd_t self:udp_socket listen;
 +allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;
-+dontaudit $1_giftd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
-+
-+allow $1_giftd_t giftd_openft_port_t:tcp_socket name_bind;
-+allow $1_giftd_t giftd_fasttrack_port_t:{ tcp_socket udp_socket } name_bind;
-+allow $1_giftd_t giftd_gnutella_port_t:tcp_socket name_bind;
  
 -# FIXME: ???
 -dontaudit $1_giftd_t self:udp_socket listen;
-+# Connect to various p2p networks
++# Connect to various p2p networks. Ports can be random.
 +can_network_client($1_giftd_t)
 +allow $1_giftd_t port_type:tcp_socket name_connect;
-+dontaudit $1_giftd_t reserved_port_type:tcp_socket name_connect;
  
  # Plugins
  r_dir_file($1_giftd_t, usr_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gnome_macros.te policy-1.23.17/macros/program/gnome_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gnome_macros.te policy-1.23.18/macros/program/gnome_macros.te
 --- nsapolicy/macros/program/gnome_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/gnome_macros.te	2005-06-06 14:25:41.000000000 -0400
++++ policy-1.23.18/macros/program/gnome_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,113 @@
 +#
 +# GNOME related types 
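Review bot: In the giftd rules of gift_macros.te, this revision removes both `dontaudit ... reserved_port_type` lines and the giftd_openft_port_t, giftd_fasttrack_port_t and giftd_gnutella_port_t binds, leaving `allow $1_giftd_t port_type:{ tcp_socket udp_socket } name_bind;` and `allow $1_giftd_t port_type:tcp_socket name_connect;` as the network rules. port_type is the attribute carried by port types in general, so the daemon may bind or connect to any labelled port and the policy no longer confines its network use in any meaningful way. The new comment says ports can be random, which argues for a broad name_connect, but name_bind could stay limited to the giftd port types and generic unreserved ports.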
@@ -1894,9 +1804,9 @@
 +allow $2_t $1_secret_t:file unlink;
 +
 +') dnl gnome_private_store
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gnome_vfs_macros.te policy-1.23.17/macros/program/gnome_vfs_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gnome_vfs_macros.te policy-1.23.18/macros/program/gnome_vfs_macros.te
 --- nsapolicy/macros/program/gnome_vfs_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/gnome_vfs_macros.te	2005-06-06 11:21:42.000000000 -0400
++++ policy-1.23.18/macros/program/gnome_vfs_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,49 @@
 +#
 +# GNOME VFS daemon  
@@ -1947,9 +1857,9 @@
 +bonobo_connect($1, $2_gnome_vfs)
 +
 +') dnl gnome_vfs_client 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/iceauth_macros.te policy-1.23.17/macros/program/iceauth_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/iceauth_macros.te policy-1.23.18/macros/program/iceauth_macros.te
 --- nsapolicy/macros/program/iceauth_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/iceauth_macros.te	2005-06-06 16:34:51.000000000 -0400
++++ policy-1.23.18/macros/program/iceauth_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,34 @@
 +#
 +# Macros for iceauth domains.
@@ -1985,10 +1895,10 @@
 +# FIXME: policy is incomplete
 +
 +')dnl end xauth_domain macro
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ice_macros.te policy-1.23.17/macros/program/ice_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ice_macros.te policy-1.23.18/macros/program/ice_macros.te
 --- nsapolicy/macros/program/ice_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/ice_macros.te	2005-06-06 16:35:06.000000000 -0400
-@@ -0,0 +1,44 @@
++++ policy-1.23.18/macros/program/ice_macros.te	2005-06-08 22:57:41.000000000 -0400
+@@ -0,0 +1,42 @@
 +#
 +# ICE related types 
 +#
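Review bot: The closing line of iceauth_macros.te reads `')dnl end xauth_domain macro`, apparently left over from the xauth macros; it should name the iceauth macro so the m4 nesting can be followed. The `# FIXME: policy is incomplete` just above it should also say what is missing, since base_user_domain already instantiates the ICE macros for every user domain.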
@@ -1998,7 +1908,6 @@
 +# ice_connect(type1_prefix, type2_prefix) - allow communication through ICE sockets 
 +
 +define(`ice_domain', `
-+ifdef(`iceauth.te',`
 +ifdef(`$1_ice_tmp_t_defined',`', `
 +define(`$1_ice_tmp_t_defined')
 +
@@ -2018,7 +1927,6 @@
 +
 +')
 +')
-+')
 +
 +# FIXME: Should this be bidirectional?
 +# Adding only unidirectional for now.
@@ -2033,9 +1941,9 @@
 +allow $1_t $2_ice_tmp_t:sock_file { read write };
 +allow $1_t $2_t:unix_stream_socket { read write };
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.23.17/macros/program/mail_client_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.23.18/macros/program/mail_client_macros.te
 --- nsapolicy/macros/program/mail_client_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/mail_client_macros.te	2005-06-06 11:21:43.000000000 -0400
++++ policy-1.23.18/macros/program/mail_client_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,60 @@
 +#
 +# Shared macro for mail clients
@@ -2097,9 +2005,9 @@
 +')
 +
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.17/macros/program/mozilla_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.18/macros/program/mozilla_macros.te
 --- nsapolicy/macros/program/mozilla_macros.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.17/macros/program/mozilla_macros.te	2005-06-06 14:28:20.000000000 -0400
++++ policy-1.23.18/macros/program/mozilla_macros.te	2005-06-08 22:57:41.000000000 -0400
 @@ -15,6 +15,11 @@
  # The type declaration for the executable type for this program is
  # provided separately in domains/program/mozilla.te. 
@@ -2112,7 +2020,7 @@
  define(`mozilla_domain',`
  
  type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
-@@ -29,21 +34,20 @@
+@@ -29,21 +34,18 @@
  home_domain($1, mozilla)
  x_client_domain($1_mozilla, $1)
  
@@ -2131,18 +2039,18 @@
 -can_network_client($1_mozilla_t)
 -allow $1_mozilla_t ftp_port_t:tcp_socket name_connect;
 -#allow $1_mozilla_t port_type:tcp_socket name_connect;
-+can_resolve($1_mozilla_t)
-+can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t } )
-+allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t }:tcp_socket name_connect;
- 
+-
 -uses_shlib($1_mozilla_t)
 -read_locale($1_mozilla_t)
- read_sysctl($1_mozilla_t)
+-read_sysctl($1_mozilla_t)
 -access_terminal($1_mozilla_t, $1)
++can_resolve($1_mozilla_t)
++can_network_client_tcp($1_mozilla_t, { http_port_t http_cache_port_t ftp_port_t } )
++allow $1_mozilla_t { http_port_t http_cache_port_t ftp_port_t }:tcp_socket name_connect;
  
  allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
  
-@@ -55,21 +59,14 @@
+@@ -55,21 +57,14 @@
  can_ps($1_t, $1_mozilla_t)
  allow $1_t $1_mozilla_t:process signal_perms;
  
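Review bot: `read_sysctl($1_mozilla_t)` was unchanged context in the previous revision of this patch and is now a removed line, so `mozilla_domain` loses it together with `uses_shlib`, `read_locale` and `access_terminal`. Nothing visible here shows where those permissions come from instead; if `home_domain($1, mozilla)` or `x_client_domain($1_mozilla, $1)` is meant to supply them, a comment above the `can_resolve` line should say so, otherwise expect new denials. The `can_network_client_tcp` call and the explicit `name_connect` rule repeat the same three port types, which is easy to let drift apart.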
@@ -2164,7 +2072,7 @@
  
  # for bash - old mozilla binary
  can_exec($1_mozilla_t, mozilla_exec_t)
-@@ -83,10 +80,6 @@
+@@ -83,10 +78,6 @@
  
  allow $1_mozilla_t { var_t var_lib_t }:dir search;
  
@@ -2175,7 +2083,7 @@
  # interacting with gstreamer
  r_dir_file($1_mozilla_t, var_t)
  
-@@ -96,14 +89,6 @@
+@@ -96,14 +87,6 @@
  # Execute downloaded programs.
  can_exec($1_mozilla_t, $1_mozilla_tmp_t)
  
@@ -2190,7 +2098,7 @@
  # Allow mozilla to read user home content
  if (mozilla_readhome || mozilla_writehome) {
  r_dir_file($1_mozilla_t, $1_home_t)
-@@ -113,10 +98,11 @@
+@@ -113,10 +96,11 @@
  }
  
  if (mozilla_writehome) {
@@ -2206,7 +2114,7 @@
  
  allow $1_mozilla_t $1_t:unix_stream_socket connectto;
  allow $1_mozilla_t sysctl_net_t:dir search;
-@@ -130,8 +116,6 @@
+@@ -130,8 +114,6 @@
  allow $1_mozilla_t mozilla_conf_t:file r_file_perms;
  dontaudit $1_mozilla_t port_type:tcp_socket name_bind;
  dontaudit $1_mozilla_t dri_device_t:chr_file rw_file_perms;
@@ -2215,7 +2123,7 @@
  allow $1_mozilla_t self:sem create_sem_perms;
  
  # Java plugin
-@@ -139,7 +123,6 @@
+@@ -139,7 +121,6 @@
  javaplugin_domain($1_mozilla, $1)
  ')
  
@@ -2223,7 +2131,7 @@
  # Use printer
  ifdef(`lpr.te', `
  domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
-@@ -148,6 +131,7 @@
+@@ -148,6 +129,7 @@
  allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
  
  # Suppress history.fop denial
@@ -2231,7 +2139,7 @@
  dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
  
  dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
-@@ -159,6 +143,7 @@
+@@ -159,6 +141,7 @@
  domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
  
  # Read mozilla content in /tmp
@@ -2239,7 +2147,7 @@
  r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);
  
  # Suppress history.fop denial
-@@ -167,6 +152,12 @@
+@@ -167,6 +150,12 @@
  dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
  ')dnl end if mplayer.te  
  
@@ -2252,10 +2160,10 @@
  if (allow_execmem) {
  allow $1_mozilla_t self:process execmem;
  }
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/orbit_macros.te policy-1.23.17/macros/program/orbit_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/orbit_macros.te policy-1.23.18/macros/program/orbit_macros.te
 --- nsapolicy/macros/program/orbit_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/orbit_macros.te	2005-06-06 14:30:08.000000000 -0400
-@@ -0,0 +1,48 @@
++++ policy-1.23.18/macros/program/orbit_macros.te	2005-06-08 22:57:41.000000000 -0400
+@@ -0,0 +1,44 @@
 +#
 +# ORBit related types 
 +#
@@ -2286,10 +2194,6 @@
 +allow $1_t self:unix_stream_socket create_stream_socket_perms;
 +allow $1_t self:unix_dgram_socket create_socket_perms;
 +
-+# Write to bonobo files
-+allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
-+dontaudit $1_t $2_orbit_tmp_t:dir setattr;
-+
 +# Use random device(s)
 +allow $1_t { random_device_t urandom_device_t }:chr_file { read getattr ioctl };
 +
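Review bot: the "Write to bonobo files" block is dropped whole, including `dontaudit $1_t $2_orbit_tmp_t:dir setattr;`. Losing the `allow` on `$2_orbit_tmp_t:file` is a welcome tightening, but without the dontaudit any setattr attempt on that directory will start appearing as denials in the audit log. If the rule has moved to the bonobo policy, say so in the changelog; if not, consider keeping the dontaudit line on its own.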
@@ -2304,9 +2208,9 @@
 +allow $1_t $2_orbit_tmp_t:sock_file write;
 +
 +') dnl orbit_connect
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.23.17/macros/program/spamassassin_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.23.18/macros/program/spamassassin_macros.te
 --- nsapolicy/macros/program/spamassassin_macros.te	2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.17/macros/program/spamassassin_macros.te	2005-05-28 01:50:36.000000000 -0400
++++ policy-1.23.18/macros/program/spamassassin_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -29,7 +29,7 @@
  # Note: most of this should really be in a generic macro like
  # base_user_program($1, foo)
@@ -2342,9 +2246,9 @@
  ') dnl endif spamd.te
  ') dnl endif spamc.te
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.23.17/macros/program/thunderbird_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.23.18/macros/program/thunderbird_macros.te
 --- nsapolicy/macros/program/thunderbird_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.17/macros/program/thunderbird_macros.te	2005-06-06 11:21:43.000000000 -0400
++++ policy-1.23.18/macros/program/thunderbird_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -0,0 +1,59 @@
 +#
 +# Thunderbird
@@ -2405,9 +2309,9 @@
 +can_network_client_tcp($1_thunderbird_t, http_port_t) 
 +allow $1_thunderbird_t http_port_t:tcp_socket name_connect;
 +')
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.23.17/macros/program/xauth_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xauth_macros.te policy-1.23.18/macros/program/xauth_macros.te
 --- nsapolicy/macros/program/xauth_macros.te	2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.17/macros/program/xauth_macros.te	2005-05-28 01:49:57.000000000 -0400
++++ policy-1.23.18/macros/program/xauth_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -23,7 +23,7 @@
  
  allow $1_xauth_t self:process signal;
@@ -2417,9 +2321,9 @@
  
  # Transition from the user domain to this domain.
  domain_auto_trans($1_t, xauth_exec_t, $1_xauth_t)
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.17/macros/program/x_client_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.18/macros/program/x_client_macros.te
 --- nsapolicy/macros/program/x_client_macros.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.17/macros/program/x_client_macros.te	2005-06-06 11:21:43.000000000 -0400
++++ policy-1.23.18/macros/program/x_client_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -16,12 +16,8 @@
  # Connect to xserver
  can_unix_connect($1_t, $2_xserver_t)
@@ -2443,9 +2347,9 @@
  allow $1_t $2_xauth_home_t:file { getattr read };
  ')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.23.17/macros/program/xserver_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.23.18/macros/program/xserver_macros.te
 --- nsapolicy/macros/program/xserver_macros.te	2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.17/macros/program/xserver_macros.te	2005-05-31 17:03:20.000000000 -0400
++++ policy-1.23.18/macros/program/xserver_macros.te	2005-06-08 09:04:15.000000000 -0400
 @@ -79,6 +79,12 @@
  allow xdm_xserver_t init_t:fd use;
  
@@ -2494,9 +2398,9 @@
  ')dnl end macro definition
  
  ', `
-diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.23.17/mls
+diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.23.18/mls
 --- nsapolicy/mls	2005-04-14 15:01:53.000000000 -0400
-+++ policy-1.23.17/mls	2005-06-07 14:52:23.000000000 -0400
++++ policy-1.23.18/mls	2005-06-08 09:04:15.000000000 -0400
 @@ -257,10 +257,10 @@
  # these access vectors have no MLS restrictions
  # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
@@ -2587,9 +2491,9 @@
  
  
  
-diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.17/net_contexts
+diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.18/net_contexts
 --- nsapolicy/net_contexts	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.17/net_contexts	2005-06-07 14:52:23.000000000 -0400
++++ policy-1.23.18/net_contexts	2005-06-08 22:57:41.000000000 -0400
 @@ -50,19 +50,25 @@
  portcon udp 53 system_u:object_r:dns_port_t
  portcon tcp 53 system_u:object_r:dns_port_t
@@ -2631,7 +2535,7 @@
  ifdef(`snmpd.te', `
  portcon udp 161 system_u:object_r:snmp_port_t
  portcon udp 162 system_u:object_r:snmp_port_t
-@@ -131,10 +133,13 @@
+@@ -131,10 +133,8 @@
  ')
  ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
  ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
@@ -2641,15 +2545,10 @@
 -portcon tcp 1109 system_u:object_r:pop_port_t
 +ifdef(`gift.te', `
 +portcon tcp 1213 system_u:object_r:giftd_port_t
-+portcon tcp 1214 system_u:object_r:giftd_fasttrack_port_t
-+portcon udp 1214 system_u:object_r:giftd_fasttrack_port_t
-+portcon tcp 2141 system_u:object_r:giftd_openft_port_t
-+portcon tcp 2513 system_u:object_r:giftd_openft_port_t
-+portcon tcp 3606 system_u:object_r:giftd_gnutella_port_t
  ')
  ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
  ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-@@ -191,6 +196,7 @@
+@@ -191,6 +191,7 @@
  ')
  ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
  ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
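Review bot: with the `giftd_fasttrack_port_t`, `giftd_openft_port_t` and `giftd_gnutella_port_t` portcon lines removed, only tcp 1213 stays labelled inside `ifdef(`gift.te'`, and ports 1214, 2141, 2513 and 3606 go back to the default port label. Any rule in gift.te or declaration in types/network.te that still names those three types should go in the same change, otherwise it is left dead or breaks the build. The inner hunk header change from `+133,13` to `+133,8` matches the five dropped lines.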
@@ -2657,33 +2556,9 @@
  ifdef(`xdm.te', `
  portcon tcp 5900  system_u:object_r:vnc_port_t 
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/selinux-policy-strict.spec policy-1.23.17/selinux-policy-strict.spec
---- nsapolicy/selinux-policy-strict.spec	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/selinux-policy-strict.spec	2005-05-25 11:28:29.000000000 -0400
-@@ -6,7 +6,7 @@
- 
- Summary: SELinux %{type} policy configuration
- Name: selinux-policy-%{type}
--Version: 1.23.18
-+Version: 1.23.17
- Release: 1
- License: GPL
- Group: System Environment/Base
-diff --exclude-from=exclude -N -u -r nsapolicy/selinux-policy-targeted.spec policy-1.23.17/selinux-policy-targeted.spec
---- nsapolicy/selinux-policy-targeted.spec	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/selinux-policy-targeted.spec	2005-05-25 11:28:29.000000000 -0400
-@@ -6,7 +6,7 @@
- 
- Summary: SELinux %{type} policy configuration
- Name: selinux-policy-%{type}
--Version: 1.23.18
-+Version: 1.23.17
- Release: 1
- License: GPL
- Group: System Environment/Base
-diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.17/targeted/domains/program/crond.te
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.18/targeted/domains/program/crond.te
 --- nsapolicy/targeted/domains/program/crond.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.23.17/targeted/domains/program/crond.te	2005-05-28 01:19:02.000000000 -0400
++++ policy-1.23.18/targeted/domains/program/crond.te	2005-06-08 09:04:15.000000000 -0400
 @@ -17,13 +17,11 @@
  type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
  type system_cron_spool_t, file_type, sysadmfile;
@@ -2698,9 +2573,22 @@
  file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
  file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
  allow crond_t initrc_t:dbus send_msg;
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.17/tunables/distro.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.18/targeted/domains/unconfined.te
+--- nsapolicy/targeted/domains/unconfined.te	2005-05-25 11:28:11.000000000 -0400
++++ policy-1.23.18/targeted/domains/unconfined.te	2005-06-08 09:22:54.000000000 -0400
+@@ -63,8 +63,7 @@
+ bool use_samba_home_dirs false;
+ 
+ if (allow_execmod) {
+-allow unconfined_t { ld_so_t shlib_t }:file execmod;
+-allow unconfined_t { bin_t sbin_t exec_type }:file execmod;
++allow unconfined_t file_type:file execmod;
+ }
+ 
+ ifdef(`samba.te', `samba_domain(user)')
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.18/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.17/tunables/distro.tun	2005-05-28 01:14:00.000000000 -0400
++++ policy-1.23.18/tunables/distro.tun	2005-06-08 09:04:15.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
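Review bot: `allow unconfined_t file_type:file execmod;` replaces two rules that were limited to `{ ld_so_t shlib_t }` and `{ bin_t sbin_t exec_type }`, so with `allow_execmod` set, unconfined_t may make a modified file mapping executable for a file of any type in `file_type`, not only libraries and executables. If this is meant to quiet denials for particular files, name their types instead, or add a comment above the rule explaining why the whole attribute is needed. As written the boolean is all or nothing.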
@@ -2710,9 +2598,9 @@
  
  dnl define(`distro_suse')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.17/tunables/tunable.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.18/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.17/tunables/tunable.tun	2005-05-28 01:14:00.000000000 -0400
++++ policy-1.23.18/tunables/tunable.tun	2005-06-08 09:04:15.000000000 -0400
 @@ -2,7 +2,7 @@
  dnl define(`user_can_mount')
  
@@ -2731,9 +2619,23 @@
  
  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
  # Otherwise, only staff_r can do so.
-diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.23.17/types/devpts.te
+diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.23.18/types/device.te
+--- nsapolicy/types/device.te	2005-05-25 11:28:11.000000000 -0400
++++ policy-1.23.18/types/device.te	2005-06-08 09:04:15.000000000 -0400
+@@ -154,3 +154,10 @@
+ 
+ # for other device nodes such as the NVidia binary-only driver
+ type xserver_misc_device_t, device_type, dev_fs;
++
++# for the IBM zSeries z90crypt hardware ssl accelorator
++type crypt_device_t, device_type, dev_fs;
++
++
++
++
+diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.23.18/types/devpts.te
 --- nsapolicy/types/devpts.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.17/types/devpts.te	2005-06-07 14:51:32.000000000 -0400
++++ policy-1.23.18/types/devpts.te	2005-06-08 09:04:15.000000000 -0400
 @@ -10,7 +10,7 @@
  #
  # ptmx_t is the type for /dev/ptmx.
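Review bot: the comment above `type crypt_device_t, device_type, dev_fs;` spells "accelerator" as "accelorator", and the hunk appends four empty lines to the end of types/device.te; please fix the spelling and trim the blank lines. A new device type also needs a file context entry for its device node, which is not visible in this part of the patch, so confirm one is included.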
@@ -2743,21 +2645,18 @@
  
  #
  # devpts_t is the type of the devpts file system and 
-diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.17/types/file.te
+diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.18/types/file.te
 --- nsapolicy/types/file.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.17/types/file.te	2005-06-06 11:21:44.000000000 -0400
-@@ -26,7 +26,7 @@
- type usbfs_t, mount_point, fs_type;
- type nfsd_fs_t, fs_type;
- type rpc_pipefs_t, fs_type;
--type binfmt_misc_fs_t, mount_point, fs_type;
-+type binfmt_misc_fs_t, fs_type;
++++ policy-1.23.18/types/file.te	2005-06-08 22:49:18.000000000 -0400
+@@ -325,4 +325,4 @@
+ # Type for anonymous FTP data, used by ftp and rsync
+ type ftpd_anon_t, file_type, sysadmfile, customizable;
  
- #
- # file_t is the default type of a file that has not yet been
-diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.17/types/network.te
+-
++allow customizable self:filesystem associate;
+diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.18/types/network.te
 --- nsapolicy/types/network.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.17/types/network.te	2005-06-06 11:22:45.000000000 -0400
++++ policy-1.23.18/types/network.te	2005-06-08 09:04:15.000000000 -0400
 @@ -33,15 +33,7 @@
  type ipp_port_t, port_type, reserved_port_type;
  
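Review bot: `allow customizable self:filesystem associate;` is added as the last line of types/file.te with no comment, right after the `ftpd_anon_t` declaration. Please add a line saying which case needs every `customizable` type to associate with a filesystem carrying the same type, since the rule applies to the whole attribute. This revision also drops the earlier hunk that removed `mount_point` from `binfmt_misc_fs_t`; a note on why that was backed out would help the next reader.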
@@ -2774,21 +2673,15 @@
  
  type ftp_port_t, port_type, reserved_port_type;
  type ftp_data_port_t, port_type, reserved_port_type;
-diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.17/types/security.te
+diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.18/types/security.te
 --- nsapolicy/types/security.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.17/types/security.te	2005-06-07 14:51:32.000000000 -0400
++++ policy-1.23.18/types/security.te	2005-06-08 09:04:15.000000000 -0400
 @@ -12,7 +12,7 @@
  # the permissions in the security class.  It is also
  # applied to selinuxfs inodes.
  #
 -type security_t, mount_point, fs_type;
-+type security_t, fs_type, mlstrustedobject;
++type security_t, mount_point, fs_type, mlstrustedobject;
  
  #
  # policy_config_t is the type of /etc/security/selinux/*
-diff --exclude-from=exclude -N -u -r nsapolicy/VERSION policy-1.23.17/VERSION
---- nsapolicy/VERSION	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.17/VERSION	2005-05-25 11:28:27.000000000 -0400
-@@ -1 +1 @@
--1.23.18
-+1.23.17


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.314
retrieving revision 1.315
diff -u -r1.314 -r1.315
--- selinux-policy-targeted.spec	8 Jun 2005 12:29:27 -0000	1.314
+++ selinux-policy-targeted.spec	9 Jun 2005 03:01:40 -0000	1.315
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.18
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -234,6 +234,10 @@
 exit 0
 
 %changelog
+* Wed Jun 8 2005 Dan Walsh <dwalsh redhat com> 1.23.18-2
+- Add alsa policy
+- Policy cleanup from Ivan
+
 * Mon Jun 6 2005 Dan Walsh <dwalsh redhat com> 1.23.18-1
 - Upgrade from NSA
 	* Merged minor fixes to pppd.fc and courier.te by Russell Coker.
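Review bot: the new 1.23.18-2 changelog entry lists only "Add alsa policy" and "Policy cleanup from Ivan", while the patch revision in this same commit also widens `execmod` for unconfined_t to `file_type`, adds `crypt_device_t`, and removes the extra giftd port labels. Those are behaviour changes an administrator would look for in the changelog; suggest one line for each.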

