rpms/selinux-policy-targeted/FC-4 policy-20050606.patch, 1.2, 1.3 selinux-policy-targeted.spec, 1.315, 1.316

fedora-cvs-commits at redhat.com
Sat Jun 25 10:42:31 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv28117

Modified Files:
	policy-20050606.patch selinux-policy-targeted.spec 
Log Message:
* Sat Jun 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-17
- Bump for FC4


policy-20050606.patch:
 Makefile                                 |   23 +-
 attrib.te                                |    2 
 domains/misc/kernel.te                   |    7 
 domains/misc/local.te                    |    5 
 domains/program/fsadm.te                 |    5 
 domains/program/init.te                  |    4 
 domains/program/initrc.te                |   11 +
 domains/program/klogd.te                 |    2 
 domains/program/login.te                 |    2 
 domains/program/modutil.te               |    2 
 domains/program/mount.te                 |    4 
 domains/program/restorecon.te            |    5 
 domains/program/ssh.te                   |    4 
 domains/program/syslogd.te               |    3 
 domains/program/unused/NetworkManager.te |    9 +
 domains/program/unused/acct.te           |    2 
 domains/program/unused/afs.te            |    1 
 domains/program/unused/alsa.te           |   17 ++
 domains/program/unused/amanda.te         |    7 
 domains/program/unused/amavis.te         |    5 
 domains/program/unused/apache.te         |    4 
 domains/program/unused/apmd.te           |    2 
 domains/program/unused/asterisk.te       |    2 
 domains/program/unused/auditd.te         |   10 +
 domains/program/unused/bonobo.te         |    9 +
 domains/program/unused/ciped.te          |    5 
 domains/program/unused/clamav.te         |    1 
 domains/program/unused/clockspeed.te     |    2 
 domains/program/unused/consoletype.te    |    2 
 domains/program/unused/cups.te           |   33 ++++
 domains/program/unused/cyrus.te          |    2 
 domains/program/unused/dante.te          |    1 
 domains/program/unused/dcc.te            |    3 
 domains/program/unused/ddclient.te       |    4 
 domains/program/unused/dhcpc.te          |   16 +-
 domains/program/unused/dhcpd.te          |    3 
 domains/program/unused/dictd.te          |    1 
 domains/program/unused/distcc.te         |    1 
 domains/program/unused/dovecot.te        |    4 
 domains/program/unused/ethereal.te       |   48 ++++++
 domains/program/unused/evolution.te      |   13 +
 domains/program/unused/fingerd.te        |    1 
 domains/program/unused/gatekeeper.te     |    1 
 domains/program/unused/gconf.te          |   12 +
 domains/program/unused/gift.te           |    2 
 domains/program/unused/gnome.te          |    7 
 domains/program/unused/gnome_vfs.te      |    9 +
 domains/program/unused/gpg.te            |    3 
 domains/program/unused/hotplug.te        |    2 
 domains/program/unused/howl.te           |    1 
 domains/program/unused/i18n_input.te     |    7 
 domains/program/unused/iceauth.te        |   12 +
 domains/program/unused/imazesrv.te       |    1 
 domains/program/unused/inetd.te          |    7 
 domains/program/unused/innd.te           |    1 
 domains/program/unused/ircd.te           |    1 
 domains/program/unused/jabberd.te        |    3 
 domains/program/unused/lpd.te            |    1 
 domains/program/unused/lrrd.te           |    1 
 domains/program/unused/monopd.te         |    1 
 domains/program/unused/mozilla.te        |    6 
 domains/program/unused/mysqld.te         |    4 
 domains/program/unused/named.te          |    1 
 domains/program/unused/nessusd.te        |    1 
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |    1 
 domains/program/unused/openvpn.te        |    2 
 domains/program/unused/orbit.te          |    7 
 domains/program/unused/pam.te            |    5 
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/ping.te           |    2 
 domains/program/unused/postgresql.te     |    4 
 domains/program/unused/postgrey.te       |    2 
 domains/program/unused/pppd.te           |    7 
 domains/program/unused/pxe.te            |    1 
 domains/program/unused/pyzor.te          |    2 
 domains/program/unused/radius.te         |    2 
 domains/program/unused/razor.te          |    2 
 domains/program/unused/rpcd.te           |    5 
 domains/program/unused/samba.te          |    3 
 domains/program/unused/snmpd.te          |    1 
 domains/program/unused/sound-server.te   |    1 
 domains/program/unused/spamd.te          |    1 
 domains/program/unused/squid.te          |    1 
 domains/program/unused/stunnel.te        |    1 
 domains/program/unused/tftpd.te          |    2 
 domains/program/unused/thunderbird.te    |    9 +
 domains/program/unused/transproxy.te     |    2 
 domains/program/unused/ucspi-tcp.te      |    2 
 domains/program/unused/udev.te           |    2 
 domains/program/unused/utempter.te       |    5 
 domains/program/unused/watchdog.te       |    2 
 domains/program/unused/xdm.te            |   23 ++
 domains/program/unused/xserver.te        |    3 
 domains/program/unused/zebra.te          |    1 
 domains/user.te                          |   14 +
 file_contexts/distros.fc                 |   21 --
 file_contexts/program/alsa.fc            |    3 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/bonobo.fc          |    1 
 file_contexts/program/cups.fc            |    4 
 file_contexts/program/cyrus.fc           |    1 
 file_contexts/program/ethereal.fc        |    3 
 file_contexts/program/evolution.fc       |    8 +
 file_contexts/program/fontconfig.fc      |    6 
 file_contexts/program/fsadm.fc           |    1 
 file_contexts/program/gconf.fc           |    5 
 file_contexts/program/gnome.fc           |    8 +
 file_contexts/program/gnome_vfs.fc       |    1 
 file_contexts/program/iceauth.fc         |    3 
 file_contexts/program/irc.fc             |    2 
 file_contexts/program/mozilla.fc         |    4 
 file_contexts/program/orbit.fc           |    3 
 file_contexts/program/thunderbird.fc     |    2 
 file_contexts/program/xauth.fc           |    1 
 file_contexts/program/xdm.fc             |    1 
 file_contexts/program/xserver.fc         |    2 
 file_contexts/types.fc                   |    5 
 macros/admin_macros.te                   |   12 +
 macros/base_user_macros.te               |   75 ++++++---
 macros/content_macros.te                 |  185 +++++++++++++++++++++++
 macros/global_macros.te                  |  121 +--------------
 macros/home_macros.te                    |  130 ++++++++++++++++
 macros/network_macros.te                 |    2 
 macros/program/apache_macros.te          |    4 
 macros/program/bonobo_macros.te          |  119 +++++++++++++++
 macros/program/dbusd_macros.te           |    3 
 macros/program/ethereal_macros.te        |   83 ++++++++++
 macros/program/evolution_macros.te       |  241 +++++++++++++++++++++++++++++++
 macros/program/fontconfig_macros.te      |   38 ++++
 macros/program/games_domain.te           |   38 +---
 macros/program/gconf_macros.te           |   56 +++++++
 macros/program/gift_macros.te            |   60 ++-----
 macros/program/gnome_macros.te           |  115 ++++++++++++++
 macros/program/gnome_vfs_macros.te       |   49 ++++++
 macros/program/gpg_agent_macros.te       |    1 
 macros/program/gpg_macros.te             |   45 -----
 macros/program/ice_macros.te             |   38 ++++
 macros/program/iceauth_macros.te         |   40 +++++
 macros/program/inetd_macros.te           |    1 
 macros/program/irc_macros.te             |    1 
 macros/program/lpr_macros.te             |   24 ---
 macros/program/mail_client_macros.te     |   48 ++++++
 macros/program/mozilla_macros.te         |  131 ++++++----------
 macros/program/mplayer_macros.te         |   15 +
 macros/program/orbit_macros.te           |   44 +++++
 macros/program/pyzor_macros.te           |    1 
 macros/program/razor_macros.te           |    1 
 macros/program/spamassassin_macros.te    |    9 -
 macros/program/ssh_agent_macros.te       |    3 
 macros/program/thunderbird_macros.te     |   57 +++++++
 macros/program/tvtime_macros.te          |    1 
 macros/program/userhelper_macros.te      |    3 
 macros/program/x_client_macros.te        |   12 -
 macros/program/xauth_macros.te           |    1 
 macros/program/xdm_macros.te             |   11 +
 macros/program/xserver_macros.te         |   17 +-
 macros/user_macros.te                    |    8 -
 mls                                      |   41 ++---
 net_contexts                             |  133 +++++------------
 targeted/domains/program/crond.te        |    2 
 targeted/domains/program/ssh.te          |    1 
 targeted/domains/program/xdm.te          |    1 
 targeted/domains/unconfined.te           |   10 -
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/device.te                          |    7 
 types/devpts.te                          |    2 
 types/file.te                            |    8 +
 types/network.te                         |   98 +++++++++---
 types/security.te                        |    2 
 171 files changed, 1998 insertions(+), 732 deletions(-)

Index: policy-20050606.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/policy-20050606.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050606.patch	17 Jun 2005 03:45:33 -0000	1.2
+++ policy-20050606.patch	25 Jun 2005 10:42:28 -0000	1.3
@@ -205,8 +205,14 @@
 -
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.18/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/ssh.te	2005-06-08 09:04:15.000000000 -0400
-@@ -25,7 +25,7 @@
++++ policy-1.23.18/domains/program/ssh.te	2005-06-18 06:38:47.000000000 -0400
+@@ -19,13 +19,11 @@
+ type sshd_exec_t, file_type, exec_type, sysadmfile;
+ type sshd_key_t, file_type, sysadmfile;
+ 
+-type ssh_port_t, port_type, reserved_port_type;
+-
+ define(`sshd_program_domain', `
  # privowner is for changing the identity on the terminal device
  # privfd is for passing the terminal file handle to the user process
  # auth_chkpwd is for running unix_chkpwd and unix_verify.
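Review bot: the `-type ssh_port_t, port_type, reserved_port_type;` line is dropped from ssh.te with no replacement in this hunk, so every later reference to ssh_port_t now depends on the type being declared somewhere central; the diffstat's `types/network.te | 98 +++++++++---` suggests that is where the port types moved, but this hunk should be reviewed together with that file so the targeted build cannot fail on an undeclared type. A short comment at the top of the `sshd_program_domain` block saying where port types now live would save the next reader the same search.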
@@ -217,7 +223,7 @@
  role system_r types $1_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.18/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/syslogd.te	2005-06-08 09:04:15.000000000 -0400
++++ policy-1.23.18/domains/program/syslogd.te	2005-06-18 06:38:54.000000000 -0400
 @@ -25,7 +25,7 @@
  
  r_dir_file(syslogd_t, sysfs_t)
@@ -227,6 +233,14 @@
  
  # if something can log to syslog they should be able to log to the console
  allow privlog console_device_t:chr_file { ioctl read write getattr };
+@@ -86,7 +86,6 @@
+ allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
+ 
+ # Allow name_bind for remote logging
+-type syslogd_port_t, port_type, reserved_port_type;
+ allow syslogd_t syslogd_port_t:udp_socket name_bind;
+ #
+ # /initrd is not umounted before minilog starts
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.23.18/domains/program/unused/acct.te
 --- nsapolicy/domains/program/unused/acct.te	2005-04-27 10:28:49.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/acct.te	2005-06-08 09:04:15.000000000 -0400
@@ -239,6 +253,17 @@
  
  allow acct_t self:capability sys_pacct;
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/afs.te policy-1.23.18/domains/program/unused/afs.te
+--- nsapolicy/domains/program/unused/afs.te	2005-05-02 10:57:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/afs.te	2005-06-23 16:35:33.000000000 -0400
+@@ -18,7 +18,6 @@
+ define(`afs_server_domain',`
+ type afs_$1server_t, domain $2;
+ type afs_$1server_exec_t, file_type, sysadmfile;
+-type afs_$1_port_t, port_type;
+ 
+ role system_r types afs_$1server_t;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.23.18/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/alsa.te	2005-06-08 14:42:59.000000000 -0400
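Review bot: removing `type afs_$1_port_t, port_type;` from inside the `afs_server_domain` macro means each instantiation of the macro now expects a pre-declared `afs_<$1>_port_t`; the central port declarations must cover every `$1` value the macro is invoked with, since the first missing one aborts the policy compile rather than failing at runtime. A comment in the macro pointing at the file that now declares these types would make the dependency explicit.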
@@ -260,9 +285,60 @@
 +allow alsa_t devpts_t:chr_file { read write };
 +allow alsa_t etc_t:file { getattr read };
 +domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.18/domains/program/unused/amanda.te
+--- nsapolicy/domains/program/unused/amanda.te	2005-06-01 06:11:22.000000000 -0400
++++ policy-1.23.18/domains/program/unused/amanda.te	2005-06-18 06:35:10.000000000 -0400
+@@ -31,7 +31,7 @@
+ # General declarations
+ ######################
+ 
+-type amanda_t, domain, privlog, auth, nscd_client_domain;
++type amanda_t, domain, privlog, auth, fs_domain, nscd_client_domain;
+ role system_r types amanda_t;
+ 
+ # type for the amanda executables
+@@ -167,7 +167,8 @@
+ 
+ can_network_server(amanda_t);
+ can_ypbind(amanda_t);
+-
++can_exec(amanda_t, sbin_t);
++	
+ allow amanda_t self:fifo_file { getattr read write ioctl lock };
+ allow amanda_t self:unix_stream_socket { connect create read write };
+ 
+@@ -298,12 +299,12 @@
+ #
+ #  Rules to allow amanda to be run as a service in xinetd
+ #
+-type amanda_port_t, port_type;
+ allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
+ 
+ allow amanda_t file_type:dir {getattr read search };
+ allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+ allow amanda_t device_type:{ blk_file chr_file } getattr;
++allow amanda_t fixed_disk_device_t:blk_file read;
+ domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+ 
+ dontaudit amanda_t file_type:sock_file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.18/domains/program/unused/amavis.te
+--- nsapolicy/domains/program/unused/amavis.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/amavis.te	2005-06-18 06:39:01.000000000 -0400
+@@ -15,11 +15,6 @@
+ # Virus and spam found and quarantined.
+ type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
+ 
+-# Differentiate between the port where amavisd receives mail, and the
+-# port where it returns cleaned mail back to the MTA.
+-type amavisd_recv_port_t, port_type, reserved_port_type;
+-type amavisd_send_port_t, port_type, reserved_port_type;
+-
+ daemon_domain(amavisd)
+ tmp_domain(amavisd)
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.18/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/apache.te	2005-06-08 09:04:15.000000000 -0400
++++ policy-1.23.18/domains/program/unused/apache.te	2005-06-20 14:20:15.000000000 -0400
 @@ -86,6 +86,8 @@
  
  read_sysctl(httpd_t)
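Review bot: the amanda changes widen the domain in three separate ways (`fs_domain` added to `amanda_t`, `can_exec(amanda_t, sbin_t);`, and `allow amanda_t fixed_disk_device_t:blk_file read;`) without a comment saying which backup operation needs each; raw read of the fixed disk device bypasses every file-level label, so a one-line justification next to that rule would help later audits. Also the line inserted after `can_exec` is `+` followed by a bare tab, i.e. trailing whitespace where an empty line was intended.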
@@ -272,18 +348,72 @@
  # for modules that want to access /etc/mtab and /proc/meminfo
  allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
  
+@@ -363,7 +365,9 @@
+ 
+ if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
++')
+ }
+ if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.18/domains/program/unused/apmd.te
+--- nsapolicy/domains/program/unused/apmd.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/apmd.te	2005-06-23 11:55:58.000000000 -0400
+@@ -30,7 +30,7 @@
+ role system_r types apm_t;
+ 
+ allow apmd_t device_t:lnk_file read;
+-allow apmd_t proc_t:file { getattr read };
++allow apmd_t proc_t:file { getattr read write };
+ can_sysctl(apmd_t)
+ allow apmd_t sysfs_t:file write;
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/asterisk.te policy-1.23.18/domains/program/unused/asterisk.te
+--- nsapolicy/domains/program/unused/asterisk.te	2005-04-27 10:28:49.000000000 -0400
++++ policy-1.23.18/domains/program/unused/asterisk.te	2005-06-18 06:39:01.000000000 -0400
+@@ -4,8 +4,6 @@
+ #
+ # X-Debian-Packages: asterisk
+ 
+-type asterisk_port_t, port_type;
+-
+ daemon_domain(asterisk)
+ allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
+ allow initrc_t asterisk_var_run_t:fifo_file unlink;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.18/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/auditd.te	2005-06-16 22:40:17.000000000 -0400
-@@ -16,7 +16,7 @@
++++ policy-1.23.18/domains/program/unused/auditd.te	2005-06-23 13:30:06.000000000 -0400
+@@ -14,9 +14,9 @@
+ 
+ allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
  allow auditd_t self:unix_dgram_socket create_socket_perms;
- allow auditd_t self:capability { audit_write audit_control sys_nice };
+-allow auditd_t self:capability { audit_write audit_control sys_nice };
++allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
  allow auditd_t self:process setsched;
 -allow auditd_t self:file { getattr read };
 +allow auditd_t self:file { getattr read write };
  allow auditd_t etc_t:file { getattr read };
  
  # Do not use logdir_domain since this is a security file
+@@ -27,6 +27,10 @@
+ can_exec(auditd_t, init_exec_t)
+ allow auditd_t initctl_t:fifo_file write;
+ 
++ifdef(`targeted_policy', `
++dontaudit auditd_t unconfined_t:fifo_file read;
++')
++
+ type auditctl_t, domain, privlog;
+ type auditctl_exec_t, file_type, exec_type, sysadmfile;
+ uses_shlib(auditctl_t)
+@@ -59,3 +63,5 @@
+ dontaudit auditctl_t init_t:fd use; 
+ allow auditctl_t initrc_devpts_t:chr_file { read write };
+ allow auditctl_t privfd:fd use;
++
++
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bonobo.te policy-1.23.18/domains/program/unused/bonobo.te
 --- nsapolicy/domains/program/unused/bonobo.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/bonobo.te	2005-06-08 09:04:15.000000000 -0400
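Review bot: `allow apmd_t proc_t:file { getattr read write };` grants write on every file labelled proc_t rather than the one node apmd needs; with `can_sysctl(apmd_t)` and `allow apmd_t sysfs_t:file write;` immediately following, check whether the generic proc_t write is really required or whether the target /proc entry could carry its own type. In the auditd part of the same hunk, the two trailing `+` lines in `@@ -59,3 +63,5 @@` add only empty lines at end of file and should be dropped; the new `sys_resource` capability and the targeted-only `dontaudit auditd_t unconfined_t:fifo_file read;` are reasonable, but a comment on where that fifo denial comes from would keep the dontaudit from being mistaken for a missing allow.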
@@ -297,6 +427,45 @@
 +type bonobo_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/bonobo_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ciped.te policy-1.23.18/domains/program/unused/ciped.te
+--- nsapolicy/domains/program/unused/ciped.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ciped.te	2005-06-18 06:39:01.000000000 -0400
+@@ -5,12 +5,7 @@
+ # for SSP
+ allow ciped_t urandom_device_t:chr_file read;
+ 
+-ifdef(`afs.te',`
+-allow ciped_t afs_bos_port_t:udp_socket name_bind;
+-',`
+-type cipe_port_t, port_type;
+ allow ciped_t cipe_port_t:udp_socket name_bind;
+-')
+ 
+ can_network_udp(ciped_t)
+ can_ypbind(ciped_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.18/domains/program/unused/clamav.te
+--- nsapolicy/domains/program/unused/clamav.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/clamav.te	2005-06-18 06:39:01.000000000 -0400
+@@ -115,7 +115,6 @@
+ ')
+ 
+ # Clamd can be configured to listen on a TCP port.
+-type clamd_port_t, port_type, reserved_port_type;
+ can_network_server_tcp(clamd_t, clamd_port_t)
+ allow clamd_t clamd_port_t:tcp_socket name_bind;
+ can_resolve(clamd_t);
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.23.18/domains/program/unused/clockspeed.te
+--- nsapolicy/domains/program/unused/clockspeed.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/clockspeed.te	2005-06-18 06:39:01.000000000 -0400
+@@ -3,8 +3,6 @@
+ # Author Petre Rodan <kaiowas at gentoo.org>
+ #
+ 
+-type clockspeed_port_t, port_type;
+-
+ daemon_base_domain(clockspeed)
+ var_lib_domain(clockspeed)
+ can_network(clockspeed_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.18/domains/program/unused/consoletype.te
 --- nsapolicy/domains/program/unused/consoletype.te	2005-05-07 00:41:09.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/consoletype.te	2005-06-08 09:04:15.000000000 -0400
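Review bot: in ciped.te the `ifdef(`afs.te', ...)` alternative is removed, so ciped_t now binds `cipe_port_t` unconditionally instead of `afs_bos_port_t` when afs is present; the old branch most likely existed because two modules could not each declare a type for the same port, so with declarations centralised the net_contexts entry for ciped's port must name `cipe_port_t`, otherwise the `name_bind` is denied on systems that also build afs. The clamav and clockspeed removals follow the same centralisation pattern and look fine as long as those types are declared centrally.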
@@ -311,13 +480,12 @@
  role system_r types consoletype_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.18/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/cups.te	2005-06-15 11:14:26.000000000 -0400
-@@ -150,6 +150,12 @@
++++ policy-1.23.18/domains/program/unused/cups.te	2005-06-23 08:54:40.000000000 -0400
+@@ -150,6 +150,11 @@
  allow ptal_t self:capability { chown sys_rawio };
  allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
  allow ptal_t self:unix_stream_socket { listen accept };
 +can_network_server_tcp(ptal_t)
-+type ptal_port_t, port_type, reserved_port_type;
 +allow ptal_t ptal_port_t:tcp_socket name_bind;
 +allow userdomain ptal_t:unix_stream_socket connectto;
 +allow userdomain ptal_var_run_t:sock_file write;
@@ -325,12 +493,11 @@
  allow ptal_t self:fifo_file rw_file_perms;
  allow ptal_t device_t:dir read;
  allow ptal_t printer_device_t:chr_file rw_file_perms;
-@@ -166,6 +172,30 @@
+@@ -166,6 +171,29 @@
  allow initrc_t ptal_var_run_t:fifo_file unlink;
  
  
 +# HPLIP
-+type hplip_port_t, port_type, reserved_port_type;
 +daemon_domain(hplip)
 +etcdir_domain(hplip)
 +allow hplip_t etc_t:file r_file_perms;
@@ -356,10 +523,76 @@
  dontaudit cupsd_t selinux_config_t:dir search;
  dontaudit cupsd_t selinux_config_t:file { getattr read };
  
+@@ -273,3 +301,8 @@
+ allow unconfined_t cupsd_config_t:dbus send_msg;
+ allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
+ ')
++typealias printer_port_t alias cupsd_lpd_port_t;
++inetd_child_domain(cupsd_lpd)
++allow inetd_t printer_port_t:tcp_socket name_bind;
++r_dir_file(cupsd_lpd_t, cupsd_etc_t)
++allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.23.18/domains/program/unused/cyrus.te
+--- nsapolicy/domains/program/unused/cyrus.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/cyrus.te	2005-06-23 12:06:22.000000000 -0400
+@@ -42,3 +42,5 @@
+ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
+ ')
+ allow cyrus_t mail_port_t:tcp_socket name_bind;
++create_dir_file(cyrus_t, mail_spool_t)
++
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dante.te policy-1.23.18/domains/program/unused/dante.te
+--- nsapolicy/domains/program/unused/dante.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dante.te	2005-06-18 06:39:01.000000000 -0400
+@@ -4,7 +4,6 @@
+ #
+ 
+ type dante_conf_t, file_type, sysadmfile;
+-type socks_port_t, port_type;
+ 
+ daemon_domain(dante)
+ can_network_server(dante_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dcc.te policy-1.23.18/domains/program/unused/dcc.te
+--- nsapolicy/domains/program/unused/dcc.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dcc.te	2005-06-18 06:39:01.000000000 -0400
+@@ -7,9 +7,6 @@
+ # /var/lib/dcc.  For now this policy supports both directories being
+ # writable.
+ 
+-# Ports used by dcc
+-type dcc_port_t, port_type, reserved_port_type;
+-
+ # Files common to all dcc programs
+ type dcc_client_map_t, file_type, sysadmfile;
+ type dcc_var_t, file_type, sysadmfile;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.23.18/domains/program/unused/ddclient.te
+--- nsapolicy/domains/program/unused/ddclient.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ddclient.te	2005-06-19 23:27:20.000000000 -0400
+@@ -26,9 +26,9 @@
+ allow ddclient_t etc_t:file { getattr read };
+ allow ddclient_t etc_runtime_t:file r_file_perms;
+ allow ddclient_t ifconfig_exec_t:file { rx_file_perms execute_no_trans };
+-allow ddclient_t urandom_device_t:chr_file { read };
++allow ddclient_t urandom_device_t:chr_file read;
+ general_proc_read_access(ddclient_t)
+-allow ddclient_t sysctl_net_t:dir { search };
++allow ddclient_t sysctl_net_t:dir search;
+ 
+ # network-related goodies
+ can_network_client(ddclient_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.18/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/dhcpc.te	2005-06-16 17:52:55.000000000 -0400
-@@ -68,6 +68,9 @@
++++ policy-1.23.18/domains/program/unused/dhcpc.te	2005-06-18 06:35:34.000000000 -0400
+@@ -15,8 +15,6 @@
+ # dhcpc_exec_t is the type of the dhcpcd executable.
+ # The dhcpc_t can be used for other DHCPC related files as well.
+ #
+-type dhcpc_port_t, port_type, reserved_port_type;
+-
+ daemon_domain(dhcpc, `, privuser')
+ 
+ # for SSP
+@@ -68,6 +66,9 @@
  ifdef(`cardmgr.te', `
  allow ping_t cardmgr_t:fd use;
  ') dnl end if cardmgr
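Review bot: the cupsd_lpd additions (`typealias printer_port_t alias cupsd_lpd_port_t;`, `inetd_child_domain(cupsd_lpd)`, `allow inetd_t printer_port_t:tcp_socket name_bind;`, `r_dir_file(cupsd_lpd_t, cupsd_etc_t)`, `allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;`) are appended directly after the closing `')` of the targeted_policy block with no heading; a short comment like the `# HPLIP` one used earlier in cups.te would make clear that these rules apply to both policies. In cyrus.te, `create_dir_file(cyrus_t, mail_spool_t)` is appropriate for a server writing its own spool, but the extra empty `+` line after it at end of file should go.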
@@ -369,7 +602,7 @@
  ') dnl end if ping
  
  ifdef(`dhcpd.te', `', `
-@@ -127,7 +130,7 @@
+@@ -127,7 +128,7 @@
  ifdef(`hostname.te', `
  domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
  ')
@@ -378,7 +611,7 @@
  allow dhcpc_t { userdomain kernel_t }:fd use;
  
  allow dhcpc_t home_root_t:dir search;
-@@ -143,10 +146,17 @@
+@@ -143,10 +144,17 @@
  can_exec(dhcpc_t, initrc_exec_t)
  ifdef(`ypbind.te', `
  domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
@@ -397,6 +630,55 @@
 +allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
 +allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
 +')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.23.18/domains/program/unused/dhcpd.te
+--- nsapolicy/domains/program/unused/dhcpd.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dhcpd.te	2005-06-18 06:35:46.000000000 -0400
+@@ -20,9 +20,6 @@
+ allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
+ 
+ # for UDP port 4011
+-ifdef(`pxe.te', `', `
+-type pxe_port_t, port_type;
+-')
+ allow dhcpd_t pxe_port_t:udp_socket name_bind;
+ 
+ type dhcp_etc_t, file_type, sysadmfile, usercanread;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dictd.te policy-1.23.18/domains/program/unused/dictd.te
+--- nsapolicy/domains/program/unused/dictd.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dictd.te	2005-06-18 06:35:54.000000000 -0400
+@@ -10,7 +10,6 @@
+ #
+ # dictd_exec_t is the type of the dictd executable.
+ #
+-type dict_port_t, port_type;
+ daemon_base_domain(dictd)
+ type dictd_var_lib_t, file_type, sysadmfile;
+ typealias dictd_var_lib_t alias var_lib_dictd_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/distcc.te policy-1.23.18/domains/program/unused/distcc.te
+--- nsapolicy/domains/program/unused/distcc.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/distcc.te	2005-06-18 06:39:01.000000000 -0400
+@@ -9,7 +9,6 @@
+ log_domain(distccd)
+ tmp_domain(distccd)
+ 
+-type distccd_port_t, port_type;
+ allow distccd_t distccd_port_t:tcp_socket name_bind;
+ allow distccd_t self:capability { setgid setuid };
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.18/domains/program/unused/dovecot.te
+--- nsapolicy/domains/program/unused/dovecot.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dovecot.te	2005-06-18 06:19:10.000000000 -0400
+@@ -52,6 +52,10 @@
+ # Dovecot auth daemon
+ #
+ daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
++can_ldap(dovecot_auth_t)
++can_ypbind(dovecot_auth_t)
++can_kerberos(dovecot_auth_t)
++can_resolve(dovecot_auth_t)
+ allow dovecot_auth_t self:process { fork signal_perms };
+ allow dovecot_auth_t self:capability { setgid setuid };
+ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ethereal.te policy-1.23.18/domains/program/unused/ethereal.te
 --- nsapolicy/domains/program/unused/ethereal.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/ethereal.te	2005-06-13 11:53:36.000000000 -0400
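Review bot: dovecot_auth_t gains `can_ldap`, `can_ypbind`, `can_kerberos` and `can_resolve` unconditionally and without a comment; each opens a network path from the authentication sub-domain, so a note on which backends motivated them would help, and any that are optional could be gated behind the relevant `ifdef` as other domains in this patch do. In dhcpd.te the `ifdef(`pxe.te', ...)` fallback that declared `pxe_port_t` is gone, so the central declaration must exist whether or not pxe.te is built.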
@@ -466,6 +748,28 @@
 +type evolution_exchange_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/evolution_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fingerd.te policy-1.23.18/domains/program/unused/fingerd.te
+--- nsapolicy/domains/program/unused/fingerd.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/fingerd.te	2005-06-18 06:36:01.000000000 -0400
+@@ -12,7 +12,6 @@
+ #
+ daemon_domain(fingerd)
+ 
+-type fingerd_port_t, port_type, reserved_port_type;
+ etcdir_domain(fingerd)
+ 
+ allow fingerd_t etc_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gatekeeper.te policy-1.23.18/domains/program/unused/gatekeeper.te
+--- nsapolicy/domains/program/unused/gatekeeper.te	2005-04-27 10:28:50.000000000 -0400
++++ policy-1.23.18/domains/program/unused/gatekeeper.te	2005-06-18 06:39:01.000000000 -0400
+@@ -15,7 +15,6 @@
+ # for SSP
+ allow gatekeeper_t urandom_device_t:chr_file read;
+ 
+-type gatekeeper_port_t, port_type;
+ etc_domain(gatekeeper)
+ allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
+ logdir_domain(gatekeeper)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gconf.te policy-1.23.18/domains/program/unused/gconf.te
 --- nsapolicy/domains/program/unused/gconf.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/gconf.te	2005-06-08 09:04:15.000000000 -0400
@@ -484,14 +788,13 @@
 +# Everything else is in macros/gconfd_macros.te
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gift.te policy-1.23.18/domains/program/unused/gift.te
 --- nsapolicy/domains/program/unused/gift.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/gift.te	2005-06-13 11:53:36.000000000 -0400
-@@ -5,5 +5,6 @@
- 
++++ policy-1.23.18/domains/program/unused/gift.te	2005-06-18 06:39:01.000000000 -0400
+@@ -6,4 +6,4 @@
  type gift_exec_t, file_type, exec_type, sysadmfile;
  type giftd_exec_t, file_type, exec_type, sysadmfile;
-+type giftd_port_t, port_type;
  
- # Everything else is in macros/gift_macros.te
+-# Everything else is in macros/gift_macros.te
++# Everything else is in macros/program/gift_macros.te
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gnome.te policy-1.23.18/domains/program/unused/gnome.te
 --- nsapolicy/domains/program/unused/gnome.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/gnome.te	2005-06-08 09:04:15.000000000 -0400
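Review bot: the comment fix to `macros/program/gift_macros.te` matches the diffstat, but the same patch still leaves `# Everything else is in macros/bonobo_macros.te` in bonobo.te, `# Everything else is in macros/evolution_macros.te` in evolution.te and `# Everything else is in macros/gconfd_macros.te` in gconf.te, while the diffstat lists those files as `macros/program/bonobo_macros.te`, `macros/program/evolution_macros.te` and `macros/program/gconf_macros.te`; the same path correction (and the gconfd/gconf name) should be applied there.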
@@ -540,14 +843,45 @@
  allow hotplug_t sysfs_t:lnk_file { getattr read };
  allow hotplug_t udev_runtime_t:file rw_file_perms;
  ifdef(`lpd.te', `
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/howl.te policy-1.23.18/domains/program/unused/howl.te
+--- nsapolicy/domains/program/unused/howl.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/howl.te	2005-06-18 06:36:08.000000000 -0400
+@@ -12,7 +12,6 @@
+ 
+ allow howl_t self:fifo_file rw_file_perms;
+ 
+-type howl_port_t, port_type;
+ allow howl_t howl_port_t:{ udp_socket tcp_socket } name_bind;
+ 
+ allow howl_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.18/domains/program/unused/i18n_input.te
 --- nsapolicy/domains/program/unused/i18n_input.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/i18n_input.te	2005-06-08 09:04:15.000000000 -0400
-@@ -30,3 +30,4 @@
++++ policy-1.23.18/domains/program/unused/i18n_input.te	2005-06-18 06:36:19.000000000 -0400
+@@ -2,9 +2,6 @@
+ # Security Policy for IIIMF htt server
+ # Date: 2004, 12th April (Monday)
+ 
+-# Types for server port
+-type i18n_input_port_t, port_type;
+-
+ # Establish i18n_input as a daemon
+ daemon_domain(i18n_input)
+ 
+@@ -23,6 +20,7 @@
+ allow i18n_input_t self:process { setsched setpgid };
+ 
+ allow i18n_input_t { bin_t sbin_t }:dir search;
++can_exec(i18n_input_t, bin_t)
+ 
+ allow i18n_input_t etc_t:file r_file_perms;
+ allow i18n_input_t self:unix_dgram_socket create_socket_perms;
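Review bot: `can_exec(i18n_input_t, bin_t)` lets the htt server execute every binary labelled bin_t, which is far broader than the `{ bin_t sbin_t }:dir search` it is placed under. If only one or two helper programs are needed, give them their own exec type or at least record in a comment which programs produced the denial, so the grant can be narrowed later; a blanket can_exec on bin_t is hard to tighten once it has shipped.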
+@@ -30,3 +28,6 @@
  allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
  allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
  allow i18n_input_t usr_t:file { getattr read };
 +allow i18n_input_t home_root_t:dir search;
++allow i18n_input_t etc_runtime_t:file { getattr read };
++allow i18n_input_t proc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/iceauth.te policy-1.23.18/domains/program/unused/iceauth.te
 --- nsapolicy/domains/program/unused/iceauth.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/iceauth.te	2005-06-08 09:04:15.000000000 -0400
@@ -564,9 +898,44 @@
 +
 +# Everything else is in the iceauth_domain macro in
 +# macros/program/iceauth_macros.te.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/imazesrv.te policy-1.23.18/domains/program/unused/imazesrv.te
+--- nsapolicy/domains/program/unused/imazesrv.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/imazesrv.te	2005-06-18 06:39:01.000000000 -0400
+@@ -15,7 +15,6 @@
+ 
+ r_dir_file(imazesrv_t, imazesrv_data_t)
+ 
+-type imaze_port_t, port_type;
+ allow imazesrv_t imaze_port_t:tcp_socket name_bind;
+ allow imazesrv_t imaze_port_t:udp_socket name_bind;
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.23.18/domains/program/unused/inetd.te
+--- nsapolicy/domains/program/unused/inetd.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/inetd.te	2005-06-23 11:46:24.000000000 -0400
+@@ -10,12 +10,6 @@
+ # Rules for the inetd_t domain and
+ # the inetd_child_t domain.
+ #
+-type biff_port_t, port_type, reserved_port_type;
+-
+-#################################
+-#
+-# Rules for the inetd_t domain.
+-#
+ 
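Review bot: biff_port_t carried reserved_port_type as well as port_type, and so do printer_port_t, rndc_port_t, ntp_port_t, pyzor_port_t, razor_port_t, snmp_port_t, spamd_port_t and tftp_port_t removed in the other hunks of this patch. When these types are redeclared centrally that attribute must be preserved, otherwise every rule written against reserved_port_type silently stops covering those ports. Removing the `# Rules for the inetd_t domain.` banner along with the declaration is fine, since the header just above still names both domains.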
+ daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
+ 
+@@ -51,6 +45,7 @@
+ allow inetd_t ntalk_port_t:tcp_socket name_bind;
+ ')
+ 
++allow inetd_t auth_port_t:tcp_socket name_bind;
+ # Communicate with the portmapper.
+ ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
+ 
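Review bot: `allow inetd_t auth_port_t:tcp_socket name_bind;` is added unconditionally, while the neighbouring ntalk_port_t bind sits inside a conditional (the `')` that closes it is visible just above). Unless every inetd deployment is expected to offer the auth/ident service, gate this bind the same way so inetd_t does not get a reserved-port name_bind on hosts that never run it, and add a one-line comment naming the service the rule is for.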
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.23.18/domains/program/unused/innd.te
 --- nsapolicy/domains/program/unused/innd.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/innd.te	2005-06-16 23:11:43.000000000 -0400
++++ policy-1.23.18/domains/program/unused/innd.te	2005-06-18 06:36:55.000000000 -0400
 @@ -7,7 +7,6 @@
  
  # Types for the server port and news spool.
@@ -575,6 +944,63 @@
  type news_spool_t, file_type, sysadmfile;
  
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ircd.te policy-1.23.18/domains/program/unused/ircd.te
+--- nsapolicy/domains/program/unused/ircd.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ircd.te	2005-06-18 06:39:01.000000000 -0400
+@@ -12,7 +12,6 @@
+ #
+ daemon_domain(ircd)
+ 
+-type ircd_port_t, port_type;
+ allow ircd_t ircd_port_t:tcp_socket name_bind;
+ 
+ etcdir_domain(ircd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/jabberd.te policy-1.23.18/domains/program/unused/jabberd.te
+--- nsapolicy/domains/program/unused/jabberd.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/jabberd.te	2005-06-18 06:39:01.000000000 -0400
+@@ -7,9 +7,6 @@
+ logdir_domain(jabberd)
+ var_lib_domain(jabberd)
+ 
+-type jabber_client_port_t, port_type;
+-type jabber_interserver_port_t, port_type;
+-
+ allow jabberd_t jabber_client_port_t:tcp_socket name_bind;
+ allow jabberd_t jabber_interserver_port_t:tcp_socket name_bind;
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.23.18/domains/program/unused/lpd.te
+--- nsapolicy/domains/program/unused/lpd.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/lpd.te	2005-06-18 06:37:40.000000000 -0400
+@@ -15,7 +15,6 @@
+ # printer_t is the type of the Unix domain socket created
+ # by lpd.
+ #
+-type printer_port_t, port_type, reserved_port_type;
+ daemon_domain(lpd)
+ 
+ allow lpd_t lpd_var_run_t:sock_file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lrrd.te policy-1.23.18/domains/program/unused/lrrd.te
+--- nsapolicy/domains/program/unused/lrrd.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/lrrd.te	2005-06-18 06:39:01.000000000 -0400
+@@ -16,7 +16,6 @@
+ 
+ etcdir_domain(lrrd)
+ type lrrd_var_lib_t, file_type, sysadmfile;
+-type lrrd_port_t, port_type;
+ 
+ log_domain(lrrd)
+ tmp_domain(lrrd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/monopd.te policy-1.23.18/domains/program/unused/monopd.te
+--- nsapolicy/domains/program/unused/monopd.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/monopd.te	2005-06-18 06:39:01.000000000 -0400
+@@ -20,7 +20,6 @@
+ can_network_server(monopd_t)
+ can_ypbind(monopd_t)
+ 
+-type monopd_port_t, port_type;
+ allow monopd_t monopd_port_t:tcp_socket name_bind;
+ 
+ r_dir_file(monopd_t,share_monopd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.23.18/domains/program/unused/mozilla.te
 --- nsapolicy/domains/program/unused/mozilla.te	2005-04-27 10:28:51.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/mozilla.te	2005-06-16 14:02:17.000000000 -0400
@@ -593,24 +1019,48 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.18/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/mysqld.te	2005-06-15 16:29:50.000000000 -0400
-@@ -10,7 +10,7 @@
++++ policy-1.23.18/domains/program/unused/mysqld.te	2005-06-18 06:38:06.000000000 -0400
+@@ -10,9 +10,8 @@
  #
  # mysqld_exec_t is the type of the mysqld executable.
  #
 -daemon_domain(mysqld)
 +daemon_domain(mysqld, `, nscd_client_domain')
  
- type mysqld_port_t, port_type;
+-type mysqld_port_t, port_type;
  allow mysqld_t mysqld_port_t:tcp_socket name_bind;
-@@ -89,3 +89,4 @@
+ 
+ allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
+@@ -89,3 +88,4 @@
  }
  ')
  
 +allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.18/domains/program/unused/named.te
+--- nsapolicy/domains/program/unused/named.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/named.te	2005-06-18 06:38:11.000000000 -0400
+@@ -10,7 +10,6 @@
+ #
+ # Rules for the named_t domain.
+ #
+-type rndc_port_t, port_type, reserved_port_type;
+ 
+ daemon_domain(named, `, nscd_client_domain')
+ tmp_domain(named)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nessusd.te policy-1.23.18/domains/program/unused/nessusd.te
+--- nsapolicy/domains/program/unused/nessusd.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/nessusd.te	2005-06-18 06:39:01.000000000 -0400
+@@ -15,7 +15,6 @@
+ etc_domain(nessusd)
+ type nessusd_db_t, file_type, sysadmfile;
+ 
+-type nessus_port_t, port_type;
+ allow nessusd_t nessus_port_t:tcp_socket name_bind;
+ 
+ #tmp_domain(nessusd)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.23.18/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/NetworkManager.te	2005-06-16 17:52:42.000000000 -0400
++++ policy-1.23.18/domains/program/unused/NetworkManager.te	2005-06-17 23:59:45.000000000 -0400
 @@ -42,6 +42,7 @@
  allow named_t NetworkManager_t:udp_socket { read write };
  allow named_t NetworkManager_t:netlink_route_socket { read write };
@@ -619,7 +1069,15 @@
  ')
  
  allow NetworkManager_t selinux_config_t:dir search;
-@@ -70,7 +71,7 @@
+@@ -50,6 +51,7 @@
+ ifdef(`dbusd.te', `
+ dbusd_client(system, NetworkManager)
+ allow NetworkManager_t system_dbusd_t:dbus { acquire_svc send_msg };
++allow NetworkManager_t self:dbus send_msg;
+ ifdef(`hald.te', `
+ allow NetworkManager_t hald_t:dbus send_msg;
+ allow hald_t NetworkManager_t:dbus send_msg;
+@@ -70,7 +72,7 @@
  
  allow NetworkManager_t { sbin_t bin_t }:dir search;
  allow NetworkManager_t bin_t:lnk_file read;
@@ -628,11 +1086,15 @@
  
  # in /etc created by NetworkManager will be labelled net_conf_t.
  file_type_auto_trans(NetworkManager_t, etc_t, net_conf_t, file)
-@@ -91,3 +92,4 @@
+@@ -91,3 +93,8 @@
  allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
  
  domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
 +domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
++ifdef(`vpnc.te', `
++domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
++')
++
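Review bot: the new `domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)` is correctly guarded by `ifdef(`vpnc.te'`, but the dhcpc transition right above it is not; if dhcpc.te can be absent from a build, guard it the same way, since domain_auto_trans on an undeclared type fails at compile time. The final `+` line also adds a trailing blank line at the end of the file, which is a style nit worth dropping.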
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.18/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-04-27 10:28:52.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/nscd.te	2005-06-16 23:20:22.000000000 -0400
@@ -641,6 +1103,29 @@
  allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
  log_domain(nscd)
 +r_dir_file(nscd_t, cert_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.18/domains/program/unused/ntpd.te
+--- nsapolicy/domains/program/unused/ntpd.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ntpd.te	2005-06-18 06:38:19.000000000 -0400
+@@ -10,7 +10,6 @@
+ #
+ daemon_domain(ntpd, `, nscd_client_domain')
+ type ntp_drift_t, file_type, sysadmfile;
+-type ntp_port_t, port_type, reserved_port_type;
+ 
+ type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+ domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openvpn.te policy-1.23.18/domains/program/unused/openvpn.te
+--- nsapolicy/domains/program/unused/openvpn.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/openvpn.te	2005-06-18 06:39:01.000000000 -0400
+@@ -8,8 +8,6 @@
+ daemon_domain(openvpn)
+ etcdir_domain(openvpn)
+ 
+-type openvpn_port_t, port_type;
+-
+ allow openvpn_t { etc_t etc_runtime_t }:{ file lnk_file } r_file_perms;
+ 
+ allow openvpn_t { random_device_t urandom_device_t }:chr_file { read getattr };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/orbit.te policy-1.23.18/domains/program/unused/orbit.te
 --- nsapolicy/domains/program/unused/orbit.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/orbit.te	2005-06-08 09:04:15.000000000 -0400
@@ -688,6 +1173,121 @@
  can_ypbind(ping_t)
  allow ping_t etc_t:file { getattr read };
  allow ping_t self:unix_stream_socket create_socket_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.23.18/domains/program/unused/postgresql.te
+--- nsapolicy/domains/program/unused/postgresql.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/postgresql.te	2005-06-23 11:47:31.000000000 -0400
+@@ -10,7 +10,6 @@
+ #
+ # postgresql_exec_t is the type of the postgresql executable.
+ #
+-type postgresql_port_t, port_type;
+ daemon_domain(postgresql)
+ allow initrc_t postgresql_exec_t:lnk_file read;
+ allow postgresql_t usr_t:file { getattr read };
+@@ -51,7 +50,7 @@
+ file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
+ 
+ # Use the network.
+-can_network_server(postgresql_t)
++can_network(postgresql_t)
+ can_ypbind(postgresql_t)
+ allow postgresql_t self:fifo_file { getattr read write ioctl };
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
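Review bot: replacing `can_network_server(postgresql_t)` with `can_network(postgresql_t)` gives the database server the client-side socket permissions as well, not just the ability to accept connections. The port it may actually reach is then governed by name_connect, and the next hunk adds only auth_port_t; if that ident lookup is the sole reason for the widening, `can_network_client_tcp` plus that single name_connect would be the tighter grant, and either way the reason belongs in a comment next to the macro call.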
+@@ -79,6 +78,7 @@
+ ')
+ 
+ allow postgresql_t postgresql_port_t:tcp_socket name_bind;
++allow postgresql_t auth_port_t:tcp_socket name_connect;
+ 
+ allow postgresql_t { proc_t self }:file { getattr read };
+ 
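Review bot: `allow postgresql_t auth_port_t:tcp_socket name_connect;` is the only destination port the server is allowed to connect to, which fits ident-based client authentication, but nothing in the file says so; add a short comment so the next reader does not assume the server needs general outbound access.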
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgrey.te policy-1.23.18/domains/program/unused/postgrey.te
+--- nsapolicy/domains/program/unused/postgrey.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/postgrey.te	2005-06-18 06:39:01.000000000 -0400
+@@ -3,8 +3,6 @@
+ # Author:  Russell Coker <russell at coker.com.au>
+ # X-Debian-Packages: postgrey
+ 
+-type postgrey_port_t, port_type;
+-
+ daemon_domain(postgrey)
+ 
+ allow postgrey_t urandom_device_t:chr_file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.23.18/domains/program/unused/pppd.te
+--- nsapolicy/domains/program/unused/pppd.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/pppd.te	2005-06-20 12:20:35.000000000 -0400
+@@ -54,7 +54,7 @@
+ # allow running ip-up and ip-down scripts and running chat.
+ can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
+ allow pppd_t { bin_t sbin_t }:dir search;
+-allow pppd_t bin_t:lnk_file read;
++allow pppd_t { sbin_t bin_t }:lnk_file read;
+ 
+ # Access /dev/ppp.
+ allow pppd_t ppp_device_t:chr_file rw_file_perms;
+@@ -65,6 +65,8 @@
+ 
+ allow pppd_t proc_t:dir search;
+ allow pppd_t proc_t:{ file lnk_file } r_file_perms;
++allow pppd_t proc_net_t:dir { read search };
++allow pppd_t proc_net_t:file r_file_perms;
+ 
+ allow pppd_t etc_runtime_t:file r_file_perms;
+ 
+@@ -96,3 +98,6 @@
+ 
+ file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
+ tmp_domain(pppd)
++allow pppd_t sysctl_net_t:dir search;
++allow pppd_t sysctl_net_t:file r_file_perms;
++allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pxe.te policy-1.23.18/domains/program/unused/pxe.te
+--- nsapolicy/domains/program/unused/pxe.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/pxe.te	2005-06-18 06:39:01.000000000 -0400
+@@ -10,7 +10,6 @@
+ #
+ daemon_domain(pxe)
+ 
+-type pxe_port_t, port_type;
+ allow pxe_t pxe_port_t:udp_socket name_bind;
+ 
+ allow pxe_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pyzor.te policy-1.23.18/domains/program/unused/pyzor.te
+--- nsapolicy/domains/program/unused/pyzor.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/pyzor.te	2005-06-18 06:39:01.000000000 -0400
+@@ -15,8 +15,6 @@
+ # (I.E. The log file into /var/log, etc.)  This policy will work
+ # either way.
+ 
+-type pyzor_port_t, port_type, reserved_port_type;
+-
+ ##########
+ # pyzor daemon
+ ##########
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.23.18/domains/program/unused/radius.te
+--- nsapolicy/domains/program/unused/radius.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.18/domains/program/unused/radius.te	2005-06-18 06:38:33.000000000 -0400
+@@ -10,8 +10,6 @@
+ #
+ # radiusd_exec_t is the type of the radiusd executable.
+ #
+-type radius_port_t, port_type;
+-type radacct_port_t, port_type;
+ daemon_domain(radiusd, `, auth')
+ 
+ etcdir_domain(radiusd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/razor.te policy-1.23.18/domains/program/unused/razor.te
+--- nsapolicy/domains/program/unused/razor.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/razor.te	2005-06-18 06:39:01.000000000 -0400
+@@ -9,8 +9,6 @@
+ # file in /etc/razor, or with the default of dumping everything into
+ # $HOME/.razor.
+ 
+-type razor_port_t, port_type, reserved_port_type;
+-
+ ##########
+ # Razor query application - from system_r applictions
+ ##########
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.18/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-05-25 11:28:10.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/rpcd.te	2005-06-16 23:16:11.000000000 -0400
@@ -708,6 +1308,93 @@
 -
 +allow nfsd_t devtty_t:chr_file rw_file_perms;
 +allow rpcd_t devtty_t:chr_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.18/domains/program/unused/samba.te
+--- nsapolicy/domains/program/unused/samba.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/samba.te	2005-06-17 07:09:39.000000000 -0400
+@@ -9,7 +9,7 @@
+ # Declarations for Samba
+ #
+ 
+-daemon_domain(smbd, `, auth_chkpwd')
++daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
+ daemon_domain(nmbd)
+ type samba_etc_t, file_type, sysadmfile, usercanread;
+ type samba_log_t, file_type, sysadmfile, logfile;
+@@ -68,6 +68,7 @@
+ allow smbd_t samba_log_t:file { create ra_file_perms };
+ allow smbd_t var_log_t:dir search;
+ allow smbd_t samba_log_t:dir ra_dir_perms;
++dontaudit smbd_t samba_log_t:dir remove_name;
+ 
+ allow smbd_t usr_t:file { getattr read };
+ 
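Review bot: `dontaudit smbd_t samba_log_t:dir remove_name;` silences, rather than explains, smbd's attempts to unlink entries in its log directory. If smbd legitimately rotates or truncates its own logs, this should be an allow (remove_name on the dir plus unlink on samba_log_t:file); if it should not, the dontaudit hides exactly the event an operator would want to see. A comment stating which case applies belongs next to the rule.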
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.18/domains/program/unused/snmpd.te
+--- nsapolicy/domains/program/unused/snmpd.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/snmpd.te	2005-06-20 14:32:46.000000000 -0400
+@@ -16,7 +16,6 @@
+ can_network_server(snmpd_t)
+ can_ypbind(snmpd_t)
+ 
+-type snmp_port_t, port_type, reserved_port_type;
+ allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
+ 
+ etc_domain(snmpd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sound-server.te policy-1.23.18/domains/program/unused/sound-server.te
+--- nsapolicy/domains/program/unused/sound-server.te	2005-04-27 10:28:53.000000000 -0400
++++ policy-1.23.18/domains/program/unused/sound-server.te	2005-06-18 06:39:01.000000000 -0400
+@@ -11,7 +11,6 @@
+ #
+ daemon_domain(soundd)
+ 
+-type soundd_port_t, port_type;
+ allow soundd_t soundd_port_t:tcp_socket name_bind;
+ 
+ type etc_soundd_t, file_type, sysadmfile;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.23.18/domains/program/unused/spamd.te
+--- nsapolicy/domains/program/unused/spamd.te	2005-04-27 10:28:53.000000000 -0400
++++ policy-1.23.18/domains/program/unused/spamd.te	2005-06-18 06:38:47.000000000 -0400
+@@ -9,7 +9,6 @@
+ 
+ tmp_domain(spamd)
+ 
+-type spamd_port_t, port_type, reserved_port_type;
+ allow spamd_t spamd_port_t:tcp_socket name_bind;
+ 
+ general_domain_access(spamd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.18/domains/program/unused/squid.te
+--- nsapolicy/domains/program/unused/squid.te	2005-06-01 06:11:22.000000000 -0400
++++ policy-1.23.18/domains/program/unused/squid.te	2005-06-18 06:31:04.000000000 -0400
+@@ -61,6 +61,7 @@
+ 
+ # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
+ allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
++allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
+ 
+ # to allow running programs from /usr/lib/squid (IE unlinkd)
+ # also allow exec()ing itself
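Review bot: the new name_connect rule limits squid_t's outbound TCP connections to gopher_port_t, ftp_port_t, http_port_t and http_cache_port_t. Origin servers or peers listening on a port carrying any other port type will now be refused, so either document this set as the supported default next to the existing port comment or add a boolean for deployments that proxy to other ports.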
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.23.18/domains/program/unused/stunnel.te
+--- nsapolicy/domains/program/unused/stunnel.te	2005-04-27 10:28:53.000000000 -0400
++++ policy-1.23.18/domains/program/unused/stunnel.te	2005-06-18 06:38:54.000000000 -0400
+@@ -3,7 +3,6 @@
+ # Author:   petre rodan <kaiowas at gentoo.org>
+ #
+ ifdef(`distro_gentoo', `
+-type stunnel_port_t, port_type;
+ 
+ daemon_domain(stunnel)
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tftpd.te policy-1.23.18/domains/program/unused/tftpd.te
+--- nsapolicy/domains/program/unused/tftpd.te	2005-04-27 10:28:53.000000000 -0400
++++ policy-1.23.18/domains/program/unused/tftpd.te	2005-06-18 06:39:01.000000000 -0400
+@@ -13,8 +13,6 @@
+ #
+ daemon_domain(tftpd)
+ 
+-type tftp_port_t, port_type, reserved_port_type;
+-
+ # tftpdir_t is the type of files in the /tftpboot directories.
+ type tftpdir_t, file_type, sysadmfile;
+ r_dir_file(tftpd_t, tftpdir_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/thunderbird.te policy-1.23.18/domains/program/unused/thunderbird.te
 --- nsapolicy/domains/program/unused/thunderbird.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/thunderbird.te	2005-06-08 09:04:15.000000000 -0400
@@ -721,6 +1408,30 @@
 +type thunderbird_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/thunderbird_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/transproxy.te policy-1.23.18/domains/program/unused/transproxy.te
+--- nsapolicy/domains/program/unused/transproxy.te	2005-04-27 10:28:53.000000000 -0400
++++ policy-1.23.18/domains/program/unused/transproxy.te	2005-06-18 06:39:01.000000000 -0400
+@@ -12,8 +12,6 @@
+ #
+ daemon_domain(transproxy)
+ 
+-type transproxy_port_t, port_type;
+-
+ # Use the network.
+ can_network_server_tcp(transproxy_t)
+ allow transproxy_t transproxy_port_t:tcp_socket name_bind;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ucspi-tcp.te policy-1.23.18/domains/program/unused/ucspi-tcp.te
+--- nsapolicy/domains/program/unused/ucspi-tcp.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/ucspi-tcp.te	2005-06-18 06:39:01.000000000 -0400
+@@ -6,8 +6,6 @@
+ 
+ # http://cr.yp.to/ucspi-tcp.html
+ 
+-type utcpserver_port_t, port_type;
+-
+ daemon_base_domain(utcpserver)
+ can_network(utcpserver_t)
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.18/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-05-25 11:28:10.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/udev.te	2005-06-08 09:04:15.000000000 -0400
@@ -748,9 +1459,21 @@
  
  allow utempter_t self:unix_stream_socket create_stream_socket_perms;
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/watchdog.te policy-1.23.18/domains/program/unused/watchdog.te
+--- nsapolicy/domains/program/unused/watchdog.te	2005-04-27 10:28:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/watchdog.te	2005-06-20 10:14:08.000000000 -0400
+@@ -12,6 +12,8 @@
+ daemon_domain(watchdog, `, privmail')
+ type watchdog_device_t, device_type, dev_fs;
+ 
++allow watchdog_t self:process setsched;
++
+ log_domain(watchdog)
+ 
+ allow watchdog_t etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.18/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/xdm.te	2005-06-16 14:02:27.000000000 -0400
++++ policy-1.23.18/domains/program/unused/xdm.te	2005-06-18 06:39:12.000000000 -0400
 @@ -269,7 +269,6 @@
  allow xdm_xserver_t self:capability mknod;
  allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
@@ -794,7 +1517,15 @@
  allow xdm_t var_log_t:file { getattr read };
  allow xdm_t self:capability { sys_nice sys_rawio net_bind_service };
  allow xdm_t self:process setrlimit;
-@@ -356,3 +364,11 @@
+@@ -346,7 +354,6 @@
+ dontaudit xdm_t port_type:tcp_socket name_bind;
+ 
+ # VNC v4 module in X server
+-type vnc_port_t, port_type;
+ allow xdm_xserver_t vnc_port_t:tcp_socket name_bind; 
+ ifdef(`crack.te', `
+ allow xdm_t crack_db_t:file r_file_perms;
+@@ -356,3 +363,11 @@
  # Run telinit->init to shutdown.
  can_exec(xdm_t, init_exec_t)
  allow xdm_t self:sem create_sem_perms;
@@ -819,6 +1550,17 @@
  # Everything else is in the xserver_domain macro in
  # macros/program/xserver_macros.te.
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.23.18/domains/program/unused/zebra.te
+--- nsapolicy/domains/program/unused/zebra.te	2005-04-27 10:28:54.000000000 -0400
++++ policy-1.23.18/domains/program/unused/zebra.te	2005-06-18 06:39:20.000000000 -0400
+@@ -3,7 +3,6 @@
+ # Author:  Russell Coker <russell at coker.com.au>
+ # X-Debian-Packages: zebra
+ #
+-type zebra_port_t, port_type;
+ 
+ daemon_domain(zebra, `, sysctl_net_writer')
+ type zebra_conf_t, file_type, sysadmfile;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.18/domains/user.te
 --- nsapolicy/domains/user.te	2005-06-01 06:11:22.000000000 -0400
 +++ policy-1.23.18/domains/user.te	2005-06-16 14:02:34.000000000 -0400
@@ -853,7 +1595,7 @@
  ') dnl reach_sysadm
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.18/file_contexts/distros.fc
 --- nsapolicy/file_contexts/distros.fc	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.18/file_contexts/distros.fc	2005-06-16 14:02:43.000000000 -0400
++++ policy-1.23.18/file_contexts/distros.fc	2005-06-17 16:00:50.000000000 -0400
 @@ -1,7 +1,6 @@
  ifdef(`distro_redhat', `
  /usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
@@ -862,7 +1604,17 @@
  /etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
  /usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
  /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
-@@ -89,18 +88,9 @@
+@@ -36,9 +35,6 @@
+ /usr/share/texmf/web2c/mktexdir	--	system_u:object_r:bin_t
+ /usr/share/texmf/web2c/mktexnam	--	system_u:object_r:bin_t
+ /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
+-/usr/share/ssl/certs(/.*)?		system_u:object_r:cert_t
+-/usr/share/ssl/private(/.*)?		system_u:object_r:cert_t
+-/etc/pki(/.*)?				system_u:object_r:cert_t
+ /etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t
+ /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
+ #
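Review bot: this hunk only deletes the three cert_t entries from the `ifdef(`distro_redhat'` block; they are re-added unconditionally in types.fc later in this patch, so the net effect is a move. That changes labelling on non-Red Hat builds, which will now also label /etc/pki and /usr/share/ssl/{certs,private} as cert_t, and is worth a line in the patch description.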
+@@ -89,18 +85,9 @@
  /usr/X11R6/lib/modules/dri/.*\.so		-- system_u:object_r:texrel_shlib_t
  /usr/X11R6/lib/libOSMesa\.so.*			-- system_u:object_r:texrel_shlib_t
  /usr/lib/libHermes\.so.*			-- system_u:object_r:texrel_shlib_t
@@ -884,7 +1636,7 @@
  /usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
  /usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
  /usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
-@@ -156,7 +146,7 @@
+@@ -156,7 +143,7 @@
  /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
  /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
  /usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
@@ -919,8 +1671,16 @@
 +/usr/libexec/bonobo-activation-server	--	system_u:object_r:bonobo_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.18/file_contexts/program/cups.fc
 --- nsapolicy/file_contexts/program/cups.fc	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/file_contexts/program/cups.fc	2005-06-14 12:32:19.000000000 -0400
-@@ -35,5 +35,8 @@
++++ policy-1.23.18/file_contexts/program/cups.fc	2005-06-23 08:54:58.000000000 -0400
+@@ -17,6 +17,7 @@
+ /etc/printcap.* 	--	system_u:object_r:cupsd_rw_etc_t
+ /usr/lib(64)?/cups/backend/.* --	system_u:object_r:cupsd_exec_t
+ /usr/lib(64)?/cups/daemon/.*	 --	system_u:object_r:cupsd_exec_t
++/usr/lib(64)?/cups/daemon/cups-lpd --	system_u:object_r:cupsd_lpd_exec_t
+ /usr/sbin/cupsd		--	system_u:object_r:cupsd_exec_t
+ ifdef(`hald.te', `
+ # cupsd_config depends on hald
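Review bot: `/usr/lib(64)?/cups/daemon/cups-lpd -- cupsd_lpd_exec_t` must take precedence over the `/usr/lib(64)?/cups/daemon/.* -- cupsd_exec_t` line directly above it for the separate cups-lpd domain to be entered at all. That depends on how the generated file_contexts is ordered, so verify with `matchpathcon /usr/lib/cups/daemon/cups-lpd` (and the lib64 path) after the build rather than assuming the more specific regex wins.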
+@@ -35,5 +36,8 @@
  /usr/sbin/ptal-photod	--	system_u:object_r:ptal_exec_t
  /var/run/ptal-printd(/.*)?	system_u:object_r:ptal_var_run_t
  /var/run/ptal-mlcd(/.*)?	system_u:object_r:ptal_var_run_t
@@ -929,6 +1689,14 @@
 +/usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t
  /usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
  /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cyrus.fc policy-1.23.18/file_contexts/program/cyrus.fc
+--- nsapolicy/file_contexts/program/cyrus.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.18/file_contexts/program/cyrus.fc	2005-06-23 12:05:13.000000000 -0400
+@@ -2,3 +2,4 @@
+ /var/lib/imap(/.*)?				system_u:object_r:cyrus_var_lib_t
+ /usr/lib(64)?/cyrus-imapd/.*		 	--	system_u:object_r:bin_t
+ /usr/lib(64)?/cyrus-imapd/cyrus-master 		--	system_u:object_r:cyrus_exec_t	
++/var/spool/imap(/.*)?		system_u:object_r:mail_spool_t
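Review bot: labelling `/var/spool/imap(/.*)?` as the generic mail_spool_t gives every domain that can reach mail spools the same access to the Cyrus mailstore; the rest of this file keeps Cyrus data under its own cyrus_var_lib_t, and a Cyrus-specific type (or reuse of cyrus_var_lib_t) would keep the IMAP spool out of the shared grants. The new line also uses different tab alignment from the three entries above it.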
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ethereal.fc policy-1.23.18/file_contexts/program/ethereal.fc
 --- nsapolicy/file_contexts/program/ethereal.fc	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/file_contexts/program/ethereal.fc	2005-06-08 09:04:15.000000000 -0400
@@ -958,6 +1726,17 @@
 +HOME_DIR/\.fonts(/.*)?			system_u:object_r:ROLE_fonts_t
 +HOME_DIR/\.fonts/auto(/.*)?		system_u:object_r:ROLE_fonts_cache_t
 +HOME_DIR/\.fonts.cache-.*	--	system_u:object_r:ROLE_fonts_cache_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fsadm.fc policy-1.23.18/file_contexts/program/fsadm.fc
+--- nsapolicy/file_contexts/program/fsadm.fc	2005-06-01 06:11:22.000000000 -0400
++++ policy-1.23.18/file_contexts/program/fsadm.fc	2005-06-23 11:14:34.000000000 -0400
+@@ -1,6 +1,7 @@
+ # fs admin utilities
+ /sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+ /sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
++/sbin/mkfs\.cramfs	--	system_u:object_r:sbin_t
+ /sbin/e2fsck		--	system_u:object_r:fsadm_exec_t
+ /sbin/mkdosfs		--	system_u:object_r:fsadm_exec_t
+ /sbin/dosfsck		--	system_u:object_r:fsadm_exec_t
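Review bot: `/sbin/mkfs\.cramfs -- sbin_t` is meant to override the `/sbin/mkfs.* -- fsadm_exec_t` line above it so that mkfs.cramfs runs in the caller's domain instead of transitioning to fsadm_t, but nothing says why it is the only mkfs variant treated this way; add a comment. Also verify with `matchpathcon /sbin/mkfs.cramfs` that the more specific entry wins in the generated file_contexts, and note that `mkfs.*` has an unescaped dot, so it matches any name starting with `mkfs`, not only `mkfs.` variants.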
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/gconf.fc policy-1.23.18/file_contexts/program/gconf.fc
 --- nsapolicy/file_contexts/program/gconf.fc	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/file_contexts/program/gconf.fc	2005-06-08 09:04:15.000000000 -0400
@@ -1058,7 +1837,7 @@
  /tmp/\.ICE-unix/.*	-s	<<none>>
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.18/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/file_contexts/types.fc	2005-06-14 12:46:58.000000000 -0400
++++ policy-1.23.18/file_contexts/types.fc	2005-06-17 16:00:39.000000000 -0400
 @@ -249,6 +249,7 @@
  /dev/dri/.+		-c	system_u:object_r:dri_device_t
  /dev/radeon		-c	system_u:object_r:dri_device_t
@@ -1067,7 +1846,24 @@
  
  #
  # Misc
-@@ -499,6 +500,7 @@
+@@ -354,6 +355,8 @@
+ /usr/share/man(/.*)?		system_u:object_r:man_t
+ /usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
+ /usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t
++/usr/share/ssl/certs(/.*)?	system_u:object_r:cert_t
++/usr/share/ssl/private(/.*)?	system_u:object_r:cert_t
+ 
+ # nvidia share libraries
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+@@ -471,6 +474,7 @@
+ /usr/lib/locale(/.*)?		system_u:object_r:locale_t
+ /etc/localtime		--	system_u:object_r:locale_t
+ /etc/localtime		-l	system_u:object_r:etc_t
++/etc/pki(/.*)?				system_u:object_r:cert_t
+ 
+ #
+ # Gnu Cash
+@@ -499,6 +503,7 @@
  #
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
  /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
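Review bot: `/usr/share/ssl/private(/.*)?` and `/etc/pki(/.*)?` receive the same `cert_t` as the public certificate directory `/usr/share/ssl/certs(/.*)?`, so every domain granted read access to `cert_t` for certificate verification can also read the private keys kept there. Consider a distinct type for the private-key directories, or at least a comment recording that the shared label is intentional.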
@@ -1737,6 +2533,35 @@
 +# App side access
 +home_domain_ro_access($1_$2_t, $1, $2)
 +')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.23.18/macros/network_macros.te
+--- nsapolicy/macros/network_macros.te	2005-04-27 10:28:54.000000000 -0400
++++ policy-1.23.18/macros/network_macros.te	2005-06-18 06:12:33.000000000 -0400
+@@ -164,9 +164,7 @@
+ ')
+ 
+ define(`can_ldap',`
+-ifdef(`slapd.te',`
+ can_network_client_tcp($1, `ldap_port_t')
+ allow $1 ldap_port_t:tcp_socket name_connect;
+ ')
+-')
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.18/macros/program/apache_macros.te
+--- nsapolicy/macros/program/apache_macros.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/macros/program/apache_macros.te	2005-06-20 14:19:53.000000000 -0400
+@@ -113,9 +113,11 @@
+ #
+ # If a user starts a script by hand it gets the proper context
+ #
+-if (httpd_enable_cgi ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
++ifdef(`targeted_policy', `', `
++if (httpd_enable_cgi) {
+ domain_auto_trans(sysadm_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ }
++')
+ role sysadm_r types httpd_$1_script_t;
+ 
+ dontaudit httpd_$1_script_t sysctl_kernel_t:dir search;
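Review bot: dropping the `ifdef(`slapd.te'` guard makes `can_ldap` reference `ldap_port_t` unconditionally, so that type must be declared outside any slapd.te conditional or a build without slapd.te fails; the `portcon ... ldap_port_t` lines in net_contexts are already unconditional, but the type declaration is not part of this patch, so please confirm it. In apache_macros.te the comment `# If a user starts a script by hand it gets the proper context` is now false for the targeted policy, where the new `ifdef(`targeted_policy', `', ...` removes the transition from `sysadm_t` to `httpd_$1_script_t` entirely; update the comment to say so.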
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/bonobo_macros.te policy-1.23.18/macros/program/bonobo_macros.te
 --- nsapolicy/macros/program/bonobo_macros.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/macros/program/bonobo_macros.te	2005-06-10 14:12:09.000000000 -0400
@@ -2866,6 +3691,17 @@
 +allow $1_t $2_ice_tmp_t:sock_file { read write };
 +allow $1_t $2_t:unix_stream_socket { read write };
 +')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/inetd_macros.te policy-1.23.18/macros/program/inetd_macros.te
+--- nsapolicy/macros/program/inetd_macros.te	2005-04-27 10:28:55.000000000 -0400
++++ policy-1.23.18/macros/program/inetd_macros.te	2005-06-18 06:54:13.000000000 -0400
+@@ -56,7 +56,6 @@
+ allow $1_t self:{ lnk_file file } { getattr read };
+ can_kerberos($1_t)
+ allow $1_t urandom_device_t:chr_file r_file_perms;
+-type $1_port_t, port_type, reserved_port_type;
+ # Use sockets inherited from inetd.
+ ifelse($2, `', `
+ allow inetd_t $1_port_t:udp_socket name_bind;
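Review bot: the removed `type $1_port_t, port_type, reserved_port_type;` was the only declaration a caller of this macro got for free, yet the unchanged `allow inetd_t $1_port_t:udp_socket name_bind;` just below still uses it, so every domain that invokes the macro now needs its `_port_t` declared centrally. The `#inetd_child_ports` block this patch adds to types/network.te covers rlogind, telnetd, comsat, cvs, dbskkd, ktalkd, rsync, uucpd, swat and zope; any other caller will no longer compile, and note that cvs_port_t and zope_port_t lose `reserved_port_type` in the move, which is correct for ports 2401 and 8021.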
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.23.18/macros/program/irc_macros.te
 --- nsapolicy/macros/program/irc_macros.te	2005-05-25 11:28:10.000000000 -0400
 +++ policy-1.23.18/macros/program/irc_macros.te	2005-06-16 14:04:14.000000000 -0400
@@ -2985,7 +3821,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.18/macros/program/mozilla_macros.te
 --- nsapolicy/macros/program/mozilla_macros.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.18/macros/program/mozilla_macros.te	2005-06-16 14:04:39.000000000 -0400
++++ policy-1.23.18/macros/program/mozilla_macros.te	2005-06-18 07:21:29.000000000 -0400
 @@ -15,6 +15,11 @@
  # The type declaration for the executable type for this program is
  # provided separately in domains/program/mozilla.te. 
@@ -3065,7 +3901,7 @@
  
  # for bash - old mozilla binary
  can_exec($1_mozilla_t, mozilla_exec_t)
-@@ -81,92 +88,46 @@
+@@ -81,92 +88,48 @@
  allow $1_mozilla_t self:lnk_file read;
  r_dir_file($1_mozilla_t, proc_net_t)
  
@@ -3165,7 +4001,8 @@
 -# Suppress history.fop denial
 -dontaudit $1_mplayer_t $1_mozilla_home_t:file write;
 -
--dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
++dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
+ dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
 +dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };
  ')dnl end if mplayer.te  
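Review bot: `dontaudit $1_mplayer_t $1_mozilla_home_t:file { read write };` now appears twice in the resulting macro, once as the newly added line and once as the `+` line that was already present below the unix_stream_socket rule; checkpolicy merges duplicate dontaudit rules so it still compiles, but one of the two should go.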
  
@@ -3589,8 +4426,29 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.18/Makefile
 --- nsapolicy/Makefile	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/Makefile	2005-06-16 14:05:37.000000000 -0400
-@@ -144,9 +144,6 @@
++++ policy-1.23.18/Makefile	2005-06-23 16:44:19.000000000 -0400
+@@ -70,7 +70,7 @@
+ CONTEXTFILES += $(FCFILES)
+ 
+ APPDIR=$(CONTEXTPATH)
+-APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
++APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types port_types) $(CONTEXTPATH)/files/media
+ CONTEXTFILES += $(wildcard appconfig/*_context*) appconfig/media
+ 
+ ROOTFILES = $(addprefix $(APPDIR)/users/,root)
+@@ -115,6 +115,11 @@
+ 	@grep "^type .*customizable" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/customizable_types
+ 	install -m 644 tmp/customizable_types $@ 
+ 
++$(APPDIR)/port_types: policy.conf
++	@mkdir -p $(APPDIR)
++	@grep "^type .*port_type" $< | cut -d',' -f1 | cut -d' ' -f2 > tmp/port_types
++	install -m 644 tmp/port_types $@ 
++
+ $(APPDIR)/default_type: appconfig/default_type
+ 	@mkdir -p $(APPDIR)
+ 	install -m 644 $< $@
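Review bot: the `port_types` rule's `grep "^type .*port_type"` matches any `type` declaration that contains the substring anywhere on the line, and `cut -d' ' -f2` assumes exactly one space between `type` and the name, so a tab-separated declaration yields the wrong field. Anchoring the attribute as a word and splitting on whitespace or comma, e.g. `grep -E '^type[[:space:]]+[^,;]+,.*\bport_type\b' $< | awk -F'[ \t,]+' '{print $2}'`, makes the generated list robust; the existing customizable_types rule above has the same weakness.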
+@@ -144,9 +149,6 @@
  	@mkdir -p $(POLICYPATH)
  	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
  ifneq ($(MLS),y)
@@ -3600,7 +4458,7 @@
  endif
  # Note: Can't use install, so not sure how to deal with mode, user, and group
  #	other than by default.
-@@ -155,21 +152,12 @@
+@@ -155,21 +157,12 @@
  
  $(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
  	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
@@ -3622,7 +4480,16 @@
  	touch tmp/load
  
  load: tmp/load $(FCPATH) 
-@@ -242,7 +230,7 @@
+@@ -210,7 +203,7 @@
+ file_contexts/misc:
+ 	@mkdir -p file_contexts/misc
+ 
+-$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types
++$(FCPATH): tmp/valid_fc $(USERPATH)/system.users  $(APPDIR)/customizable_types $(APPDIR)/port_types
+ 	@echo "Installing file contexts files..."
+ 	@mkdir -p $(CONTEXTPATH)/files
+ 	install -m 644 $(HOMEDIR_TEMPLATE) $(HOMEDIRPATH)
+@@ -242,7 +235,7 @@
  	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
   
  clean:
@@ -3726,19 +4593,53 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.18/net_contexts
 --- nsapolicy/net_contexts	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/net_contexts	2005-06-16 23:12:27.000000000 -0400
-@@ -50,23 +50,29 @@
++++ policy-1.23.18/net_contexts	2005-06-23 16:38:05.000000000 -0400
+@@ -17,7 +17,6 @@
+ # protocol number context
+ # protocol low-high context
+ #
+-ifdef(`inetd.te', `
+ portcon tcp 7 system_u:object_r:inetd_child_port_t
+ portcon udp 7 system_u:object_r:inetd_child_port_t
+ portcon tcp 9 system_u:object_r:inetd_child_port_t
+@@ -28,7 +27,7 @@
+ portcon udp 19 system_u:object_r:inetd_child_port_t
+ portcon tcp 37 system_u:object_r:inetd_child_port_t
+ portcon udp 37 system_u:object_r:inetd_child_port_t
+-portcon tcp 113 system_u:object_r:inetd_child_port_t
++portcon tcp 113 system_u:object_r:auth_port_t
+ portcon tcp 512 system_u:object_r:inetd_child_port_t
+ portcon tcp 543 system_u:object_r:inetd_child_port_t
+ portcon tcp 544 system_u:object_r:inetd_child_port_t
+@@ -37,11 +36,10 @@
+ portcon tcp 892 system_u:object_r:inetd_child_port_t
+ portcon udp 892 system_u:object_r:inetd_child_port_t
+ portcon tcp 2105 system_u:object_r:inetd_child_port_t
+-')
+ portcon tcp 20 system_u:object_r:ftp_data_port_t
+ portcon tcp 21 system_u:object_r:ftp_port_t
+-ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
+-ifdef(`telnetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
++portcon tcp 22 system_u:object_r:ssh_port_t
++portcon tcp 23 system_u:object_r:telnetd_port_t
+ 
+ portcon tcp 25 system_u:object_r:smtp_port_t
+ portcon tcp 465 system_u:object_r:smtp_port_t
+@@ -50,24 +48,31 @@
  portcon udp 53 system_u:object_r:dns_port_t
  portcon tcp 53 system_u:object_r:dns_port_t
  
 -ifdef(`use_dhcpd', `portcon udp 67  system_u:object_r:dhcpd_port_t')
 -ifdef(`dhcpc.te', `portcon udp 68  system_u:object_r:dhcpc_port_t')
-+ifdef(`dhcpc.te', `
+-ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
+-ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
 +portcon udp 67  system_u:object_r:dhcpd_port_t
 +portcon udp 68  system_u:object_r:dhcpc_port_t
-+')
- ifdef(`tftpd.te', `portcon udp 69  system_u:object_r:tftp_port_t')
- ifdef(`fingerd.te', `portcon tcp 79  system_u:object_r:fingerd_port_t')
++portcon udp 70 system_u:object_r:gopher_port_t
++portcon tcp 70 system_u:object_r:gopher_port_t
++
++portcon udp 69  system_u:object_r:tftp_port_t
++portcon tcp 79  system_u:object_r:fingerd_port_t
  
  portcon tcp 80  system_u:object_r:http_port_t
  portcon tcp 443  system_u:object_r:http_port_t
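Review bot: relabelling tcp 113 from `inetd_child_port_t` to `auth_port_t` changes who may bind it: any domain that bound 113 under the old child-port label now needs `name_bind` on `auth_port_t`, and no such allow rule is in this patch (the changelog's "Fix postgres to allow it to connect to auth" covers only the client side). Also, the new `portcon udp/tcp 70 ... gopher_port_t` lines sit between the 68 and 69 entries; moving them after 69 keeps the file's ascending order.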
@@ -3758,11 +4659,13 @@
  portcon tcp 111 system_u:object_r:portmap_port_t
  
 -ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
+-ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
 +portcon tcp 119 system_u:object_r:innd_port_t
- ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
++portcon udp 123 system_u:object_r:ntp_port_t
  
  portcon tcp 137 system_u:object_r:smbd_port_t
-@@ -77,10 +83,6 @@
+ portcon udp 137 system_u:object_r:nmbd_port_t
+@@ -77,35 +82,23 @@
  portcon udp 139 system_u:object_r:nmbd_port_t
  portcon tcp 445 system_u:object_r:smbd_port_t
  
@@ -3770,34 +4673,194 @@
 -portcon tcp 143 system_u:object_r:pop_port_t
 -portcon tcp 220 system_u:object_r:pop_port_t
 -')
- ifdef(`snmpd.te', `
+-ifdef(`snmpd.te', `
  portcon udp 161 system_u:object_r:snmp_port_t
  portcon udp 162 system_u:object_r:snmp_port_t
-@@ -131,10 +133,8 @@
- ')
- ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
- ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
+ portcon tcp 199 system_u:object_r:snmp_port_t
+-')
+-ifdef(`comsat.te', `
+ portcon udp 512 system_u:object_r:comsat_port_t
+-')
+ 
+ portcon tcp 389 system_u:object_r:ldap_port_t
+ portcon udp 389 system_u:object_r:ldap_port_t
+ portcon tcp 636 system_u:object_r:ldap_port_t
+ portcon udp 636 system_u:object_r:ldap_port_t
+ 
+-ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
++portcon tcp 513 system_u:object_r:rlogind_port_t
+ portcon tcp 514 system_u:object_r:rsh_port_t
+ 
+-ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
+-ifdef(`syslogd.te', `
++portcon tcp 515 system_u:object_r:printer_port_t
+ portcon udp 514 system_u:object_r:syslogd_port_t
+-')
+-ifdef(`ktalkd.te', `
+ portcon udp 517 system_u:object_r:ktalkd_port_t
+ portcon udp 518 system_u:object_r:ktalkd_port_t
+-')
+ portcon tcp 631 system_u:object_r:ipp_port_t
+ portcon udp 631 system_u:object_r:ipp_port_t
+ portcon tcp 88 system_u:object_r:kerberos_port_t
+@@ -117,41 +110,25 @@
+ portcon udp 750 system_u:object_r:kerberos_port_t
+ portcon tcp 4444 system_u:object_r:kerberos_master_port_t
+ portcon udp 4444 system_u:object_r:kerberos_master_port_t
+-ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
+-ifdef(`uucpd.te', `
++portcon tcp 783 system_u:object_r:spamd_port_t
+ portcon tcp 540 system_u:object_r:uucpd_port_t
+-')
+-ifdef(`cvs.te', `
+ portcon tcp 2401 system_u:object_r:cvs_port_t
+ portcon udp 2401 system_u:object_r:cvs_port_t
+-')
+-ifdef(`rsync.te', `
+ portcon tcp 873 system_u:object_r:rsync_port_t
+ portcon udp 873 system_u:object_r:rsync_port_t
+-')
+-ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
+-ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
 -ifdef(`use_pop', `
 -portcon tcp 993 system_u:object_r:pop_port_t
 -portcon tcp 995 system_u:object_r:pop_port_t
 -portcon tcp 1109 system_u:object_r:pop_port_t
-+ifdef(`gift.te', `
+-')
+-ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
+-ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
+-ifdef(`radius.te', `
++portcon tcp 901 system_u:object_r:swat_port_t
++portcon tcp 953 system_u:object_r:rndc_port_t
 +portcon tcp 1213 system_u:object_r:giftd_port_t
- ')
- ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
- ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-@@ -191,6 +191,11 @@
- ')
- ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
- ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
-+ifdef(`cups.te', `
++portcon tcp 1241 system_u:object_r:nessus_port_t
++portcon tcp 1234 system_u:object_r:monopd_port_t
+ portcon udp 1645 system_u:object_r:radius_port_t
+ portcon udp 1646 system_u:object_r:radacct_port_t
+ portcon udp 1812 system_u:object_r:radius_port_t
+ portcon udp 1813 system_u:object_r:radacct_port_t
+-')
+-ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
+-ifdef(`gatekeeper.te', `
+ portcon udp 1718 system_u:object_r:gatekeeper_port_t
+ portcon udp 1719 system_u:object_r:gatekeeper_port_t
+ portcon tcp 1721 system_u:object_r:gatekeeper_port_t
+ portcon tcp 7000 system_u:object_r:gatekeeper_port_t
+-')
+-ifdef(`afs.te', `
+ portcon tcp 2040 system_u:object_r:afs_fs_port_t
+ portcon udp 7000 system_u:object_r:afs_fs_port_t
+ portcon udp 7002 system_u:object_r:afs_pt_port_t
+@@ -159,42 +136,31 @@
+ portcon udp 7004 system_u:object_r:afs_ka_port_t
+ portcon udp 7005 system_u:object_r:afs_fs_port_t
+ portcon udp 7007 system_u:object_r:afs_bos_port_t
+-',`
+-ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')
+-')
+-ifdef(`asterisk.te', `
+ portcon tcp 1720 system_u:object_r:asterisk_port_t
+ portcon udp 2427 system_u:object_r:asterisk_port_t
+ portcon udp 2727 system_u:object_r:asterisk_port_t
+ portcon udp 4569 system_u:object_r:asterisk_port_t
+ portcon udp 5060 system_u:object_r:asterisk_port_t
+-')
+ portcon tcp 2000 system_u:object_r:mail_port_t
+-ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
+-ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
+-ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
+-ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t')
+-ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t')
+-ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t')
+-ifdef(`imazesrv.te',`
++portcon tcp 2601 system_u:object_r:zebra_port_t
++portcon tcp 2628 system_u:object_r:dict_port_t
++portcon tcp 3306 system_u:object_r:mysqld_port_t
++portcon tcp 3632 system_u:object_r:distccd_port_t
++portcon udp 4011 system_u:object_r:pxe_port_t
++portcon udp 5000 system_u:object_r:openvpn_port_t
+ portcon tcp 5323 system_u:object_r:imaze_port_t
+ portcon udp 5323 system_u:object_r:imaze_port_t
+-')
+-ifdef(`howl.te', `
+ portcon tcp 5335 system_u:object_r:howl_port_t
+ portcon udp 5353 system_u:object_r:howl_port_t
+-')
+-ifdef(`jabberd.te', `
+ portcon tcp 5222 system_u:object_r:jabber_client_port_t
+ portcon tcp 5223 system_u:object_r:jabber_client_port_t
+ portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
+-')
+-ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
+-ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
+-ifdef(`xdm.te', `
++portcon tcp 5432 system_u:object_r:postgresql_port_t
++portcon tcp 5666 system_u:object_r:inetd_child_port_t
 +portcon tcp 5703 system_u:object_r:ptal_port_t
 +portcon tcp 50000 system_u:object_r:hplip_port_t
 +portcon tcp 50002 system_u:object_r:hplip_port_t
-+')
- ifdef(`xdm.te', `
  portcon tcp 5900  system_u:object_r:vnc_port_t 
- ')
+-')
+-ifdef(`use_x_ports', `
+ portcon tcp 6000  system_u:object_r:xserver_port_t
+ portcon tcp 6001  system_u:object_r:xserver_port_t
+ portcon tcp 6002  system_u:object_r:xserver_port_t
+@@ -215,51 +181,34 @@
+ portcon tcp 6017  system_u:object_r:xserver_port_t
+ portcon tcp 6018  system_u:object_r:xserver_port_t
+ portcon tcp 6019  system_u:object_r:xserver_port_t
+-')
+-ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
+-ifdef(`sound-server.te', `
++portcon tcp 6667 system_u:object_r:ircd_port_t
+ portcon tcp 8000 system_u:object_r:soundd_port_t
+ # 9433 is for YIFF
+ portcon tcp 9433 system_u:object_r:soundd_port_t
+-')
+ portcon tcp 3128  system_u:object_r:http_cache_port_t
+ portcon tcp 8080  system_u:object_r:http_cache_port_t
+ portcon udp 3130  system_u:object_r:http_cache_port_t
+ # 8118 is for privoxy
+ portcon tcp 8118  system_u:object_r:http_cache_port_t
+ 
+-ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
+-ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
+-ifdef(`amanda.te', `
++portcon udp 4041 system_u:object_r:clockspeed_port_t
++portcon tcp 8081 system_u:object_r:transproxy_port_t
+ portcon udp 10080 system_u:object_r:amanda_port_t
+ portcon tcp 10080 system_u:object_r:amanda_port_t
+ portcon udp 10081 system_u:object_r:amanda_port_t
+ portcon tcp 10081 system_u:object_r:amanda_port_t
+ portcon tcp 10082 system_u:object_r:amanda_port_t
+ portcon tcp 10083 system_u:object_r:amanda_port_t
+-')
+-ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
++portcon tcp 60000 system_u:object_r:postgrey_port_t
+ 
+-ifdef(`amavis.te', `
+ portcon tcp 10024 system_u:object_r:amavisd_recv_port_t
+ portcon tcp 10025 system_u:object_r:amavisd_send_port_t
+-')
+-ifdef(`clamav.te', `
+ portcon tcp 3310 system_u:object_r:clamd_port_t
+-')
+-ifdef(`dcc.te', `
+ portcon udp 6276 system_u:object_r:dcc_port_t
+ portcon udp 6277 system_u:object_r:dcc_port_t
+-')
+-ifdef(`pyzor.te', `
+ portcon udp 24441 system_u:object_r:pyzor_port_t
+-')
+-ifdef(`razor.te', `
+ portcon tcp 2703 system_u:object_r:razor_port_t
+-')
+-ifdef(`zope.te', `
+ portcon tcp 8021 system_u:object_r:zope_port_t
+-')
+ 
+ # Defaults for reserved ports.  Earlier portcon entries take precedence;
+ # these entries just cover any remaining reserved ports not otherwise 
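Review bot: two port labels disappear in this hunk. `portcon tcp 1178 system_u:object_r:dbskkd_port_t` is removed together with its `ifdef(`dbskkd.te'` wrapper but, unlike every other entry here, gets no unconditional replacement, so port 1178 falls back to the generic default label while `dbskkd_port_t` is still declared in types/network.te. Likewise the `ifdef(`ciped.te', `portcon udp 7007 ... cipe_port_t')` alternative is dropped, so udp 7007 is always `afs_bos_port_t` and ciped, still present under domains/program/unused, no longer has a labelled port of its own; either restore both entries or record the conflict in a comment.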
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.18/targeted/domains/program/crond.te
 --- nsapolicy/targeted/domains/program/crond.te	2005-06-01 06:11:23.000000000 -0400
 +++ policy-1.23.18/targeted/domains/program/crond.te	2005-06-08 09:04:15.000000000 -0400
@@ -3815,6 +4878,26 @@
  file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
  file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
  allow crond_t initrc_t:dbus send_msg;
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.23.18/targeted/domains/program/ssh.te
+--- nsapolicy/targeted/domains/program/ssh.te	2005-04-27 10:28:56.000000000 -0400
++++ policy-1.23.18/targeted/domains/program/ssh.te	2005-06-18 07:17:39.000000000 -0400
+@@ -16,5 +16,4 @@
+ type ssh_keysign_exec_t, file_type, sysadmfile, exec_type;
+ type sshd_key_t, file_type, sysadmfile;
+ type sshd_var_run_t, file_type, sysadmfile;
+-type ssh_port_t, port_type;
+ domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.23.18/targeted/domains/program/xdm.te
+--- nsapolicy/targeted/domains/program/xdm.te	2005-05-02 07:37:54.000000000 -0400
++++ policy-1.23.18/targeted/domains/program/xdm.te	2005-06-18 07:18:55.000000000 -0400
+@@ -12,7 +12,6 @@
+ #
+ type xdm_exec_t, file_type, sysadmfile, exec_type;
+ type xsession_exec_t, file_type, sysadmfile, exec_type;
+-type vnc_port_t, port_type;
+ type xserver_log_t, file_type, sysadmfile;
+ type xdm_xserver_tmp_t, file_type, sysadmfile;
+ type xdm_rw_etc_t, file_type, sysadmfile;
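Review bot: removing the targeted-policy `type ssh_port_t, port_type;` hands sshd the central declaration from types/network.te, which also carries `reserved_port_type`; that is right for port 22, but it is a behaviour change, since every rule written against `reserved_port_type` now includes `ssh_port_t`, whereas `vnc_port_t` keeps plain `port_type` in both places. A changelog line noting the move would help.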
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.18/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-05-25 11:28:11.000000000 -0400
 +++ policy-1.23.18/targeted/domains/unconfined.te	2005-06-16 13:48:06.000000000 -0400
@@ -3924,12 +5007,30 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.18/types/network.te
 --- nsapolicy/types/network.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.18/types/network.te	2005-06-16 23:11:57.000000000 -0400
-@@ -31,17 +31,10 @@
++++ policy-1.23.18/types/network.te	2005-06-23 16:41:20.000000000 -0400
+@@ -8,17 +8,7 @@
+ # Modified by Russell Coker
+ # Move port types to their respective domains, add ifdefs, other cleanups.
+ 
+-# generally we do not want to define port types in this file, but some things
+-# are insanely difficult to do elsewhere, xserver_port_t is a good example
+-# getting the type defined is the easy part for X, conditional code for many
+-# other domains (including one that starts with a) is the hard part.
+-ifdef(`xdm.te', `define(`use_x_ports')')
+-ifdef(`startx.te', `define(`use_x_ports')')
+-ifdef(`xauth.te', `define(`use_x_ports')')
+-ifdef(`xserver.te', `define(`use_x_ports')')
+-ifdef(`use_x_ports', `
+ type xserver_port_t, port_type;
+-')
+ #
+ # Defines used by the te files need to be defined outside of net_constraints
+ #
+@@ -31,24 +21,14 @@
  type http_cache_port_t, port_type, reserved_port_type;
  type http_port_t, port_type, reserved_port_type;
  type ipp_port_t, port_type, reserved_port_type;
-+type innd_port_t, port_type, reserved_port_type;
++type gopher_port_t, port_type, reserved_port_type;
  
  allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 -ifdef(`cyrus.te', `define(`use_pop')')
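Review bot: the header comment `# Move port types to their respective domains, add ifdefs, other cleanups.` now describes the opposite of what this file does: the patch pulls the port types back into it and strips the ifdefs, and it deletes the paragraph that explained the `use_x_ports` workaround. Replace the header with a sentence stating that port types are declared centrally here so that net_contexts can be unconditional.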
@@ -3944,6 +5045,93 @@
  
  type ftp_port_t, port_type, reserved_port_type;
  type ftp_data_port_t, port_type, reserved_port_type;
+ 
+-ifdef(`dhcpd.te', `define(`use_pxe')')
+-ifdef(`pxe.te', `define(`use_pxe')')
+-
+ ############################################
+ #
+ # Network types
+@@ -126,3 +106,79 @@
+ # Kernel-generated traffic, e.g. TCP resets.
+ allow kernel_t netif_type:netif { tcp_send tcp_recv };
+ allow kernel_t node_type:node { tcp_send tcp_recv };
++type radius_port_t, port_type;
++type radacct_port_t, port_type;
++type rndc_port_t, port_type, reserved_port_type;
++type tftp_port_t, port_type, reserved_port_type;
++type printer_port_t, port_type, reserved_port_type;
++type mysqld_port_t, port_type;
++type postgresql_port_t, port_type;
++type ptal_port_t, port_type, reserved_port_type;
++type howl_port_t, port_type;
++type dict_port_t, port_type;
++type syslogd_port_t, port_type, reserved_port_type;
++type spamd_port_t, port_type, reserved_port_type;
++type ssh_port_t, port_type, reserved_port_type;
++type pxe_port_t, port_type;
++type amanda_port_t, port_type;
++type fingerd_port_t, port_type, reserved_port_type;
++type dhcpc_port_t, port_type, reserved_port_type;
++type ntp_port_t, port_type, reserved_port_type;
++type stunnel_port_t, port_type;
++type zebra_port_t, port_type;
++type i18n_input_port_t, port_type;
++type vnc_port_t, port_type;
++type openvpn_port_t, port_type;
++type clamd_port_t, port_type, reserved_port_type;
++type transproxy_port_t, port_type;
++type clockspeed_port_t, port_type;
++type pyzor_port_t, port_type, reserved_port_type;
++type postgrey_port_t, port_type;
++type asterisk_port_t, port_type;
++type utcpserver_port_t, port_type;
++type nessus_port_t, port_type;
++type razor_port_t, port_type;
++type distccd_port_t, port_type;
++type socks_port_t, port_type;
++type gatekeeper_port_t, port_type;
++type dcc_port_t, port_type;
++type lrrd_port_t, port_type;
++type jabber_client_port_t, port_type;
++type jabber_interserver_port_t, port_type;
++type ircd_port_t, port_type;
++type giftd_port_t, port_type;
++type soundd_port_t, port_type;
++type imaze_port_t, port_type;
++type monopd_port_t, port_type;
++# Differentiate between the port where amavisd receives mail, and the
++# port where it returns cleaned mail back to the MTA.
++type amavisd_recv_port_t, port_type;
++type amavisd_send_port_t, port_type;
++type innd_port_t, port_type, reserved_port_type;
++type snmp_port_t, port_type, reserved_port_type;
++type biff_port_t, port_type, reserved_port_type;
++type hplip_port_t, port_type;
++
++#inetd_child_ports
++
++type rlogind_port_t, port_type, reserved_port_type;
++type telnetd_port_t, port_type, reserved_port_type;
++type comsat_port_t, port_type, reserved_port_type;
++type cvs_port_t, port_type;
++type dbskkd_port_t, port_type, reserved_port_type;
++type inetd_child_port_t, port_type, reserved_port_type;
++type ktalkd_port_t, port_type, reserved_port_type;
++type rsync_port_t, port_type, reserved_port_type;
++type uucpd_port_t, port_type, reserved_port_type;
++type swat_port_t, port_type, reserved_port_type;
++type zope_port_t, port_type;
++type auth_port_t, port_type, reserved_port_type;
++
++# afs ports
++
++type afs_fs_port_t, port_type;
++type afs_pt_port_t, port_type;
++type afs_vl_port_t, port_type;
++type afs_ka_port_t, port_type;
++type afs_bos_port_t, port_type;
++
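Review bot: four of the new declarations put `reserved_port_type` on ports above 1023, going by the net_contexts entries in this patch: `ptal_port_t` (tcp 5703), `clamd_port_t` (tcp 3310), `pyzor_port_t` (udp 24441) and `dbskkd_port_t` (tcp 1178). That attribute marks ports below 1024, so any rule granting `name_bind` on `reserved_port_type` now also hands out these high ports; drop the attribute from those four. Appending the whole block after the kernel traffic rules, rather than beside the existing port type declarations near the top of the file, also makes it easy to overlook.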
 diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.18/types/security.te
 --- nsapolicy/types/security.te	2005-05-25 11:28:11.000000000 -0400
 +++ policy-1.23.18/types/security.te	2005-06-08 09:04:15.000000000 -0400


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/selinux-policy-targeted.spec,v
retrieving revision 1.315
retrieving revision 1.316
diff -u -r1.315 -r1.316
--- selinux-policy-targeted.spec	17 Jun 2005 03:45:33 -0000	1.315
+++ selinux-policy-targeted.spec	25 Jun 2005 10:42:28 -0000	1.316
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.18
-Release: 12
+Release: 17
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -118,6 +118,7 @@
 %config(noreplace) %{_sysconfdir}/selinux/%{type}/users/local.users
 %config %{_sysconfdir}/selinux/%{type}/users/system.users
 %{_sysconfdir}/selinux/%{type}/contexts/customizable_types
+%{_sysconfdir}/selinux/%{type}/contexts/port_types
 %{_mandir}/man8/*
 
 %pre
@@ -234,8 +235,24 @@
 exit 0
 
 %changelog
-* Thu Jun 16 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-12
-- Update for FC4
+* Sat Jun 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-17
+- Bump for FC4
+
+* Thu Jun 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-16
+- Fix postgres to allow it to connect to auth
+- Change cyrus-imapd to write to /var/spool/imap
+- Add Russell patches
+
+* Mon Jun 20 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-15
+- Fix pppd
+- Fix auditd
+
+* Sat Jun 18 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-14
+- Add Russell's patch for net_contexts
+
+* Fri Jun 17 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-13
+- Fix NetworkManager policy
+- Fix dovecot cert labeleing
 
 * Thu Jun 16 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-11
 - Fix NetworkManager dhcpd communications
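Review bot: typo in the 1.23.18-13 entry, `labeleing` should be `labeling`.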



