rpms/selinux-policy-strict/devel booleans, 1.11, 1.12 policy-20050516.patch, 1.8, 1.9 selinux-policy-strict.spec, 1.311, 1.312
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue May 24 19:27:08 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv26122
Modified Files:
booleans policy-20050516.patch selinux-policy-strict.spec
Log Message:
* Tue May 24 2005 Dan Walsh <dwalsh at redhat.com> 1.23.16-7
- Don't transition from sysadm_t to fsadm_t in targeted policy
- Fix sysadm_crond_tmp_t to tmpfile in targeted
- Allow kernel_t to read sysfs_t
Index: booleans
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/booleans,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- booleans 11 May 2005 12:25:14 -0000 1.11
+++ booleans 24 May 2005 19:27:06 -0000 1.12
@@ -21,4 +21,4 @@
use_nfs_home_dirs=0
allow_ypbind=0
allow_kerberos=1
-allow_write_xhm=1
+allow_write_xshm=1
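Review bot: Correcting the key to `allow_write_xshm` presumably makes this line take effect for the first time, so the shipped default for this boolean changes from whatever the policy declared to `1` here; confirm that enabling it is the intended default for the strict policy rather than only a spelling fix. If the old misspelled key was silently ignored (cannot be confirmed from this diff), the changelog entry should mention the effective default change, e.g. `- Fix allow_write_xshm boolean name so the default of 1 is applied`.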
policy-20050516.patch:
Makefile | 4 +-
assert.te | 8 -----
attrib.te | 18 +++++++++++
constraints | 4 ++
domains/misc/kernel.te | 4 +-
domains/program/crond.te | 2 -
domains/program/fsadm.te | 4 +-
domains/program/init.te | 2 -
domains/program/initrc.te | 9 +++--
domains/program/klogd.te | 2 -
domains/program/ldconfig.te | 2 -
domains/program/modutil.te | 7 ++--
domains/program/mount.te | 28 +-----------------
domains/program/passwd.te | 3 +
domains/program/restorecon.te | 4 +-
domains/program/setfiles.te | 10 +++---
domains/program/ssh.te | 2 +
domains/program/syslogd.te | 10 +-----
domains/program/unused/amanda.te | 4 +-
domains/program/unused/amavis.te | 2 -
domains/program/unused/anaconda.te | 6 +++
domains/program/unused/apache.te | 28 +++++++++---------
domains/program/unused/apmd.te | 3 +
domains/program/unused/auditd.te | 14 +++++----
domains/program/unused/automount.te | 8 +++--
domains/program/unused/bluetooth.te | 4 +-
domains/program/unused/cups.te | 38 ++++++++++++++++--------
domains/program/unused/ddcprobe.te | 42 +++++++++++++++++++++++++++
domains/program/unused/dhcpd.te | 2 -
domains/program/unused/dovecot.te | 3 -
domains/program/unused/firstboot.te | 7 +++-
domains/program/unused/fontconfig.te | 7 ++++
domains/program/unused/ftpd.te | 6 ++-
domains/program/unused/gpg.te | 2 -
domains/program/unused/hald.te | 8 +----
domains/program/unused/hotplug.te | 4 +-
domains/program/unused/kudzu.te | 2 -
domains/program/unused/lpd.te | 2 -
domains/program/unused/lvm.te | 22 +++++++++++---
domains/program/unused/mrtg.te | 2 -
domains/program/unused/mta.te | 1
domains/program/unused/mysqld.te | 2 -
domains/program/unused/nx_server.te | 2 -
domains/program/unused/pamconsole.te | 1
domains/program/unused/pppd.te | 2 -
domains/program/unused/procmail.te | 3 +
domains/program/unused/qmail.te | 18 +++++------
domains/program/unused/rhgb.te | 3 -
domains/program/unused/rpcd.te | 3 +
domains/program/unused/rshd.te | 2 -
domains/program/unused/samba.te | 4 +-
domains/program/unused/saslauthd.te | 3 -
domains/program/unused/slapd.te | 5 +--
domains/program/unused/snmpd.te | 5 +--
domains/program/unused/snort.te | 4 +-
domains/program/unused/sxid.te | 2 -
domains/program/unused/udev.te | 1
domains/program/unused/uml_net.te | 2 -
domains/program/unused/winbind.te | 2 -
domains/program/unused/xauth.te | 2 -
domains/program/unused/xdm.te | 21 +++++++------
domains/program/unused/xfs.te | 5 +--
domains/program/unused/yam.te | 2 -
domains/user.te | 6 +++
file_contexts/distros.fc | 1
file_contexts/program/bluetooth.fc | 3 +
file_contexts/program/cups.fc | 1
file_contexts/program/ddcprobe.fc | 1
file_contexts/program/dovecot.fc | 1
file_contexts/program/fontconfig.fc | 2 +
file_contexts/program/initrc.fc | 6 +++
file_contexts/program/lvm.fc | 2 +
file_contexts/program/ntpd.fc | 4 +-
file_contexts/program/traceroute.fc | 3 -
file_contexts/types.fc | 33 ++++++++++++++-------
macros/admin_macros.te | 15 +--------
macros/base_user_macros.te | 16 +++++++++-
macros/global_macros.te | 42 ++++++++++++++++-----------
macros/program/apache_macros.te | 2 -
macros/program/chkpwd_macros.te | 1
macros/program/fontconfig_macros.te | 24 +++++++++++++++
macros/program/gift_macros.te | 6 ++-
macros/program/gpg_agent_macros.te | 2 -
macros/program/irc_macros.te | 2 -
macros/program/java_macros.te | 8 +----
macros/program/mozilla_macros.te | 54 +++++++++++++++++++++--------------
macros/program/mplayer_macros.te | 47 +++++++++++++++++++++---------
macros/program/userhelper_macros.te | 2 -
macros/program/x_client_macros.te | 2 -
man/man8/ftpd_selinux.8 | 2 -
man/man8/httpd_selinux.8 | 2 -
man/man8/kerberos_selinux.8 | 4 +-
man/man8/named_selinux.8 | 2 -
man/man8/rsync_selinux.8 | 2 -
man/man8/samba_selinux.8 | 2 -
net_contexts | 2 -
targeted/assert.te | 2 -
targeted/domains/program/crond.te | 2 -
targeted/domains/unconfined.te | 5 +++
tunables/distro.tun | 2 -
tunables/tunable.tun | 4 +-
types/device.te | 2 -
types/devpts.te | 2 -
types/file.te | 38 ++++++++++++------------
types/network.te | 1
types/nfs.te | 2 -
types/procfs.te | 4 +-
types/security.te | 12 +++----
108 files changed, 507 insertions(+), 305 deletions(-)
Index: policy-20050516.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050516.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20050516.patch 20 May 2005 18:53:29 -0000 1.8
+++ policy-20050516.patch 24 May 2005 19:27:06 -0000 1.9
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.16/assert.te
--- nsapolicy/assert.te 2005-04-27 10:28:48.000000000 -0400
-+++ policy-1.23.16/assert.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/assert.te 2005-05-23 16:45:33.000000000 -0400
@@ -75,13 +75,7 @@
#
# Verify that /proc/kmsg is only accessible to klogd.
@@ -18,7 +18,7 @@
# Verify that /proc/kcore is inaccessible.
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.16/attrib.te
--- nsapolicy/attrib.te 2005-05-07 00:41:08.000000000 -0400
-+++ policy-1.23.16/attrib.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/attrib.te 2005-05-23 16:45:33.000000000 -0400
@@ -121,6 +121,13 @@
# tagged with this attribute.
attribute privmem;
@@ -60,7 +60,7 @@
# used in TE rules and assertions that should be applied to all
diff --exclude-from=exclude -N -u -r nsapolicy/constraints policy-1.23.16/constraints
--- nsapolicy/constraints 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.16/constraints 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/constraints 2005-05-23 16:45:33.000000000 -0400
@@ -61,6 +61,10 @@
')
ifdef(`userhelper.te',
@@ -72,9 +72,23 @@
or (t1 == priv_system_role and r2 == system_r )
);
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.16/domains/misc/kernel.te
+--- nsapolicy/domains/misc/kernel.te 2005-05-07 00:41:08.000000000 -0400
++++ policy-1.23.16/domains/misc/kernel.te 2005-05-24 11:50:19.000000000 -0400
+@@ -22,8 +22,8 @@
+ # Use capabilities.
+ allow kernel_t self:capability *;
+
+-allow kernel_t sysfs_t:dir search;
+-allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
++r_dir_file(kernel_t, sysfs_t)
++allow kernel_t { usbfs_t usbdevfs_t }:dir search;
+
+ # Run init in the init_t domain.
+ domain_auto_trans(kernel_t, init_exec_t, init_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.16/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-04-27 10:28:48.000000000 -0400
-+++ policy-1.23.16/domains/program/crond.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/crond.te 2005-05-23 16:45:33.000000000 -0400
@@ -37,7 +37,7 @@
# read files in /etc
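Review bot: `r_dir_file(kernel_t, sysfs_t)` in the new kernel.te hunk widens kernel_t from `dir search` to read access on both directories and files under sysfs, which is more than either removed line granted, and nothing next to the rule says what needs it. A one-line why-comment above it would keep the rationale with the rule, e.g. `# kernel_t reads sysfs attributes (not just search); see 1.23.16-7 changelog`, since the changelog only states the outcome. The dropped `allow kernel_t sysfs_t:dir search;` was already covered by the set rule on the next line, so the remaining `allow kernel_t { usbfs_t usbdevfs_t }:dir search;` loses nothing.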
@@ -86,7 +100,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.16/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/fsadm.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/fsadm.te 2005-05-24 11:38:39.000000000 -0400
@@ -29,6 +29,7 @@
# for /dev/shm
@@ -95,9 +109,20 @@
base_file_read_access(fsadm_t)
+@@ -46,8 +47,9 @@
+
+ type fsadm_exec_t, file_type, sysadmfile, exec_type;
+ domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
+-
++')
+ tmp_domain(fsadm)
+
+ # remount file system to apply changes
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.16/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-05-16 11:28:11.000000000 -0400
-+++ policy-1.23.16/domains/program/initrc.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/initrc.te 2005-05-23 16:45:33.000000000 -0400
@@ -131,7 +131,7 @@
# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
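Review bot: The new `ifdef(`targeted_policy', `', `` wrapper in the fsadm.te hunk drops the sysadm_t to fsadm_t transition without saying why, so a maintainer reading fsadm.te later has to find this changelog entry to understand it. Add a comment inside the wrapper such as `# targeted: sysadm_t runs fsadm tools in its own domain, no fsadm_t transition` (presumably because sysadm_t is not a confined admin domain in targeted; confirm). Note the `')` now occupies the blank line that separated the transition from `tmp_domain(fsadm)`, which is harmless but worth keeping a blank after for readability; the enclosing fsadm.te section continues outside this hunk.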
@@ -133,7 +158,7 @@
# allow start scripts to clean /tmp
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.16/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/init.te 2005-05-19 09:58:14.000000000 -0400
++++ policy-1.23.16/domains/program/init.te 2005-05-23 16:45:33.000000000 -0400
@@ -142,6 +142,6 @@
# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write };
@@ -144,7 +169,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.16/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/klogd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/klogd.te 2005-05-23 16:45:33.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the klogd_t domain.
@@ -156,7 +181,7 @@
allow klogd_t proc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.23.16/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.16/domains/program/ldconfig.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/ldconfig.te 2005-05-23 16:45:33.000000000 -0400
@@ -39,7 +39,7 @@
')
@@ -168,7 +193,7 @@
dontaudit ldconfig_t unconfined_t:tcp_socket { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.16/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/modutil.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/modutil.te 2005-05-23 16:45:33.000000000 -0400
@@ -30,7 +30,9 @@
domain_auto_trans(initrc_t, depmod_exec_t, depmod_t)
allow depmod_t { bin_t sbin_t }:dir search;
@@ -204,7 +229,7 @@
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.16/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/mount.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/mount.te 2005-05-23 16:45:33.000000000 -0400
@@ -37,29 +37,9 @@
# Mount, remount and unmount file systems.
@@ -251,7 +276,7 @@
dontaudit mount_t root_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.23.16/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.16/domains/program/passwd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/passwd.te 2005-05-23 16:45:33.000000000 -0400
@@ -145,6 +145,7 @@
# make sure that getcon succeeds
@@ -263,7 +288,7 @@
+allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.16/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/restorecon.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/restorecon.te 2005-05-23 16:45:33.000000000 -0400
@@ -51,8 +51,8 @@
allow restorecon_t fs_t:filesystem getattr;
allow restorecon_t fs_type:dir r_dir_perms;
@@ -277,7 +302,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.23.16/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-05-16 11:28:11.000000000 -0400
-+++ policy-1.23.16/domains/program/setfiles.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/setfiles.te 2005-05-23 16:45:33.000000000 -0400
@@ -19,6 +19,9 @@
role sysadm_r types setfiles_t;
role secadm_r types setfiles_t;
@@ -311,7 +336,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.16/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.16/domains/program/ssh.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/ssh.te 2005-05-23 16:45:33.000000000 -0400
@@ -229,3 +229,5 @@
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
@@ -320,7 +345,7 @@
+allow sshd_t sbin_t:file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.16/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.16/domains/program/syslogd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/syslogd.te 2005-05-23 16:45:33.000000000 -0400
@@ -14,9 +14,9 @@
# by syslogd.
#
@@ -358,7 +383,7 @@
-}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.16/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/amanda.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/amanda.te 2005-05-23 16:45:33.000000000 -0400
@@ -303,11 +303,11 @@
allow amanda_t file_type:dir {getattr read search };
@@ -375,7 +400,7 @@
dontaudit amanda_t proc_t:dir read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.16/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/amavis.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/amavis.te 2005-05-23 16:45:33.000000000 -0400
@@ -23,7 +23,7 @@
daemon_domain(amavisd)
tmp_domain(amavisd)
@@ -387,7 +412,7 @@
allow initrc_t amavisd_var_run_t:dir setattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.23.16/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/anaconda.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/anaconda.te 2005-05-23 16:45:33.000000000 -0400
@@ -17,13 +17,17 @@
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
@@ -415,7 +440,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.16/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/apache.te 2005-05-19 07:29:44.000000000 -0400
++++ policy-1.23.16/domains/program/unused/apache.te 2005-05-23 16:45:33.000000000 -0400
@@ -54,15 +54,6 @@
#
type httpd_config_t, file_type, sysadmfile;
@@ -481,7 +506,7 @@
# Permissions for running child processes and scripts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.16/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/apmd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/apmd.te 2005-05-23 16:45:33.000000000 -0400
@@ -32,6 +32,8 @@
allow apmd_t device_t:lnk_file read;
allow apmd_t proc_t:file { getattr read };
@@ -501,8 +526,17 @@
var_lib_domain(apmd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.16/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/auditd.te 2005-05-18 15:50:12.000000000 -0400
-@@ -23,12 +23,10 @@
++++ policy-1.23.16/domains/program/unused/auditd.te 2005-05-23 16:45:33.000000000 -0400
+@@ -15,6 +15,8 @@
+ allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+ allow auditd_t self:unix_dgram_socket create_socket_perms;
+ allow auditd_t self:capability { audit_write audit_control sys_nice };
++allow auditd_t self:process setsched;
++allow auditd_t self:file { getattr read };
+ allow auditd_t etc_t:file { getattr read };
+
+ # Do not use logdir_domain since this is a security file
+@@ -23,12 +25,10 @@
rw_dir_create_file(auditd_t, auditd_log_t)
can_exec(auditd_t, init_exec_t)
@@ -516,22 +550,38 @@
uses_shlib(auditctl_t)
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditctl_t self:capability { audit_write audit_control };
-@@ -53,7 +51,11 @@
+@@ -37,15 +37,17 @@
+
+ type auditd_etc_t, file_type, secure_file_type;
+ allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
++allow initrc_t auditd_etc_t:file r_file_perms;
+
+ role secadm_r types auditctl_t;
+ role sysadm_r types auditctl_t;
+ audit_manager_domain(secadm_t)
+
++ifdef(`targeted_policy', `', `
+ ifdef(`separate_secadm', `', `
+ audit_manager_domain(sysadm_t)
++')
+ ')
+-allow initrc_t auditd_etc_t:file r_file_perms;
+
+ role system_r types auditctl_t;
+ domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
+@@ -53,7 +55,7 @@
dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
-allow auditctl_t sysctl_kernel_t:file read;
+-allow auditd_t self:process setsched;
+allow auditctl_t sysctl_kernel_t:file { getattr read };
- allow auditd_t self:process setsched;
dontaudit auditctl_t init_t:fd use;
allow auditctl_t initrc_devpts_t:chr_file { read write };
-+allow auditd_t self:file { getattr read };
-+ifdef(`rpm.te', `
-+allow auditctl_t rpm_script_t:fd use;
-+')
++allow auditctl_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.16/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/automount.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/automount.te 2005-05-23 16:45:33.000000000 -0400
@@ -25,7 +25,7 @@
allow automount_t { etc_t etc_runtime_t }:file { getattr read };
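Review bot: `allow auditctl_t privfd:fd use;` at the end of the auditd.te hunk replaces the old `ifdef(`rpm.te', `allow auditctl_t rpm_script_t:fd use;')`, so auditctl may now inherit descriptors from every domain carrying the privfd attribute rather than from rpm scriptlets only; that is a broader grant than the changelog describes and deserves a comment naming the callers it is meant for, e.g. `# auditctl is invoked from rpm scriptlets and other privfd domains; allow inherited fds`. The `ifdef(`targeted_policy', `', `` wrap around `audit_manager_domain(sysadm_t)` mirrors the fsadm.te change in this commit and reads consistently with the existing `separate_secadm` nesting. Moving `allow auditd_t self:process setsched;` out of the auditctl_t section (removed in the `@@ -53,7 +55,7 @@` hunk, added in the `@@ -15,6 +15,8 @@` hunk of the previous outer hunk) fixes a misplaced rule; the auditd.te section continues outside this hunk.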
@@ -560,7 +610,7 @@
+allow bluetooth_t usbfs_t:dir read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.23.16/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/bluetooth.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/bluetooth.te 2005-05-23 16:45:33.000000000 -0400
@@ -39,4 +39,6 @@
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
@@ -571,8 +621,8 @@
+allow bluetooth_t usbfs_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.16/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/cups.te 2005-05-19 10:56:19.000000000 -0400
-@@ -11,7 +11,6 @@
++++ policy-1.23.16/domains/program/unused/cups.te 2005-05-23 17:03:34.000000000 -0400
+@@ -11,13 +11,11 @@
# cupsd_t is the domain of cupsd.
# cupsd_exec_t is the type of the cupsd executable.
#
@@ -580,7 +630,13 @@
daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
etcdir_domain(cupsd)
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
-@@ -82,6 +81,11 @@
+
+ can_network(cupsd_t)
+-can_ypbind(cupsd_t)
+ allow cupsd_t port_type:tcp_socket name_connect;
+ logdir_domain(cupsd)
+
+@@ -82,6 +80,11 @@
allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
dontaudit cupsd_t self:capability net_admin;
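Review bot: Removing `can_ypbind(cupsd_t)` in the cups.te hunk leaves cupsd_t without NIS access while `can_ypbind(cupsd_config_t)` is kept later in the same file, and the changelog does not mention cups at all. cupsd_t is declared with `auth_chkpwd, nscd_client_domain`, so password lookups presumably go through the checkpwd helper and nscd rather than ypbind directly; if that is the reason, a short comment or changelog line such as `- Drop can_ypbind from cupsd_t; lookups go via auth_chkpwd/nscd` would record it. Confirm against a NIS-backed host that printer authentication still succeeds.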
@@ -592,7 +648,7 @@
allow cupsd_t self:process setsched;
# for /var/lib/defoma
-@@ -111,7 +115,7 @@
+@@ -111,7 +114,7 @@
can_exec(cupsd_t, { shell_exec_t bin_t sbin_t })
# They will also invoke ghostscript, which needs to read fonts
@@ -601,7 +657,30 @@
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
allow cupsd_t lib_t:file { read getattr };
-@@ -173,8 +177,6 @@
+@@ -144,12 +147,12 @@
+ etcdir_domain(ptal)
+
+ file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
+-allow ptal_t self:capability chown;
++allow ptal_t self:capability { chown sys_rawio };
+ allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+ allow ptal_t self:unix_stream_socket { listen accept };
+ allow ptal_t self:fifo_file rw_file_perms;
+ allow ptal_t device_t:dir read;
+-allow ptal_t printer_device_t:chr_file { ioctl read write };
++allow ptal_t printer_device_t:chr_file rw_file_perms;
+ allow initrc_t printer_device_t:chr_file getattr;
+ allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
+ r_dir_file(ptal_t, usbdevfs_t)
+@@ -162,6 +165,7 @@
+ allow initrc_t ptal_var_run_t:dir rmdir;
+ allow initrc_t ptal_var_run_t:fifo_file unlink;
+
++
+ dontaudit cupsd_t selinux_config_t:dir search;
+ dontaudit cupsd_t selinux_config_t:file { getattr read };
+
+@@ -173,12 +177,11 @@
allow cupsd_t userdomain:dbus send_msg;
')
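Review bot: `allow ptal_t self:capability { chown sys_rawio };` in the new `@@ -144,12 +147,12 @@` hunk grants ptal_t CAP_SYS_RAWIO, which on Linux permits raw port and raw device I/O, a considerably stronger privilege than the chown it sits next to; a why-comment should accompany it, e.g. `# sys_rawio: ptal drives the parallel port directly (ioperm/iopl); confirm no narrower permission suffices`. The widening of printer_device_t from `{ ioctl read write }` to `rw_file_perms` is minor by comparison and fine. The added `@@ -162,6 +165,7 @@` hunk inserts only a blank line into cups.te; that is whitespace noise in the patch that shifts every later hunk offset by one and could simply be dropped.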
@@ -610,7 +689,12 @@
# CUPS configuration daemon
daemon_domain(cupsd_config)
-@@ -202,6 +204,7 @@
+ allow cupsd_config_t devpts_t:dir search;
++allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
+
+ ifdef(`distro_redhat', `
+ ifdef(`rpm.te', `
+@@ -202,6 +205,7 @@
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
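Review bot: `allow cupsd_config_t devpts_t:chr_file { getattr ioctl };` in this cups.te hunk grants access to any pty rather than to the ones cupsd_config_t inherits, and nothing nearby says which code path needs it. If this only silences isatty-style probing of an inherited terminal, `dontaudit cupsd_config_t devpts_t:chr_file { getattr ioctl };` is the narrower choice; if the terminal is genuinely used, keep the allow and add a comment such as `# cupsd_config (system-config-printer helpers) probes its controlling pty`. The enclosing cupsd_config_t section continues outside this hunk.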
@@ -618,7 +702,7 @@
can_network_tcp(cupsd_config_t)
can_ypbind(cupsd_config_t)
-@@ -214,13 +217,23 @@
+@@ -214,13 +218,23 @@
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
allow cupsd_config_t system_dbusd_t:dbus { send_msg acquire_svc };
@@ -644,7 +728,7 @@
can_exec(cupsd_config_t, { bin_t sbin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(cupsd_t, hostname_exec_t)
-@@ -241,7 +254,6 @@
+@@ -241,7 +255,6 @@
allow cupsd_config_t urandom_device_t:chr_file { getattr read };
@@ -652,7 +736,7 @@
ifdef(`logrotate.te', `
allow cupsd_config_t logrotate_t:fd use;
')dnl end if logrotate.te
-@@ -252,10 +264,11 @@
+@@ -252,10 +265,11 @@
# Alternatives asks for this
allow cupsd_config_t initrc_exec_t:file getattr;
@@ -668,7 +752,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddcprobe.te policy-1.23.16/domains/program/unused/ddcprobe.te
--- nsapolicy/domains/program/unused/ddcprobe.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.16/domains/program/unused/ddcprobe.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/ddcprobe.te 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,42 @@
+#DESC ddcprobe - output ddcprobe results from kudzu
+#
@@ -714,7 +798,7 @@
+allow ddcprobe_t kernel_t:system syslog_console;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.23.16/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/dhcpd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/dhcpd.te 2005-05-23 16:45:33.000000000 -0400
@@ -15,7 +15,7 @@
# dhcpd_exec_t is the type of the dhcpdd executable.
# The dhcpd_t can be used for other DHCPC related files as well.
@@ -726,7 +810,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.16/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/dovecot.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/dovecot.te 2005-05-23 16:56:02.000000000 -0400
@@ -34,8 +34,7 @@
allow dovecot_t pop_port_t:tcp_socket name_bind;
allow dovecot_t urandom_device_t:chr_file { getattr read };
@@ -739,7 +823,7 @@
allow dovecot_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.23.16/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/firstboot.te 2005-05-20 14:48:43.000000000 -0400
++++ policy-1.23.16/domains/program/unused/firstboot.te 2005-05-23 16:45:33.000000000 -0400
@@ -10,7 +10,7 @@
#
# firstboot_exec_t is the type of the firstboot executable.
@@ -770,7 +854,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fontconfig.te policy-1.23.16/domains/program/unused/fontconfig.te
--- nsapolicy/domains/program/unused/fontconfig.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.16/domains/program/unused/fontconfig.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/fontconfig.te 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,7 @@
+#
+# Fontconfig related types
@@ -781,7 +865,7 @@
+# Look in fontconfig_macros.te
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.23.16/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/ftpd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/ftpd.te 2005-05-23 16:45:33.000000000 -0400
@@ -9,7 +9,7 @@
#
# Rules for the ftpd_t domain
@@ -811,7 +895,7 @@
r_dir_file(ftpd_t, nfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpg.te policy-1.23.16/domains/program/unused/gpg.te
--- nsapolicy/domains/program/unused/gpg.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/gpg.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/gpg.te 2005-05-23 16:45:33.000000000 -0400
@@ -8,7 +8,7 @@
type gpg_exec_t, file_type, sysadmfile, exec_type;
type gpg_helper_exec_t, file_type, sysadmfile, exec_type;
@@ -823,7 +907,7 @@
# Allow gpg exec stack
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.16/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/hald.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/hald.te 2005-05-23 16:45:33.000000000 -0400
@@ -36,7 +36,7 @@
allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -848,7 +932,7 @@
allow hald_t initrc_t:dbus send_msg;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.16/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/hotplug.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/hotplug.te 2005-05-23 16:45:33.000000000 -0400
@@ -29,7 +29,7 @@
# get info from /proc
@@ -869,7 +953,7 @@
allow hotplug_t udev_runtime_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.16/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-05-16 11:28:12.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/kudzu.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/kudzu.te 2005-05-23 16:45:33.000000000 -0400
@@ -26,7 +26,6 @@
allow kudzu_t mouse_device_t:chr_file { read write };
allow kudzu_t proc_net_t:dir r_dir_perms;
@@ -885,7 +969,7 @@
+allow kudzu_t net_conf_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.23.16/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/lpd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/lpd.te 2005-05-23 16:45:33.000000000 -0400
@@ -20,7 +20,7 @@
allow lpd_t lpd_var_run_t:sock_file create_file_perms;
@@ -897,7 +981,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.16/domains/program/unused/lvm.te
--- nsapolicy/domains/program/unused/lvm.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/lvm.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/lvm.te 2005-05-23 16:45:33.000000000 -0400
@@ -18,7 +18,6 @@
type lvm_metadata_t, file_type, sysadmfile;
type lvm_control_t, device_type, dev_fs;
@@ -954,7 +1038,7 @@
+dontaudit clvmd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.23.16/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/mrtg.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/mrtg.te 2005-05-23 16:45:33.000000000 -0400
@@ -81,7 +81,7 @@
# for uptime
@@ -966,7 +1050,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.16/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/mta.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/mta.te 2005-05-23 16:45:33.000000000 -0400
@@ -23,6 +23,7 @@
# targeted policy. We could move these rules permanantly here.
ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
@@ -977,7 +1061,7 @@
allow system_mail_t { var_t var_spool_t }:dir getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.16/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/mysqld.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/mysqld.te 2005-05-23 16:45:33.000000000 -0400
@@ -35,7 +35,7 @@
allow initrc_t mysqld_log_t:file { write append setattr ioctl };
@@ -989,7 +1073,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nx_server.te policy-1.23.16/domains/program/unused/nx_server.te
--- nsapolicy/domains/program/unused/nx_server.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/nx_server.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/nx_server.te 2005-05-23 16:45:33.000000000 -0400
@@ -51,7 +51,7 @@
allow nx_server_t devtty_t:chr_file { read write };
@@ -1001,7 +1085,7 @@
# but users need to be able to also read the config
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.16/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/pamconsole.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/pamconsole.te 2005-05-23 16:45:33.000000000 -0400
@@ -46,4 +46,5 @@
allow pam_console_t xdm_var_run_t:file { getattr read };
')
@@ -1010,7 +1094,7 @@
allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.23.16/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/pppd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/pppd.te 2005-05-23 16:45:33.000000000 -0400
@@ -46,7 +46,7 @@
ifdef(`postfix.te', `
allow pppd_t postfix_etc_t:dir search;
@@ -1022,7 +1106,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.23.16/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/procmail.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/procmail.te 2005-05-23 16:45:33.000000000 -0400
@@ -57,6 +57,9 @@
# for spamassasin
@@ -1035,7 +1119,7 @@
allow procmail_t var_run_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/qmail.te policy-1.23.16/domains/program/unused/qmail.te
--- nsapolicy/domains/program/unused/qmail.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/qmail.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/qmail.te 2005-05-23 16:45:33.000000000 -0400
@@ -82,7 +82,7 @@
allow qmail_rspawn_t { bin_t sbin_t }:dir search;
@@ -1101,18 +1185,8 @@
can_ypbind(qmail_serialmail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.23.16/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/rhgb.te 2005-05-18 15:50:12.000000000 -0400
-@@ -43,9 +43,6 @@
- allow rhgb_t port_type:tcp_socket name_connect;
- can_ypbind(rhgb_t)
-
--# for fonts
--allow rhgb_t usr_t:{ file lnk_file } { getattr read };
--
- # for running setxkbmap
- r_dir_file(rhgb_t, xkb_var_lib_t)
-
-@@ -68,8 +65,7 @@
++++ policy-1.23.16/domains/program/unused/rhgb.te 2005-05-23 16:45:33.000000000 -0400
+@@ -68,8 +68,7 @@
tmpfs_domain(rhgb)
allow xdm_xserver_t rhgb_tmpfs_t:file { read write };
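Review bot: Keeping `allow rhgb_t usr_t:{ file lnk_file } { getattr read };` in place (the earlier hunk that deleted it is dropped here) leaves rhgb_t with read access to everything typed usr_t, not only the font files the `# for fonts` comment describes. If the system font directories carry a narrower type in this policy that type would be the better target; if they are plain usr_t, the comment should say so, e.g. `# for fonts (system fonts under /usr/share are usr_t, no narrower type available)`. Whether a fonts-specific type exists for /usr/share cannot be confirmed from this hunk.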
@@ -1124,7 +1198,7 @@
dontaudit rhgb_t var_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.16/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/rpcd.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/rpcd.te 2005-05-23 16:45:33.000000000 -0400
@@ -140,3 +140,6 @@
r_dir_file(gssd_t, proc_net_t)
allow gssd_t rpc_pipefs_t:dir r_dir_perms;
@@ -1132,9 +1206,21 @@
+allow gssd_t rpc_pipefs_t:file r_file_perms;
+allow gssd_t self:capability setuid;
+
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.23.16/domains/program/unused/rshd.te
+--- nsapolicy/domains/program/unused/rshd.te 2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.16/domains/program/unused/rshd.te 2005-05-23 17:04:20.000000000 -0400
+@@ -25,8 +25,6 @@
+ can_network_server(rshd_t)
+ allow rshd_t rsh_port_t:tcp_socket name_bind;
+
+-can_ypbind(rshd_t)
+-
+ allow rshd_t etc_t:file { getattr read };
+ read_locale(rshd_t)
+ allow rshd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.16/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/samba.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/samba.te 2005-05-23 16:45:33.000000000 -0400
@@ -46,7 +46,8 @@
allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
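Review bot: Dropping `can_ypbind(rshd_t)` removes rshd_t's NIS client access with no replacement in this file, so if rshd_t authenticates users against a NIS-backed passwd map it will now see denials on the ypbind/portmap ports unless it obtains that access another way (for example through the `auth_chkpwd` attribute, which this hunk does not show rshd_t carrying). Please confirm rshd_t is an auth_chkpwd domain, or record at the removal site where the access now comes from, e.g. `# NIS lookups now granted through the auth_chkpwd attribute in chkpwd_macros.te`. The surrounding rshd_t rules (`can_network_server`, `name_bind` on rsh_port_t) are unchanged and continue outside the hunk.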
@@ -1155,8 +1241,16 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.23.16/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/saslauthd.te 2005-05-18 15:50:12.000000000 -0400
-@@ -15,7 +15,7 @@
++++ policy-1.23.16/domains/program/unused/saslauthd.te 2005-05-23 16:55:43.000000000 -0400
+@@ -4,7 +4,6 @@
+ #
+
+ daemon_domain(saslauthd, `, auth_chkpwd')
+-
+ allow saslauthd_t self:fifo_file { read write };
+ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+ allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -15,7 +14,7 @@
allow saslauthd_t net_conf_t:file r_file_perms;
allow saslauthd_t self:file r_file_perms;
@@ -1167,7 +1261,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.23.16/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te 2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/slapd.te 2005-05-19 10:23:01.000000000 -0400
++++ policy-1.23.16/domains/program/unused/slapd.te 2005-05-23 16:45:33.000000000 -0400
@@ -31,7 +31,7 @@
can_tcp_connect(domain, slapd_t)
@@ -1193,7 +1287,7 @@
+r_dir_file(slapd_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.23.16/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/snmpd.te 2005-05-19 11:34:15.000000000 -0400
++++ policy-1.23.16/domains/program/unused/snmpd.te 2005-05-23 16:45:33.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the snmpd_t domain.
@@ -1214,7 +1308,7 @@
dontaudit snmpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snort.te policy-1.23.16/domains/program/unused/snort.te
--- nsapolicy/domains/program/unused/snort.te 2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/snort.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/snort.te 2005-05-23 16:45:33.000000000 -0400
@@ -28,6 +28,6 @@
allow snort_t self:unix_stream_socket create_socket_perms;
@@ -1226,7 +1320,7 @@
+dontaudit snort_t { etc_runtime_t proc_t }:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sxid.te policy-1.23.16/domains/program/unused/sxid.te
--- nsapolicy/domains/program/unused/sxid.te 2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/sxid.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/sxid.te 2005-05-23 16:45:33.000000000 -0400
@@ -31,7 +31,7 @@
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
allow sxid_t ttyfile:chr_file getattr;
@@ -1238,7 +1332,7 @@
# Use the network.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.16/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-05-07 00:41:10.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/udev.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/udev.te 2005-05-23 16:45:33.000000000 -0400
@@ -142,3 +142,4 @@
ifdef(`unlimitedUtils', `
unconfined_domain(udev_t)
@@ -1246,7 +1340,7 @@
+dontaudit hostname_t udev_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uml_net.te policy-1.23.16/domains/program/unused/uml_net.te
--- nsapolicy/domains/program/unused/uml_net.te 2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/uml_net.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/uml_net.te 2005-05-23 16:45:33.000000000 -0400
@@ -15,7 +15,7 @@
uses_shlib(uml_net_t)
allow uml_net_t devtty_t:chr_file { read write };
@@ -1258,7 +1352,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.16/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/winbind.te 2005-05-19 07:32:26.000000000 -0400
++++ policy-1.23.16/domains/program/unused/winbind.te 2005-05-23 16:45:33.000000000 -0400
@@ -8,7 +8,7 @@
# Declarations for winbind
#
@@ -1270,7 +1364,7 @@
allow winbind_t etc_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xauth.te policy-1.23.16/domains/program/unused/xauth.te
--- nsapolicy/domains/program/unused/xauth.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/xauth.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/xauth.te 2005-05-23 16:45:33.000000000 -0400
@@ -9,7 +9,5 @@
#
type xauth_exec_t, file_type, sysadmfile, exec_type;
@@ -1281,7 +1375,7 @@
# macros/program/xauth_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.16/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-05-07 00:41:11.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/xdm.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/xdm.te 2005-05-23 16:45:33.000000000 -0400
@@ -78,7 +78,7 @@
allow unpriv_userdomain xdm_xserver_t:unix_stream_socket connectto;
allow unpriv_userdomain xdm_xserver_t:shm r_shm_perms;
@@ -1354,7 +1448,7 @@
#
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xfs.te policy-1.23.16/domains/program/unused/xfs.te
--- nsapolicy/domains/program/unused/xfs.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/xfs.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/xfs.te 2005-05-23 16:45:33.000000000 -0400
@@ -37,9 +37,8 @@
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
allow xfs_t self:unix_dgram_socket create_socket_perms;
@@ -1369,7 +1463,7 @@
allow initrc_t xfs_tmp_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yam.te policy-1.23.16/domains/program/unused/yam.te
--- nsapolicy/domains/program/unused/yam.te 2005-05-06 16:46:27.000000000 -0400
-+++ policy-1.23.16/domains/program/unused/yam.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/program/unused/yam.te 2005-05-23 16:45:33.000000000 -0400
@@ -125,7 +125,7 @@
allow yam_crond_t default_t:dir search;
@@ -1381,7 +1475,7 @@
##########
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.16/domains/user.te
--- nsapolicy/domains/user.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.16/domains/user.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/domains/user.te 2005-05-23 16:45:33.000000000 -0400
@@ -78,6 +78,12 @@
dontaudit $1_su_t { sysadm_home_t staff_home_t }:dir rw_dir_perms;
dontaudit $1_su_t { sysadm_home_t staff_home_t }:file create_file_perms;
@@ -1397,7 +1491,7 @@
# Privileged user domain
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.16/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-05-07 00:41:12.000000000 -0400
-+++ policy-1.23.16/file_contexts/distros.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/distros.fc 2005-05-23 16:45:33.000000000 -0400
@@ -1,6 +1,7 @@
ifdef(`distro_redhat', `
/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
@@ -1408,7 +1502,7 @@
/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.23.16/file_contexts/program/bluetooth.fc
--- nsapolicy/file_contexts/program/bluetooth.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.16/file_contexts/program/bluetooth.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/bluetooth.fc 2005-05-23 16:45:33.000000000 -0400
@@ -4,4 +4,5 @@
/usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
@@ -1418,7 +1512,7 @@
+/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.16/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2005-05-07 00:41:12.000000000 -0400
-+++ policy-1.23.16/file_contexts/program/cups.fc 2005-05-19 13:13:28.000000000 -0400
++++ policy-1.23.16/file_contexts/program/cups.fc 2005-05-23 16:45:33.000000000 -0400
@@ -35,3 +35,4 @@
/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
@@ -1426,12 +1520,12 @@
+/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ddcprobe.fc policy-1.23.16/file_contexts/program/ddcprobe.fc
--- nsapolicy/file_contexts/program/ddcprobe.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.16/file_contexts/program/ddcprobe.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/ddcprobe.fc 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1 @@
+/usr/sbin/ddcprobe -- system_u:object_r:ddcprobe_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.23.16/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc 2005-03-21 22:32:19.000000000 -0500
-+++ policy-1.23.16/file_contexts/program/dovecot.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/dovecot.fc 2005-05-23 16:45:33.000000000 -0400
@@ -10,6 +10,7 @@
')
/usr/share/ssl/certs/dovecot\.pem -- system_u:object_r:dovecot_cert_t
@@ -1442,13 +1536,13 @@
/var/spool/dovecot(/.*)? system_u:object_r:dovecot_spool_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fontconfig.fc policy-1.23.16/file_contexts/program/fontconfig.fc
--- nsapolicy/file_contexts/program/fontconfig.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.16/file_contexts/program/fontconfig.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/fontconfig.fc 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,2 @@
+HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t
+HOME_DIR/\.fonts.cache-1 -- system_u:object_r:ROLE_fonts_cache_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.23.16/file_contexts/program/initrc.fc
--- nsapolicy/file_contexts/program/initrc.fc 2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.23.16/file_contexts/program/initrc.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/initrc.fc 2005-05-23 16:45:33.000000000 -0400
@@ -38,5 +38,11 @@
/etc/nohotplug -- system_u:object_r:etc_runtime_t
ifdef(`distro_redhat', `
@@ -1463,7 +1557,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.16/file_contexts/program/lvm.fc
--- nsapolicy/file_contexts/program/lvm.fc 2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.16/file_contexts/program/lvm.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/lvm.fc 2005-05-23 16:45:33.000000000 -0400
@@ -65,3 +65,5 @@
/sbin/pvs -- system_u:object_r:lvm_exec_t
/sbin/vgs -- system_u:object_r:lvm_exec_t
@@ -1472,7 +1566,7 @@
+/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.23.16/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.16/file_contexts/program/ntpd.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/ntpd.fc 2005-05-23 16:45:33.000000000 -0400
@@ -1,7 +1,7 @@
/var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
@@ -1485,7 +1579,7 @@
/var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/traceroute.fc policy-1.23.16/file_contexts/program/traceroute.fc
--- nsapolicy/file_contexts/program/traceroute.fc 2005-05-16 11:28:12.000000000 -0400
-+++ policy-1.23.16/file_contexts/program/traceroute.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/program/traceroute.fc 2005-05-23 16:45:33.000000000 -0400
@@ -1,9 +1,6 @@
# traceroute
/bin/traceroute.* -- system_u:object_r:traceroute_exec_t
@@ -1498,7 +1592,7 @@
/usr/bin/nmap -- system_u:object_r:traceroute_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.16/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-05-07 00:41:12.000000000 -0400
-+++ policy-1.23.16/file_contexts/types.fc 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/file_contexts/types.fc 2005-05-23 16:45:33.000000000 -0400
@@ -58,7 +58,7 @@
#
@@ -1569,7 +1663,7 @@
#
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.23.16/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.16/macros/admin_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/admin_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -203,14 +203,9 @@
# policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs.
@@ -1600,7 +1694,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.16/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.16/macros/base_user_macros.te 2005-05-19 10:43:06.000000000 -0400
++++ policy-1.23.16/macros/base_user_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -68,14 +68,21 @@
allow $1_t dri_device_t:chr_file getattr;
dontaudit $1_t dri_device_t:chr_file rw_file_perms;
@@ -1646,7 +1740,7 @@
#
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.16/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-05-07 00:41:12.000000000 -0400
-+++ policy-1.23.16/macros/global_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/global_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -156,7 +156,6 @@
r_dir_file($1, locale_t)
')
@@ -1711,7 +1805,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.16/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.16/macros/program/apache_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/apache_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -101,7 +101,7 @@
# Allow the scripts to read, read/write, append to the specified directories
# or files
@@ -1721,9 +1815,20 @@
r_dir_file(httpd_$1_script_t, httpd_$1_script_ro_t)
create_dir_file(httpd_$1_script_t, httpd_$1_script_rw_t)
ra_dir_file(httpd_$1_script_t, httpd_$1_script_ra_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.23.16/macros/program/chkpwd_macros.te
+--- nsapolicy/macros/program/chkpwd_macros.te 2005-05-02 14:06:57.000000000 -0400
++++ policy-1.23.16/macros/program/chkpwd_macros.te 2005-05-23 17:02:21.000000000 -0400
+@@ -34,6 +34,7 @@
+ allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+ dontaudit auth_chkpwd shadow_t:file { getattr read };
++can_ypbind(auth_chkpwd)
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+ allow $1_t sbin_t:dir search;
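Review bot: `can_ypbind(auth_chkpwd)` is attached to an attribute, so every domain carrying auth_chkpwd (daemons such as saslauthd_t, which this patch declares with `auth_chkpwd`) gains NIS client networking in one step, where previously it was granted per domain; the ifelse/ifdef condition that decides whether this branch is taken at all lies outside the hunk, so it is not visible which callers of the macro are covered. The new line also sits directly after `dontaudit auth_chkpwd shadow_t:file { getattr read };`, an unrelated concern, so a short comment would make the intent clear: `# password checks may resolve passwd/shadow via NIS; applies to every auth_chkpwd domain`. It is worth confirming that can_ypbind remains gated by the allow_ypbind boolean so this added network access stays opt-in.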
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.16/macros/program/fontconfig_macros.te
--- nsapolicy/macros/program/fontconfig_macros.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.16/macros/program/fontconfig_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/fontconfig_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,24 @@
+#
+# Fontconfig related types
@@ -1751,7 +1856,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.16/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.16/macros/program/gift_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/gift_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -17,9 +17,10 @@
domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
role $1_r types $1_gift_t;
@@ -1783,7 +1888,7 @@
can_network_client($1_giftd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.23.16/macros/program/gpg_agent_macros.te
--- nsapolicy/macros/program/gpg_agent_macros.te 2005-05-16 11:28:12.000000000 -0400
-+++ policy-1.23.16/macros/program/gpg_agent_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/gpg_agent_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -88,7 +88,7 @@
allow { $1_gpg_agent_t $1_gpg_pinentry_t } xdm_t:fd use;
')dnl end ig xdm.te
@@ -1795,7 +1900,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.23.16/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.16/macros/program/irc_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/irc_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -66,7 +66,7 @@
dontaudit $1_irc_t var_run_t:dir search;
@@ -1807,7 +1912,7 @@
# access files under /tmp
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.16/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.16/macros/program/java_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/java_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -4,7 +4,7 @@
# Macros for javaplugin (java plugin) domains.
#
@@ -1837,7 +1942,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.16/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.16/macros/program/mozilla_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/mozilla_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -16,7 +16,8 @@
# provided separately in domains/program/mozilla.te.
#
@@ -1951,7 +2056,7 @@
ifelse($1, sysadm, `', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.16/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.16/macros/program/mplayer_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/mplayer_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -6,9 +6,9 @@
# mplayer_domains(user) declares domains for mplayer, gmplayer,
# and mencoder
@@ -2050,7 +2155,7 @@
define(`mplayer_domains', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/userhelper_macros.te policy-1.23.16/macros/program/userhelper_macros.te
--- nsapolicy/macros/program/userhelper_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.16/macros/program/userhelper_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/userhelper_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -96,7 +96,7 @@
allow $1_userhelper_t fs_t:filesystem getattr;
@@ -2062,7 +2167,7 @@
allow $1_userhelper_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.16/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.23.16/macros/program/x_client_macros.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/macros/program/x_client_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -74,7 +74,7 @@
allow $1_t self:shm create_shm_perms;
@@ -2074,7 +2179,7 @@
ifdef(`xserver.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.16/Makefile
--- nsapolicy/Makefile 2005-05-16 11:28:11.000000000 -0400
-+++ policy-1.23.16/Makefile 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/Makefile 2005-05-23 16:45:33.000000000 -0400
@@ -220,8 +220,8 @@
$(FC): $(ALL_TUNABLES) tmp/program_used_flags.te $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users /etc/passwd
@echo "Building file contexts files..."
@@ -2088,7 +2193,7 @@
# Create a tags-file for the policy:
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.23.16/man/man8/ftpd_selinux.8
--- nsapolicy/man/man8/ftpd_selinux.8 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.16/man/man8/ftpd_selinux.8 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/man/man8/ftpd_selinux.8 2005-05-23 16:45:33.000000000 -0400
@@ -43,7 +43,7 @@
.TP
setsebool -P ftpd_disable_trans 1
@@ -2100,7 +2205,7 @@
.SH AUTHOR
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.16/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.16/man/man8/httpd_selinux.8 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/man/man8/httpd_selinux.8 2005-05-23 16:45:33.000000000 -0400
@@ -101,7 +101,7 @@
setsebool -P httpd_disable_trans 1
@@ -2112,7 +2217,7 @@
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/kerberos_selinux.8 policy-1.23.16/man/man8/kerberos_selinux.8
--- nsapolicy/man/man8/kerberos_selinux.8 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.16/man/man8/kerberos_selinux.8 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/man/man8/kerberos_selinux.8 2005-05-23 16:45:33.000000000 -0400
@@ -16,11 +16,11 @@
setsebool -P krb5kdc_disable_trans 1
@@ -2129,7 +2234,7 @@
system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/named_selinux.8 policy-1.23.16/man/man8/named_selinux.8
--- nsapolicy/man/man8/named_selinux.8 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.16/man/man8/named_selinux.8 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/man/man8/named_selinux.8 2005-05-23 16:45:33.000000000 -0400
@@ -17,7 +17,7 @@
.TP
setsebool -P named_disable_trans 1
@@ -2141,7 +2246,7 @@
.SH AUTHOR
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.23.16/man/man8/rsync_selinux.8
--- nsapolicy/man/man8/rsync_selinux.8 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.16/man/man8/rsync_selinux.8 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/man/man8/rsync_selinux.8 2005-05-23 16:45:33.000000000 -0400
@@ -25,7 +25,7 @@
.TP
setsebool -P rsync_disable_trans 1
@@ -2153,7 +2258,7 @@
.SH AUTHOR
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.23.16/man/man8/samba_selinux.8
--- nsapolicy/man/man8/samba_selinux.8 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.16/man/man8/samba_selinux.8 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/man/man8/samba_selinux.8 2005-05-23 16:45:33.000000000 -0400
@@ -41,7 +41,7 @@
setsebool -P smbd_disable_trans 1
@@ -2165,7 +2270,7 @@
.SH AUTHOR
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.16/net_contexts
--- nsapolicy/net_contexts 2005-05-16 11:28:11.000000000 -0400
-+++ policy-1.23.16/net_contexts 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/net_contexts 2005-05-23 16:45:33.000000000 -0400
@@ -106,10 +106,8 @@
portcon udp 517 system_u:object_r:ktalkd_port_t
portcon udp 518 system_u:object_r:ktalkd_port_t
@@ -2179,7 +2284,7 @@
portcon tcp 464 system_u:object_r:kerberos_admin_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.23.16/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.16/targeted/assert.te 2005-05-19 11:37:34.000000000 -0400
++++ policy-1.23.16/targeted/assert.te 2005-05-23 16:45:33.000000000 -0400
@@ -25,7 +25,7 @@
neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
@@ -2189,9 +2294,21 @@
#
# Verify that every type that can be entered by
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.16/targeted/domains/program/crond.te
+--- nsapolicy/targeted/domains/program/crond.te 2005-05-02 07:37:54.000000000 -0400
++++ policy-1.23.16/targeted/domains/program/crond.te 2005-05-24 08:21:57.000000000 -0400
+@@ -14,7 +14,7 @@
+ type crond_t, domain, privuser, privrole, privowner;
+ typealias crond_t alias system_crond_t;
+ type anacron_exec_t, file_type, sysadmfile, exec_type;
+-type system_crond_tmp_t, file_type, sysadmfile;
++type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
+ type system_cron_spool_t, file_type, sysadmfile;
+ type sysadm_cron_spool_t, file_type, sysadmfile;
+ type crond_log_t, file_type, sysadmfile;
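Review bot: Adding the `tmpfile` attribute to system_crond_tmp_t changes which domains may touch cron jobs' scratch files: every rule written against the tmpfile attribute in the targeted policy (cleanup, relabel or tmp-handling rules) now applies to this type as well, and none of those rules are visible in the hunk. That is presumably the intent, so that /tmp handling treats these files uniformly, but a one-line comment on the declaration would make it deliberate: `# tmpfile so generic /tmp rules (cleanup, relabel) also cover cron job scratch files`. Please check that no domain gains write access to system_crond_tmp_t that it did not have before, since cron job temp files can feed later steps of the same job.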
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.16/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.16/targeted/domains/unconfined.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/targeted/domains/unconfined.te 2005-05-23 16:45:33.000000000 -0400
@@ -77,3 +77,8 @@
# allow reading of default file context
@@ -2203,7 +2320,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.16/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.16/tunables/distro.tun 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/tunables/distro.tun 2005-05-23 16:45:33.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
@@ -2215,7 +2332,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.16/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.23.16/tunables/tunable.tun 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/tunables/tunable.tun 2005-05-23 16:45:33.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
@@ -2236,7 +2353,7 @@
# Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.23.16/types/device.te
--- nsapolicy/types/device.te 2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.16/types/device.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/device.te 2005-05-23 16:45:33.000000000 -0400
@@ -10,7 +10,7 @@
#
# device_t is the type of /dev.
@@ -2248,7 +2365,7 @@
# null_device_t is the type of /dev/null.
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.23.16/types/devpts.te
--- nsapolicy/types/devpts.te 2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.16/types/devpts.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/devpts.te 2005-05-23 16:45:33.000000000 -0400
@@ -16,6 +16,6 @@
# devpts_t is the type of the devpts file system and
# the type of the root directory of the file system.
@@ -2259,7 +2376,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.16/types/file.te
--- nsapolicy/types/file.te 2005-05-07 00:41:13.000000000 -0400
-+++ policy-1.23.16/types/file.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/file.te 2005-05-23 16:45:33.000000000 -0400
@@ -23,37 +23,37 @@
type eventpollfs_t, fs_type;
type futexfs_t, fs_type;
@@ -2390,7 +2507,7 @@
type iso9660_t, fs_type, noexattrfile, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.16/types/network.te
--- nsapolicy/types/network.te 2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.16/types/network.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/network.te 2005-05-23 16:45:33.000000000 -0400
@@ -30,6 +30,7 @@
type nmbd_port_t, port_type, reserved_port_type;
type http_cache_port_t, port_type, reserved_port_type;
@@ -2401,7 +2518,7 @@
ifdef(`cyrus.te', `define(`use_pop')')
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.23.16/types/nfs.te
--- nsapolicy/types/nfs.te 2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.16/types/nfs.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/nfs.te 2005-05-23 16:45:33.000000000 -0400
@@ -13,7 +13,7 @@
# The nfs_*_t types are used for specific NFS
# servers in net_contexts or net_contexts.mls.
@@ -2413,7 +2530,7 @@
# Allow NFS files to be associated with an NFS file system.
diff --exclude-from=exclude -N -u -r nsapolicy/types/procfs.te policy-1.23.16/types/procfs.te
--- nsapolicy/types/procfs.te 2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.16/types/procfs.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/procfs.te 2005-05-23 16:45:33.000000000 -0400
@@ -14,7 +14,7 @@
# proc_mdstat_t is the type of /proc/mdstat.
# proc_net_t is the type of /proc/net.
@@ -2434,7 +2551,7 @@
type sysctl_modprobe_t, sysctl_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.16/types/security.te
--- nsapolicy/types/security.te 2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.16/types/security.te 2005-05-18 15:50:12.000000000 -0400
++++ policy-1.23.16/types/security.te 2005-05-23 16:45:33.000000000 -0400
@@ -12,32 +12,32 @@
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.311
retrieving revision 1.312
diff -u -r1.311 -r1.312
--- selinux-policy-strict.spec 20 May 2005 18:53:29 -0000 1.311
+++ selinux-policy-strict.spec 24 May 2005 19:27:06 -0000 1.312
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.16
-Release: 6
+Release: 7
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -220,6 +220,11 @@
exit 0
%changelog
+* Tue May 24 2005 Dan Walsh <dwalsh at redhat.com> 1.23.16-7
+- Don't transition from sysadm_t to fsadm_t in targeted policy
+- Fix sysadm_crond_tmp_t to tmpfile in targeted
+- Allow kernel_t to read sysfs_t
+
* Fri May 20 2005 Dan Walsh <dwalsh at redhat.com> 1.23.16-6
- Add firstboot to targeted policy