
rpms/selinux-policy-mls/devel policy-20051021.patch, 1.16, 1.17 selinux-policy-mls.spec, 1.116, 1.117



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-mls/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9246

Modified Files:
	policy-20051021.patch selinux-policy-mls.spec 
Log Message:
* Fri Nov 7 2005 Dan Walsh <dwalsh redhat com> 1.27.2-16
- Allow scanimage to work with hplip
- Fix multiple definitions in file context
- Fix missing launch


policy-20051021.patch:
 Makefile                                 |   14 -
 attrib.te                                |   18 +
 domains/admin.te                         |    2 
 domains/misc/kernel.te                   |    2 
 domains/program/fsadm.te                 |    2 
 domains/program/getty.te                 |    2 
 domains/program/ifconfig.te              |    2 
 domains/program/init.te                  |    2 
 domains/program/initrc.te                |   13 +
 domains/program/login.te                 |    2 
 domains/program/logrotate.te             |    2 
 domains/program/modutil.te               |    8 
 domains/program/newrole.te               |    4 
 domains/program/restorecon.te            |    4 
 domains/program/setfiles.te              |    2 
 domains/program/ssh.te                   |    2 
 domains/program/su.te                    |    4 
 domains/program/syslogd.te               |    4 
 domains/program/tmpreaper.te             |    2 
 domains/program/unused/NetworkManager.te |   10 +
 domains/program/unused/amanda.te         |   21 +-
 domains/program/unused/apache.te         |   16 +
 domains/program/unused/apmd.te           |   13 +
 domains/program/unused/auditd.te         |    6 
 domains/program/unused/avahi.te          |   31 +++
 domains/program/unused/bluetooth.te      |   57 +++++
 domains/program/unused/cups.te           |   11 -
 domains/program/unused/cyrus.te          |    8 
 domains/program/unused/dbusd.te          |    2 
 domains/program/unused/dhcpc.te          |    3 
 domains/program/unused/dhcpd.te          |    3 
 domains/program/unused/exim.te           |  309 +++++++++++++++++++++++++++++++
 domains/program/unused/ftpd.te           |    6 
 domains/program/unused/hald.te           |    5 
 domains/program/unused/hotplug.te        |    5 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    3 
 domains/program/unused/mta.te            |    5 
 domains/program/unused/mysqld.te         |    6 
 domains/program/unused/named.te          |   17 +
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |    5 
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   15 +
 domains/program/unused/ping.te           |    2 
 domains/program/unused/postfix.te        |   55 +++--
 domains/program/unused/postgresql.te     |   11 -
 domains/program/unused/pppd.te           |   23 +-
 domains/program/unused/procmail.te       |    6 
 domains/program/unused/radius.te         |    3 
 domains/program/unused/rpcd.te           |   16 +
 domains/program/unused/rpm.te            |    4 
 domains/program/unused/rsync.te          |    3 
 domains/program/unused/samba.te          |    6 
 domains/program/unused/saslauthd.te      |    1 
 domains/program/unused/sendmail.te       |   50 ++++-
 domains/program/unused/slapd.te          |   25 ++
 domains/program/unused/snmpd.te          |    1 
 domains/program/unused/spamd.te          |   28 --
 domains/program/unused/udev.te           |    8 
 domains/program/unused/webalizer.te      |    3 
 domains/program/unused/xdm.te            |    2 
 domains/program/unused/yppasswdd.te      |   40 ++++
 domains/program/unused/ypserv.te         |    8 
 file_contexts/distros.fc                 |    1 
 file_contexts/program/apache.fc          |    3 
 file_contexts/program/avahi.fc           |    4 
 file_contexts/program/backup.fc          |    2 
 file_contexts/program/bluetooth.fc       |    2 
 file_contexts/program/compat.fc          |    4 
 file_contexts/program/dhcpc.fc           |    1 
 file_contexts/program/dhcpd.fc           |    9 
 file_contexts/program/exim.fc            |   18 +
 file_contexts/program/ftpd.fc            |    5 
 file_contexts/program/games.fc           |    3 
 file_contexts/program/kudzu.fc           |    2 
 file_contexts/program/pegasus.fc         |    6 
 file_contexts/program/rshd.fc            |    1 
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/sendmail.fc        |    9 
 file_contexts/program/slapd.fc           |   12 +
 file_contexts/program/squid.fc           |    3 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/types.fc                   |    5 
 genfs_contexts                           |    1 
 macros/base_user_macros.te               |    7 
 macros/global_macros.te                  |   26 --
 macros/home_macros.te                    |    9 
 macros/program/chkpwd_macros.te          |    7 
 macros/program/dbusd_macros.te           |    1 
 macros/program/exim_macros.te            |   75 +++++++
 macros/program/su_macros.te              |    2 
 macros/program/ypbind_macros.te          |    1 
 macros/user_macros.te                    |    1 
 man/man8/ftpd_selinux.8                  |   19 +
 man/man8/httpd_selinux.8                 |    9 
 man/man8/rsync_selinux.8                 |   12 -
 man/man8/samba_selinux.8                 |    9 
 mcs                                      |  194 ++++++-------------
 mls                                      |  227 ++++++++--------------
 net_contexts                             |    4 
 targeted/assert.te                       |    2 
 targeted/domains/program/compat.te       |    1 
 targeted/domains/program/sendmail.te     |   18 -
 targeted/domains/program/ssh.te          |    2 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |   10 -
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/devpts.te                          |    4 
 types/file.te                            |   44 +---
 types/network.te                         |   10 -
 types/nfs.te                             |    1 
 types/security.te                        |    2 
 114 files changed, 1201 insertions(+), 549 deletions(-)

Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/policy-20051021.patch,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- policy-20051021.patch	4 Nov 2005 22:35:21 -0000	1.16
+++ policy-20051021.patch	7 Nov 2005 18:57:02 -0000	1.17
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.27.2/attrib.te
 --- nsapolicy/attrib.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/attrib.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/attrib.te	2005-11-07 10:47:22.000000000 -0500
 @@ -28,7 +28,8 @@
  #
  # Grant MLS read access to files not dominated by the process Effective SL
@@ -63,7 +63,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.27.2/domains/admin.te
 --- nsapolicy/domains/admin.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/admin.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/admin.te	2005-11-07 10:47:22.000000000 -0500
 @@ -4,7 +4,7 @@
  
  # sysadm_t is the system administrator domain.
@@ -75,7 +75,7 @@
  allow privhome home_root_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.2/domains/misc/kernel.te
 --- nsapolicy/domains/misc/kernel.te	2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.2/domains/misc/kernel.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/misc/kernel.te	2005-11-07 10:47:22.000000000 -0500
 @@ -30,7 +30,7 @@
  
  ifdef(`mls_policy', `
@@ -87,7 +87,7 @@
  # Share state with the init process.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.2/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/fsadm.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/fsadm.te	2005-11-07 10:47:22.000000000 -0500
 @@ -12,7 +12,7 @@
  # administration.
  # fsadm_exec_t is the type of the corresponding programs.
@@ -99,7 +99,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.27.2/domains/program/getty.te
 --- nsapolicy/domains/program/getty.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/getty.te	2005-11-04 17:30:38.000000000 -0500
++++ policy-1.27.2/domains/program/getty.te	2005-11-07 10:47:22.000000000 -0500
 @@ -8,7 +8,7 @@
  #
  # Rules for the getty_t domain.
@@ -111,7 +111,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.2/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/ifconfig.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/ifconfig.te	2005-11-07 10:47:22.000000000 -0500
 @@ -61,7 +61,7 @@
  # ifconfig attempts to search some sysctl entries.
  # Do not audit those attempts; comment out these rules if it is desired to
@@ -123,7 +123,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.2/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/initrc.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/initrc.te	2005-11-07 10:47:22.000000000 -0500
 @@ -12,7 +12,7 @@
  # initrc_exec_t is the type of the init program.
  #
@@ -164,7 +164,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.27.2/domains/program/init.te
 --- nsapolicy/domains/program/init.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/init.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/init.te	2005-11-07 10:47:22.000000000 -0500
 @@ -14,7 +14,7 @@
  # by init during initialization.  This pipe is used
  # to communicate with init.
@@ -176,7 +176,7 @@
  type init_exec_t, file_type, sysadmfile, exec_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.2/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/login.te	2005-11-04 17:31:09.000000000 -0500
++++ policy-1.27.2/domains/program/login.te	2005-11-07 10:47:22.000000000 -0500
 @@ -13,7 +13,7 @@
  
  # $1 is the name of the domain (local or remote)
@@ -188,7 +188,7 @@
  dontaudit $1_login_t shadow_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.27.2/domains/program/logrotate.te
 --- nsapolicy/domains/program/logrotate.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/logrotate.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/logrotate.te	2005-11-07 10:47:22.000000000 -0500
 @@ -13,7 +13,7 @@
  # logrotate_t is the domain for the logrotate program.
  # logrotate_exec_t is the type of the corresponding program.
@@ -200,7 +200,7 @@
  uses_shlib(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.2/domains/program/modutil.te
 --- nsapolicy/domains/program/modutil.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/modutil.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/modutil.te	2005-11-07 10:47:22.000000000 -0500
 @@ -82,7 +82,6 @@
  bool secure_mode_insmod false;
  
@@ -240,7 +240,7 @@
  rw_dir_create_file(system_crond_t, var_log_ksyms_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.27.2/domains/program/newrole.te
 --- nsapolicy/domains/program/newrole.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/newrole.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/newrole.te	2005-11-07 10:47:22.000000000 -0500
 @@ -18,3 +18,7 @@
  allow newrole_t initrc_var_run_t:file rw_file_perms;
  
@@ -251,7 +251,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.2/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/restorecon.te	2005-10-28 10:58:06.000000000 -0400
++++ policy-1.27.2/domains/program/restorecon.te	2005-11-07 10:47:22.000000000 -0500
 @@ -63,3 +63,7 @@
  allow restorecon_t kernel_t:fifo_file { read write };
  allow restorecon_t kernel_t:unix_dgram_socket { read write };
@@ -262,7 +262,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.2/domains/program/setfiles.te
 --- nsapolicy/domains/program/setfiles.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/setfiles.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/setfiles.te	2005-11-07 10:47:22.000000000 -0500
 @@ -12,7 +12,7 @@
  #
  # needs auth_write attribute because it has relabelfrom/relabelto
@@ -274,7 +274,7 @@
  role system_r types setfiles_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.2/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/ssh.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/ssh.te	2005-11-07 10:47:22.000000000 -0500
 @@ -233,5 +233,5 @@
  allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
  allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
@@ -284,7 +284,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.2/domains/program/su.te
 --- nsapolicy/domains/program/su.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/su.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/su.te	2005-11-07 10:47:22.000000000 -0500
 @@ -15,7 +15,9 @@
  
  ifdef(`use_mcs', `
@@ -298,7 +298,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.2/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/syslogd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/syslogd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -14,9 +14,9 @@
  # by syslogd.
  #
@@ -313,7 +313,7 @@
  # can_network is for the UDP socket
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.27.2/domains/program/tmpreaper.te
 --- nsapolicy/domains/program/tmpreaper.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/tmpreaper.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/tmpreaper.te	2005-11-07 10:47:22.000000000 -0500
 @@ -8,7 +8,7 @@
  #
  # Rules for the tmpreaper_t domain.
@@ -325,7 +325,7 @@
  role system_r types tmpreaper_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.2/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/amanda.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/amanda.te	2005-11-07 10:47:22.000000000 -0500
 @@ -132,7 +132,8 @@
  
  allow amanda_t self:capability { chown dac_override setuid };
@@ -387,7 +387,7 @@
  ############################
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.2/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/apache.te	2005-11-03 09:09:38.000000000 -0500
++++ policy-1.27.2/domains/program/unused/apache.te	2005-11-07 10:47:22.000000000 -0500
 @@ -225,7 +225,7 @@
  # Creation of lock files for apache2
  lock_domain(httpd)
@@ -444,7 +444,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.2/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/apmd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/apmd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -147,4 +147,15 @@
  ')dnl end if logrotate.te
  allow apmd_t devpts_t:dir { getattr search };
@@ -464,7 +464,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.2/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/auditd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/auditd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -12,6 +12,12 @@
  
  daemon_domain(auditd)
@@ -480,7 +480,7 @@
  allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/avahi.te policy-1.27.2/domains/program/unused/avahi.te
 --- nsapolicy/domains/program/unused/avahi.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/domains/program/unused/avahi.te	2005-10-31 10:40:30.000000000 -0500
++++ policy-1.27.2/domains/program/unused/avahi.te	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,31 @@
 +#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
 +#
@@ -515,7 +515,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.2/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/bluetooth.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/bluetooth.te	2005-11-07 10:47:22.000000000 -0500
 @@ -14,8 +14,10 @@
  file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
  
@@ -599,7 +599,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.2/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/cups.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/cups.te	2005-11-07 10:47:22.000000000 -0500
 @@ -48,7 +48,7 @@
  
  # this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
@@ -640,7 +640,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.2/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/cyrus.te	2005-11-03 14:58:55.000000000 -0500
++++ policy-1.27.2/domains/program/unused/cyrus.te	2005-11-07 10:47:22.000000000 -0500
 @@ -50,3 +50,11 @@
  
  r_dir_file(cyrus_t, cert_t)
@@ -655,7 +655,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.2/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/dbusd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dbusd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -24,4 +24,4 @@
  allow system_dbusd_t self:fifo_file { read write };
  allow system_dbusd_t self:unix_stream_socket connectto;
@@ -664,7 +664,7 @@
 +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.2/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/dhcpc.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dhcpc.te	2005-11-07 10:47:22.000000000 -0500
 @@ -120,6 +120,7 @@
  allow dhcpc_t self:packet_socket create_socket_perms;
  allow dhcpc_t var_lib_t:dir search;
@@ -681,7 +681,7 @@
 +allow dhcpc_t locale_t:file write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.2/domains/program/unused/dhcpd.te
 --- nsapolicy/domains/program/unused/dhcpd.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/dhcpd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dhcpd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -17,8 +17,6 @@
  #
  daemon_domain(dhcpd, `, nscd_client_domain')
@@ -701,7 +701,7 @@
  allow dhcpd_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.2/domains/program/unused/exim.te
 --- nsapolicy/domains/program/unused/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/domains/program/unused/exim.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/exim.te	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,309 @@
 +#DESC Exim - Mail server
 +#
@@ -1014,7 +1014,7 @@
 +rw_dir_file(exim_db_rw_t, exim_spool_db_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.2/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ftpd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ftpd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -99,9 +99,11 @@
  
  if (ftp_home_dir) {
@@ -1031,7 +1031,7 @@
  	r_dir_file(ftpd_t, nfs_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.2/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/hald.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/hald.te	2005-11-07 10:47:22.000000000 -0500
 @@ -24,7 +24,8 @@
  allow hald_t self:dbus send_msg;
  ')
@@ -1050,7 +1050,7 @@
 +r_dir_file(hald_t, hwdata_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.2/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/hotplug.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/hotplug.te	2005-11-07 10:47:22.000000000 -0500
 @@ -11,9 +11,9 @@
  # hotplug_exec_t is the type of the hotplug executable.
  #
@@ -1073,7 +1073,7 @@
  allow hotplug_t printer_device_t:chr_file setattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.2/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ipsec.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ipsec.te	2005-11-07 10:47:22.000000000 -0500
 @@ -219,7 +219,7 @@
  dontaudit ipsec_mgmt_t selinux_config_t:dir search;
  dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -1085,7 +1085,7 @@
  allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.2/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/kudzu.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/kudzu.te	2005-11-07 10:47:22.000000000 -0500
 @@ -64,6 +64,7 @@
  allow kudzu_t lib_t:file { read getattr };
  # Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
@@ -1105,7 +1105,7 @@
  allow kudzu_t initrc_t:unix_stream_socket connectto;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.2/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/mta.te	2005-11-03 15:13:19.000000000 -0500
++++ policy-1.27.2/domains/program/unused/mta.te	2005-11-07 10:47:22.000000000 -0500
 @@ -38,9 +38,8 @@
  ', `
  ifdef(`sendmail.te', `
@@ -1120,7 +1120,7 @@
  allow initrc_t sendmail_exec_t:lnk_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.2/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/mysqld.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/mysqld.te	2005-11-07 10:47:22.000000000 -0500
 @@ -33,14 +33,14 @@
  
  allow initrc_t mysqld_log_t:file { write append setattr ioctl };
@@ -1141,7 +1141,7 @@
  can_ypbind(mysqld_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.2/domains/program/unused/named.te
 --- nsapolicy/domains/program/unused/named.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/named.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/named.te	2005-11-07 10:47:22.000000000 -0500
 @@ -36,7 +36,7 @@
  allow named_t self:process { setsched setcap setrlimit };
  
@@ -1175,7 +1175,7 @@
  type ndc_exec_t, file_type,sysadmfile, exec_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.2/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/NetworkManager.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/NetworkManager.te	2005-11-07 10:47:22.000000000 -0500
 @@ -91,7 +91,12 @@
  allow NetworkManager_t howl_t:process signal;
  allow NetworkManager_t initrc_var_run_t:file { getattr read };
@@ -1200,7 +1200,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.2/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/nscd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/nscd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -76,3 +76,4 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
@@ -1208,7 +1208,7 @@
 +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.2/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ntpd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ntpd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -27,11 +27,10 @@
  allow ntpd_t urandom_device_t:chr_file { getattr read };
  
@@ -1225,7 +1225,7 @@
  tmp_domain(ntpd)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.2/domains/program/unused/pamconsole.te
 --- nsapolicy/domains/program/unused/pamconsole.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pamconsole.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pamconsole.te	2005-11-07 10:47:22.000000000 -0500
 @@ -3,7 +3,7 @@
  #
  # pam_console_apply
@@ -1237,7 +1237,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.2/domains/program/unused/pegasus.te
 --- nsapolicy/domains/program/unused/pegasus.te	2005-10-20 15:53:02.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pegasus.te	2005-10-31 15:19:43.000000000 -0500
++++ policy-1.27.2/domains/program/unused/pegasus.te	2005-11-07 10:47:22.000000000 -0500
 @@ -7,17 +7,20 @@
  #
  # Rules for the pegasus domain
@@ -1275,7 +1275,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.2/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ping.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ping.te	2005-11-07 10:47:22.000000000 -0500
 @@ -58,6 +58,6 @@
  dontaudit ping_t devtty_t:chr_file { read write };
  dontaudit ping_t self:capability sys_tty_config;
@@ -1286,7 +1286,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.2/domains/program/unused/postfix.te
 --- nsapolicy/domains/program/unused/postfix.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/postfix.te	2005-11-03 14:58:43.000000000 -0500
++++ policy-1.27.2/domains/program/unused/postfix.te	2005-11-07 11:28:26.000000000 -0500
 @@ -54,6 +54,8 @@
  allow postfix_$1_t proc_net_t:dir search;
  allow postfix_$1_t proc_net_t:file { getattr read };
@@ -1459,7 +1459,7 @@
 -allow postfix_local_t mail_spool_t:file { unlink };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.27.2/domains/program/unused/postgresql.te
 --- nsapolicy/domains/program/unused/postgresql.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/postgresql.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/postgresql.te	2005-11-07 10:47:22.000000000 -0500
 @@ -51,7 +51,6 @@
  
  # Use the network.
@@ -1489,7 +1489,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.2/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pppd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pppd.te	2005-11-07 11:43:42.000000000 -0500
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
@@ -1525,7 +1525,7 @@
  
  # for scripts
  allow pppd_t self:fifo_file rw_file_perms;
-@@ -105,14 +106,16 @@
+@@ -105,14 +106,17 @@
  dontaudit pppd_t initrc_var_run_t:file { lock write };
  
  # pppd needs to load kernel modules for certain modems
@@ -1537,6 +1537,7 @@
 +if (pppd_can_insmod && !secure_mode_insmod) {
  domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 -')
++allow ifconfig_t self:capability sys_module;
  }
  
 -daemon_domain(pptp)
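Review bot: The added `allow ifconfig_t self:capability sys_module;` sits inside pppd.te's `if (pppd_can_insmod && !secure_mode_insmod)` block, so enabling a pppd boolean hands the module-loading capability to every process running as ifconfig_t, not only to ifconfig invocations started by pppd. Neither the hunk nor the log message says why ifconfig needs it, so the rule should carry a comment along the lines of `# ifconfig_t needs sys_module for <reason>; only when pppd_can_insmod is set`. It is also worth checking whether a transition into insmod_t, as `domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)` does for pppd_t on the line above, would cover the case without granting sys_module to ifconfig_t directly.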
@@ -1546,7 +1547,7 @@
  can_network_client_tcp(pptp_t)
  allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
  can_exec(pptp_t, hostname_exec_t)
-@@ -121,11 +124,11 @@
+@@ -121,11 +125,11 @@
  allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow pptp_t self:unix_dgram_socket create_socket_perms;
  can_exec(pptp_t, pppd_etc_rw_t)
@@ -1560,14 +1561,34 @@
  allow pppd_t pptp_t:process signal;
  allow pptp_t self:capability net_raw;
  allow pptp_t self:fifo_file { read write };
-@@ -145,3 +148,4 @@
+@@ -145,3 +149,4 @@
  # Allow /etc/ppp/ip-{up,down} to run most anything
  type pppd_script_exec_t, file_type, sysadmfile;
  domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
 +allow pppd_t initrc_t:process noatsecure;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.2/domains/program/unused/procmail.te
+--- nsapolicy/domains/program/unused/procmail.te	2005-10-21 11:36:15.000000000 -0400
++++ policy-1.27.2/domains/program/unused/procmail.te	2005-11-07 11:30:31.000000000 -0500
+@@ -59,12 +59,14 @@
+ allow procmail_t usr_t:file { getattr ioctl read };
+ ifdef(`spamassassin.te', `
+ can_exec(procmail_t, spamassassin_exec_t)
+-can_resolve(procmail_t)
+ allow procmail_t port_t:udp_socket name_bind;
+ allow procmail_t tmp_t:dir getattr;
+ ')
++ifdef(`spamc.te', `
++can_exec(procmail_t, spamc_exec_t)
++')
++
+ ifdef(`targeted_policy', `
+-can_resolve(procmail_t)
+ allow procmail_t port_t:udp_socket name_bind;
+ allow procmail_t tmp_t:dir getattr;
+ ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.27.2/domains/program/unused/radius.te
 --- nsapolicy/domains/program/unused/radius.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/radius.te	2005-11-03 14:07:34.000000000 -0500
++++ policy-1.27.2/domains/program/unused/radius.te	2005-11-07 10:47:22.000000000 -0500
 @@ -10,7 +10,7 @@
  #
  # radiusd_exec_t is the type of the radiusd executable.
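Review bot: The new procmail.te section removes `can_resolve(procmail_t)` from both the `spamassassin.te` and `targeted_policy` branches but keeps `allow procmail_t port_t:udp_socket name_bind;` in each. If that bind existed only to support resolver traffic (the patch does not say), it is now a leftover grant that lets procmail_t bind any UDP port labelled port_t, and it should be dropped along with the resolver macro. If something else still needs it, say so next to the rule, e.g. `# udp name_bind still required by <component>`. The two branches also carry identical rules, so a build that defines both emits them twice.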
@@ -1584,7 +1605,7 @@
 +allow radiusd_t urandom_device_t:chr_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.2/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/rpcd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/rpcd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -148,6 +148,20 @@
  allow gssd_t rpc_pipefs_t:dir r_dir_perms;
  allow gssd_t rpc_pipefs_t:sock_file { read write };
@@ -1609,7 +1630,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.27.2/domains/program/unused/rpm.te
 --- nsapolicy/domains/program/unused/rpm.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/rpm.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/rpm.te	2005-11-07 10:47:22.000000000 -0500
 @@ -10,7 +10,7 @@
  # rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
  # rpm_var_lib_t is the type for rpm files in /var/lib
@@ -1630,7 +1651,7 @@
  uses_shlib(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.2/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/rsync.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/rsync.te	2005-11-07 10:47:22.000000000 -0500
 @@ -15,5 +15,4 @@
  type rsync_data_t, file_type, sysadmfile;
  r_dir_file(rsync_t, rsync_data_t)
@@ -1640,7 +1661,7 @@
 +allow rsync_t self:capability sys_chroot;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.2/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/samba.te	2005-11-03 13:34:23.000000000 -0500
++++ policy-1.27.2/domains/program/unused/samba.te	2005-11-07 10:47:22.000000000 -0500
 @@ -46,7 +46,7 @@
  allow smbd_t smbd_port_t:tcp_socket name_bind;
  
@@ -1670,7 +1691,7 @@
  ifdef(`logrotate.te', `
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.27.2/domains/program/unused/saslauthd.te
 --- nsapolicy/domains/program/unused/saslauthd.te	2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/saslauthd.te	2005-10-31 09:50:32.000000000 -0500
++++ policy-1.27.2/domains/program/unused/saslauthd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -39,3 +39,4 @@
  allow saslauthd_t mysqld_db_t:dir search;
  allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
@@ -1678,7 +1699,7 @@
 +dontaudit saslauthd_t self:capability setuid;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.27.2/domains/program/unused/sendmail.te
 --- nsapolicy/domains/program/unused/sendmail.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/sendmail.te	2005-11-03 15:15:08.000000000 -0500
++++ policy-1.27.2/domains/program/unused/sendmail.te	2005-11-07 10:47:22.000000000 -0500
 @@ -13,10 +13,47 @@
  # daemon started by the init rc scripts.
  #
@@ -1753,7 +1774,7 @@
  allow sendmail_t initrc_var_run_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.27.2/domains/program/unused/slapd.te
 --- nsapolicy/domains/program/unused/slapd.te	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/slapd.te	2005-11-04 16:41:54.000000000 -0500
++++ policy-1.27.2/domains/program/unused/slapd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -24,8 +24,9 @@
  can_network(slapd_t)
  allow slapd_t port_type:tcp_socket name_connect;
@@ -1794,7 +1815,7 @@
 +allow slapd_t usr_t:file { create write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.2/domains/program/unused/snmpd.te
 --- nsapolicy/domains/program/unused/snmpd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/snmpd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/snmpd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -80,5 +80,6 @@
  
  allow snmpd_t domain:dir { getattr search };
@@ -1804,7 +1825,7 @@
  dontaudit snmpd_t selinux_config_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.27.2/domains/program/unused/spamd.te
 --- nsapolicy/domains/program/unused/spamd.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/spamd.te	2005-10-28 10:40:44.000000000 -0400
++++ policy-1.27.2/domains/program/unused/spamd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -9,20 +9,22 @@
  
  tmp_domain(spamd)
@@ -1856,7 +1877,7 @@
 +ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.2/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/udev.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/udev.te	2005-11-07 10:47:22.000000000 -0500
 @@ -28,12 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -1883,7 +1904,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.2/domains/program/unused/webalizer.te
 --- nsapolicy/domains/program/unused/webalizer.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/webalizer.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/webalizer.te	2005-11-07 10:47:22.000000000 -0500
 @@ -20,6 +20,9 @@
  #read apache log
  allow webalizer_t var_log_t:dir r_dir_perms;
@@ -1896,7 +1917,7 @@
  var_lib_domain(webalizer)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.2/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/xdm.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/xdm.te	2005-11-07 10:47:22.000000000 -0500
 @@ -372,5 +372,5 @@
  
  #### Also see xdm_macros.te
@@ -1906,7 +1927,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.2/domains/program/unused/yppasswdd.te
 --- nsapolicy/domains/program/unused/yppasswdd.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/domains/program/unused/yppasswdd.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/yppasswdd.te	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,40 @@
 +#DESC yppassdd - NIS password update daemon
 +#
@@ -1950,7 +1971,7 @@
 +rw_dir_create_file(yppasswdd_t, var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.2/domains/program/unused/ypserv.te
 --- nsapolicy/domains/program/unused/ypserv.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ypserv.te	2005-11-03 11:08:20.000000000 -0500
++++ policy-1.27.2/domains/program/unused/ypserv.te	2005-11-07 10:47:22.000000000 -0500
 @@ -40,3 +40,11 @@
  allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
  dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
@@ -1965,7 +1986,7 @@
 +allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.27.2/file_contexts/distros.fc
 --- nsapolicy/file_contexts/distros.fc	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/distros.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/distros.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -89,6 +89,7 @@
  /usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
  /usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
@@ -1976,7 +1997,7 @@
  /usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.27.2/file_contexts/program/apache.fc
 --- nsapolicy/file_contexts/program/apache.fc	2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/apache.fc	2005-10-31 11:34:40.000000000 -0500
++++ policy-1.27.2/file_contexts/program/apache.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -9,6 +9,8 @@
  /var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
  /var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
@@ -1996,7 +2017,7 @@
  /usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/avahi.fc policy-1.27.2/file_contexts/program/avahi.fc
 --- nsapolicy/file_contexts/program/avahi.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/file_contexts/program/avahi.fc	2005-10-28 20:52:18.000000000 -0400
++++ policy-1.27.2/file_contexts/program/avahi.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,4 @@
 +#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
 +/usr/sbin/avahi-daemon		--	system_u:object_r:avahi_exec_t
@@ -2004,7 +2025,7 @@
 +/var/run/avahi-daemon(/.*)? 		system_u:object_r:avahi_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/backup.fc policy-1.27.2/file_contexts/program/backup.fc
 --- nsapolicy/file_contexts/program/backup.fc	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/backup.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/backup.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -3,4 +3,4 @@
  # calls tar) in backup_exec_t and label the directory for storing them as
  # backup_store_t, Debian uses /var/backups
@@ -2013,7 +2034,7 @@
 +/var/backups(/.*)?		system_u:object_r:backup_store_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.2/file_contexts/program/bluetooth.fc
 --- nsapolicy/file_contexts/program/bluetooth.fc	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/bluetooth.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/bluetooth.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -7,3 +7,5 @@
  /usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
  /var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t
@@ -2022,7 +2043,7 @@
 +/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.27.2/file_contexts/program/compat.fc
 --- nsapolicy/file_contexts/program/compat.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/compat.fc	2005-11-03 08:51:12.000000000 -0500
++++ policy-1.27.2/file_contexts/program/compat.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -43,6 +43,7 @@
  /sbin/hdparm		--	system_u:object_r:fsadm_exec_t
  /sbin/raidstart		--	system_u:object_r:fsadm_exec_t
@@ -2031,22 +2052,19 @@
  /sbin/blockdev		--	system_u:object_r:fsadm_exec_t
  /sbin/losetup.*		--	system_u:object_r:fsadm_exec_t
  /sbin/jfs_.*		--	system_u:object_r:fsadm_exec_t
-@@ -55,6 +56,12 @@
+@@ -55,6 +56,9 @@
  /usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
  /sbin/partprobe		--	system_u:object_r:fsadm_exec_t
  ')
 +ifdef(`lvm.te', `', `
 +/sbin/lvm.static	--	system_u:object_r:lvm_exec_t
 +')
-+ifdef(`lvm.te', `', `
-+/sbin/lvm.static	--	system_u:object_r:lvm_exec_t
-+')
  ifdef(`kudzu.te', `', `
  # kudzu
  /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.2/file_contexts/program/dhcpc.fc
 --- nsapolicy/file_contexts/program/dhcpc.fc	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/dhcpc.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/dhcpc.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -8,6 +8,7 @@
  /sbin/dhclient.*	--	system_u:object_r:dhcpc_exec_t
  /var/lib/dhcp(3)?/dhclient.*	system_u:object_r:dhcpc_state_t
@@ -2057,7 +2075,7 @@
  # pump
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.27.2/file_contexts/program/dhcpd.fc
 --- nsapolicy/file_contexts/program/dhcpd.fc	2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/dhcpd.fc	2005-11-04 09:36:48.000000000 -0500
++++ policy-1.27.2/file_contexts/program/dhcpd.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -2,18 +2,17 @@
  /etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t
  /etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
@@ -2083,7 +2101,7 @@
  # for the chroot setup
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/exim.fc policy-1.27.2/file_contexts/program/exim.fc
 --- nsapolicy/file_contexts/program/exim.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/file_contexts/program/exim.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/exim.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,18 @@
 +# exim
 +/usr/sbin/exicyclog		--	system_u:object_r:exicyclog_exec_t
@@ -2105,7 +2123,7 @@
 +/var/log/exim(/.*)?                     system_u:object_r:exim_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.27.2/file_contexts/program/ftpd.fc
 --- nsapolicy/file_contexts/program/ftpd.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/ftpd.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/ftpd.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -10,7 +10,8 @@
  /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
  /var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
@@ -2119,7 +2137,7 @@
 +/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/games.fc policy-1.27.2/file_contexts/program/games.fc
 --- nsapolicy/file_contexts/program/games.fc	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/games.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/games.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -1,5 +1,5 @@
  #  games
 -/usr/lib/games/.* 	--	system_u:object_r:games_exec_t
@@ -2134,7 +2152,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kudzu.fc policy-1.27.2/file_contexts/program/kudzu.fc
 --- nsapolicy/file_contexts/program/kudzu.fc	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/kudzu.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/kudzu.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -1,4 +1,4 @@
  # kudzu
 -/usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
@@ -2143,7 +2161,7 @@
  /var/run/Xconfig --	root:object_r:kudzu_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.2/file_contexts/program/pegasus.fc
 --- nsapolicy/file_contexts/program/pegasus.fc	2005-10-20 15:53:02.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/pegasus.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/pegasus.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -1,11 +1,9 @@
  # File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
  /usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
@@ -2160,7 +2178,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rshd.fc policy-1.27.2/file_contexts/program/rshd.fc
 --- nsapolicy/file_contexts/program/rshd.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/rshd.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/rshd.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -1,3 +1,4 @@
  # rshd.
  /usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t
@@ -2168,7 +2186,7 @@
  /usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.27.2/file_contexts/program/rsync.fc
 --- nsapolicy/file_contexts/program/rsync.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/rsync.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/rsync.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -1,3 +1,3 @@
  # rsync program
  /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
@@ -2176,7 +2194,7 @@
 +/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.27.2/file_contexts/program/sendmail.fc
 --- nsapolicy/file_contexts/program/sendmail.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/sendmail.fc	2005-11-04 16:55:39.000000000 -0500
++++ policy-1.27.2/file_contexts/program/sendmail.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -4,3 +4,12 @@
  /var/log/mail(/.*)?			system_u:object_r:sendmail_log_t
  /var/run/sendmail\.pid		--	system_u:object_r:sendmail_var_run_t
@@ -2192,7 +2210,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/slapd.fc policy-1.27.2/file_contexts/program/slapd.fc
 --- nsapolicy/file_contexts/program/slapd.fc	2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/slapd.fc	2005-11-04 16:43:12.000000000 -0500
++++ policy-1.27.2/file_contexts/program/slapd.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -5,3 +5,15 @@
  /var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t
  /etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t
@@ -2211,7 +2229,7 @@
 +/opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/squid.fc policy-1.27.2/file_contexts/program/squid.fc
 --- nsapolicy/file_contexts/program/squid.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/squid.fc	2005-11-03 17:28:39.000000000 -0500
++++ policy-1.27.2/file_contexts/program/squid.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -6,3 +6,6 @@
  /etc/squid(/.*)?		system_u:object_r:squid_conf_t
  /var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
@@ -2221,14 +2239,22 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/yppasswdd.fc policy-1.27.2/file_contexts/program/yppasswdd.fc
 --- nsapolicy/file_contexts/program/yppasswdd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/file_contexts/program/yppasswdd.fc	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/yppasswdd.fc	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,2 @@
 +# yppasswd
 +/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.2/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/file_contexts/types.fc	2005-10-27 10:26:28.000000000 -0400
-@@ -133,6 +133,7 @@
++++ policy-1.27.2/file_contexts/types.fc	2005-11-07 10:47:22.000000000 -0500
+@@ -72,6 +72,7 @@
+ /var/yp(/.*)?			system_u:object_r:var_yp_t
+ /var/lib(/.*)?			system_u:object_r:var_lib_t
+ /var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
++/var/lib/abl(/.*)?		system_u:object_r:var_auth_t
+ /var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t
+ /var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t
+ /var/lock(/.*)?			system_u:object_r:var_lock_t
+@@ -133,6 +134,7 @@
  /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
  /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
  /dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
@@ -2236,7 +2262,7 @@
  /dev/isdn.*		-c	system_u:object_r:tty_device_t
  /dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
  /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
-@@ -485,6 +486,7 @@
+@@ -485,6 +487,7 @@
  # Turboprint
  #
  /usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
@@ -2244,7 +2270,7 @@
  
  #
  # initrd mount point, only used during boot
-@@ -511,3 +513,5 @@
+@@ -511,3 +514,5 @@
  #
  /srv(/.*)?			system_u:object_r:var_t
  
@@ -2252,7 +2278,7 @@
 +/etc/sysconfig/network-scripts/ifdown-.* 	-- system_u:object_r:bin_t
 diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.2/genfs_contexts
 --- nsapolicy/genfs_contexts	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/genfs_contexts	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/genfs_contexts	2005-11-07 10:47:22.000000000 -0500
 @@ -95,6 +95,7 @@
  genfscon inotifyfs /			system_u:object_r:inotifyfs_t
  genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
@@ -2263,7 +2289,7 @@
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.2/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-09-16 11:17:11.000000000 -0400
-+++ policy-1.27.2/macros/base_user_macros.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/macros/base_user_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -40,6 +40,12 @@
  allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
  can_setfscreate($1_t)
@@ -2287,7 +2313,7 @@
  ifdef(`screen.te', `screen_domain($1)')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.2/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/global_macros.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/macros/global_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -325,27 +325,13 @@
  ') dnl transitionbool
  domain_auto_trans(initrc_t, $1_exec_t, $1_t)
@@ -2347,16 +2373,17 @@
  allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
  allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
  
-@@ -774,4 +761,6 @@
+@@ -774,4 +761,7 @@
  allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
  allow $1 self:capability { audit_write audit_control };
  dontaudit $1 shadow_t:file { getattr read };
 +allow $1 sbin_t:dir search;
 +allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++rw_dir_file($1, var_auth_t)
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.2/macros/home_macros.te
 --- nsapolicy/macros/home_macros.te	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/macros/home_macros.te	2005-10-28 10:33:44.000000000 -0400
++++ policy-1.27.2/macros/home_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -68,7 +68,11 @@
  define(`home_domain_ro_access', `
  allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
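Review bot: `rw_dir_file($1, var_auth_t)` is added to a shared macro, so every domain that expands it gains read/write access to everything labelled var_auth_t. Elsewhere in this patch, types.fc maps that type to `/var/lib/abl(/.*)?`. The macro's name and callers are outside the hunk, but the neighbouring rules (`dontaudit $1 shadow_t:file`, `audit_write audit_control`) suggest it is the authentication macro used by login-type domains. If var_auth_t holds authentication failure records, write access lets each of those domains alter or clear them, so the grant deserves a comment such as `# auth modules record login failures in var_auth_t (/var/lib/abl)`. It is also worth confirming that read-only access would not suffice for some callers.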
@@ -2384,7 +2411,7 @@
  ####################################################################
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.27.2/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/chkpwd_macros.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/macros/program/chkpwd_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -22,21 +22,18 @@
  # read /selinux/mls
  allow $1_chkpwd_t security_t:dir search;
@@ -2411,7 +2438,7 @@
  access_terminal($1_chkpwd_t, $1)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.27.2/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/dbusd_macros.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/macros/program/dbusd_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -41,6 +41,7 @@
  can_getsecurity($1_dbusd_t)
  r_dir_file($1_dbusd_t, default_context_t)
@@ -2422,7 +2449,7 @@
  r_dir_file($1_dbusd_t, pam_var_console_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/exim_macros.te policy-1.27.2/macros/program/exim_macros.te
 --- nsapolicy/macros/program/exim_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/macros/program/exim_macros.te	2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/macros/program/exim_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -0,0 +1,75 @@
 +#DESC Exim - Mail server
 +#
@@ -2501,7 +2528,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.2/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/su_macros.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/macros/program/su_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -68,7 +68,7 @@
  ')
  
@@ -2513,7 +2540,7 @@
  # Caused by su - init scripts
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.27.2/macros/program/ypbind_macros.te
 --- nsapolicy/macros/program/ypbind_macros.te	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/macros/program/ypbind_macros.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/macros/program/ypbind_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -1,4 +1,3 @@
 -
  define(`uncond_can_ypbind', `
@@ -2521,7 +2548,7 @@
  r_dir_file($1,var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.2/macros/user_macros.te
 --- nsapolicy/macros/user_macros.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/user_macros.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/macros/user_macros.te	2005-11-07 10:47:22.000000000 -0500
 @@ -122,6 +122,7 @@
  ifelse($1, sysadm, `',`
  ifdef(`apache.te', `apache_user_domain($1)')
@@ -2532,7 +2559,7 @@
  ifdef(`lockdev.te', `lockdev_domain($1)')
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.2/Makefile
 --- nsapolicy/Makefile	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/Makefile	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/Makefile	2005-11-07 10:47:22.000000000 -0500
 @@ -27,7 +27,7 @@
  GENHOMEDIRCON = $(SBINDIR)/genhomedircon
  SETFILES = $(SBINDIR)/setfiles
@@ -2579,7 +2606,7 @@
  	@echo "Enabling MCS in the Makefile"
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.27.2/man/man8/ftpd_selinux.8
 --- nsapolicy/man/man8/ftpd_selinux.8	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/ftpd_selinux.8	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/man/man8/ftpd_selinux.8	2005-11-07 10:47:22.000000000 -0500
 @@ -8,23 +8,24 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
@@ -2616,7 +2643,7 @@
  SELinux ftp daemon policy is customizable based on least access required.  So by 
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.27.2/man/man8/httpd_selinux.8
 --- nsapolicy/man/man8/httpd_selinux.8	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/httpd_selinux.8	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/man/man8/httpd_selinux.8	2005-11-07 10:47:22.000000000 -0500
 @@ -45,6 +45,15 @@
  .SH NOTE
  With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
@@ -2635,7 +2662,7 @@
  default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.27.2/man/man8/rsync_selinux.8
 --- nsapolicy/man/man8/rsync_selinux.8	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/rsync_selinux.8	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/man/man8/rsync_selinux.8	2005-11-07 10:47:22.000000000 -0500
 @@ -8,16 +8,22 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
@@ -2664,7 +2691,7 @@
  .TP
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.27.2/man/man8/samba_selinux.8
 --- nsapolicy/man/man8/samba_selinux.8	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/samba_selinux.8	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/man/man8/samba_selinux.8	2005-11-07 10:47:22.000000000 -0500
 @@ -20,6 +20,11 @@
  .br
  /var/eng(/.*)? system_u:object_r:samba_share_t
@@ -2690,7 +2717,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.2/mcs
 --- nsapolicy/mcs	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/mcs	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/mcs	2005-11-07 10:47:22.000000000 -0500
 @@ -18,141 +18,77 @@
  #
  # Each category has a name and zero or more aliases.
@@ -2900,7 +2927,7 @@
  # Define the MCS policy
 diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.27.2/mls
 --- nsapolicy/mls	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/mls	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/mls	2005-11-07 10:47:22.000000000 -0500
 @@ -13,12 +13,17 @@
  sensitivity s7;
  sensitivity s8;
@@ -3152,9 +3179,30 @@
  
  
  #
+diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.2/net_contexts
+--- nsapolicy/net_contexts	2005-10-21 11:36:15.000000000 -0400
++++ policy-1.27.2/net_contexts	2005-11-07 12:25:33.000000000 -0500
+@@ -65,6 +65,7 @@
+ portcon tcp 443  system_u:object_r:http_port_t
+ portcon tcp 488  system_u:object_r:http_port_t
+ portcon tcp 8008  system_u:object_r:http_port_t
++portcon tcp 8090  system_u:object_r:http_port_t
+ 
+ portcon tcp 106 system_u:object_r:pop_port_t
+ portcon tcp 109 system_u:object_r:pop_port_t
+@@ -163,6 +164,9 @@
+ portcon tcp 5432 system_u:object_r:postgresql_port_t
+ portcon tcp 5666 system_u:object_r:inetd_child_port_t
+ portcon tcp 5703 system_u:object_r:ptal_port_t
++portcon tcp 9290 system_u:object_r:hplip_port_t
++portcon tcp 9291 system_u:object_r:hplip_port_t
++portcon tcp 9292 system_u:object_r:hplip_port_t
+ portcon tcp 50000 system_u:object_r:hplip_port_t
+ portcon tcp 50002 system_u:object_r:hplip_port_t
+ portcon tcp 5900  system_u:object_r:vnc_port_t 
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.27.2/targeted/assert.te
 --- nsapolicy/targeted/assert.te	2005-09-16 11:17:12.000000000 -0400
-+++ policy-1.27.2/targeted/assert.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/targeted/assert.te	2005-11-07 10:47:22.000000000 -0500
 @@ -22,7 +22,7 @@
  
  # Confined domains must never touch an unconfined domain except to
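Review bot: `portcon tcp 8090  system_u:object_r:http_port_t` is added without a stated reason; the log message only covers hplip and scanimage. Every domain with name_bind or name_connect on http_port_t gains this port, so name the service that needs it, e.g. `# 8090: <service listening on this port>`. The three hplip entries can be written as one range, `portcon tcp 9290-9292 system_u:object_r:hplip_port_t`, which keeps the list shorter and makes the intent clearer.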
@@ -3166,7 +3214,7 @@
  neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.27.2/targeted/domains/program/compat.te
 --- nsapolicy/targeted/domains/program/compat.te	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/compat.te	2005-11-03 08:51:29.000000000 -0500
++++ policy-1.27.2/targeted/domains/program/compat.te	2005-11-07 10:47:22.000000000 -0500
 @@ -1,3 +1,4 @@
  typealias bin_t alias mount_exec_t;
  typealias bin_t alias dmesg_exec_t;
@@ -3174,18 +3222,29 @@
 +typealias sbin_t alias lvm_exec_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.27.2/targeted/domains/program/sendmail.te
 --- nsapolicy/targeted/domains/program/sendmail.te	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/sendmail.te	2005-10-27 10:26:29.000000000 -0400
-@@ -12,7 +12,6 @@
- #
- type sendmail_exec_t, file_type, sysadmfile, exec_type;
- type sendmail_log_t, file_type, sysadmfile;
++++ policy-1.27.2/targeted/domains/program/sendmail.te	1969-12-31 19:00:00.000000000 -0500
+@@ -1,18 +0,0 @@
+-#DESC sendmail 
+-#
+-# Authors:  Daniel Walsh <dwalsh redhat com>
+-#
+-
+-#################################
+-#
+-# Rules for the sendmaild domain.
+-#
+-# sendmail_exec_t is the type of the /usr/sbin/sendmail and other programs.
+-# This domain is defined just for targeted policy. 
+-#
+-type sendmail_exec_t, file_type, sysadmfile, exec_type;
+-type sendmail_log_t, file_type, sysadmfile;
 -type etc_mail_t, file_type, sysadmfile;
- domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
- var_run_domain(sendmail)
- 
+-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+-var_run_domain(sendmail)
+-
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.2/targeted/domains/program/ssh.te
 --- nsapolicy/targeted/domains/program/ssh.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/ssh.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/targeted/domains/program/ssh.te	2005-11-07 10:47:22.000000000 -0500
 @@ -18,5 +18,5 @@
  type sshd_var_run_t, file_type, sysadmfile;
  domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
@@ -3195,7 +3254,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.2/targeted/domains/program/xdm.te
 --- nsapolicy/targeted/domains/program/xdm.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/xdm.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/targeted/domains/program/xdm.te	2005-11-07 10:47:22.000000000 -0500
 @@ -21,6 +21,6 @@
  domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
  domain_auto_trans(init_t, xdm_exec_t, xdm_t)
@@ -3207,7 +3266,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.2/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/targeted/domains/unconfined.te	2005-10-31 10:01:05.000000000 -0500
++++ policy-1.27.2/targeted/domains/unconfined.te	2005-11-07 10:47:22.000000000 -0500
+@@ -13,7 +13,7 @@
+ 
+ # Define some type aliases to help with compatibility with
+ # macros and domains from the "strict" policy.
+-typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
++typealias unconfined_t alias { logrotate_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+ 
+ typeattribute tty_device_t admin_tty_type;
+ typeattribute devpts_t admin_tty_type;
 @@ -81,10 +81,12 @@
  typealias bin_t alias i18n_input_exec_t;
  typealias unconfined_t alias i18n_input_t;
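Review bot: Dropping `sendmail_t` from the `typealias unconfined_t alias { ... }` list, together with the deletion of targeted/domains/program/sendmail.te in the preceding hunk, changes how sendmail is confined in the targeted policy, yet the changelog entry does not mention it. After this change `sendmail_t`, `sendmail_exec_t` and `sendmail_log_t` have to be declared somewhere else in the targeted tree; that declaration is not visible in this part of the patch, so it should be confirmed that the policy still builds and that file contexts referring to `sendmail_exec_t` still resolve. A comment above the typealias would record the decision, e.g. `# sendmail_t is no longer an alias of unconfined_t; declared in <file>` (placeholder). The unconfined.te section of the inner patch continues past what this hunk shows.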
@@ -3226,7 +3294,7 @@
 +dontaudit unconfined_t domain:file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.2/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/tunables/distro.tun	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/tunables/distro.tun	2005-11-07 10:47:22.000000000 -0500
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -3238,7 +3306,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.2/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/tunables/tunable.tun	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/tunables/tunable.tun	2005-11-07 10:47:22.000000000 -0500
 @@ -1,5 +1,5 @@
  # Allow rpm to run unconfined.
 -dnl define(`unlimitedRPM')
@@ -3257,7 +3325,7 @@
  # Otherwise, only staff_r can do so.
 diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.27.2/types/devpts.te
 --- nsapolicy/types/devpts.te	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/types/devpts.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/types/devpts.te	2005-11-07 10:47:22.000000000 -0500
 @@ -18,4 +18,6 @@
  #
  type devpts_t, mount_point, fs_type;
@@ -3268,7 +3336,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.2/types/file.te
 --- nsapolicy/types/file.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/file.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/types/file.te	2005-11-07 10:47:22.000000000 -0500
 @@ -84,6 +84,9 @@
  #
  type etc_t, file_type, sysadmfile;
@@ -3279,7 +3347,15 @@
  #
  # shadow_t is the type of the /etc/shadow file
  #
-@@ -273,9 +276,6 @@
+@@ -196,6 +199,7 @@
+ type faillog_t, file_type, sysadmfile, logfile;
+ type var_lock_t, file_type, sysadmfile, lockfile;
+ type var_lib_t, mount_point, file_type, sysadmfile;
++type var_auth_t, file_type, sysadmfile, logfile;
+ # for /var/{spool,lib}/texmf index files
+ type tetex_data_t, file_type, sysadmfile, tmpfile;
+ type var_spool_t, file_type, sysadmfile, tmpfile;
+@@ -273,9 +277,6 @@
  #
  allow { file_type device_type ttyfile } fs_t:filesystem associate;
  
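Review bot: The new `type var_auth_t, file_type, sysadmfile, logfile;` declaration has no comment saying what it labels, unlike its neighbours (`# shadow_t is the type of the /etc/shadow file`, `# for /var/{spool,lib}/texmf index files`). Because it carries the `logfile` attribute, every rule written against `logfile` applies to it, including the `allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;` rule in the same file. If the type holds authentication state rather than a log (the name suggests this, but the page does not say), that attribute may grant more access than intended. I would add `# var_auth_t is the type of <path>` (placeholder) above the line and check which domains reach it through `logfile`.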
@@ -3289,7 +3365,7 @@
  type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
  allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
  allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-@@ -284,29 +284,13 @@
+@@ -284,29 +285,13 @@
  ')
  
  type autofs_t, fs_type, noexattrfile, sysadmfile;
@@ -3319,7 +3395,7 @@
  typealias file_t alias  mqueue_t;
  
  # udev_runtime_t is the type of the udev table file
-@@ -316,29 +300,26 @@
+@@ -316,29 +301,26 @@
  type krb5_conf_t, file_type, sysadmfile;
  
  type cifs_t, fs_type, noexattrfile, sysadmfile;
@@ -3360,7 +3436,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.2/types/network.te
 --- nsapolicy/types/network.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/network.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/types/network.te	2005-11-07 10:47:22.000000000 -0500
 @@ -18,7 +18,7 @@
  type dhcpd_port_t, port_type, reserved_port_type;
  type smbd_port_t, port_type, reserved_port_type;
@@ -3403,7 +3479,7 @@
  type rsync_port_t, port_type, reserved_port_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.27.2/types/nfs.te
 --- nsapolicy/types/nfs.te	2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/types/nfs.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/types/nfs.te	2005-11-07 10:47:22.000000000 -0500
 @@ -18,5 +18,4 @@
  #
  # Allow NFS files to be associated with an NFS file system.
@@ -3412,7 +3488,7 @@
  allow file_type nfs_t:filesystem associate;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.2/types/security.te
 --- nsapolicy/types/security.te	2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/security.te	2005-10-27 10:26:29.000000000 -0400
++++ policy-1.27.2/types/security.te	2005-11-07 10:47:22.000000000 -0500
 @@ -13,6 +13,8 @@
  # applied to selinuxfs inodes.
  #


Index: selinux-policy-mls.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/selinux-policy-mls.spec,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- selinux-policy-mls.spec	4 Nov 2005 22:35:21 -0000	1.116
+++ selinux-policy-mls.spec	7 Nov 2005 18:57:03 -0000	1.117
@@ -9,7 +9,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.27.2
-Release: 15
+Release: 16
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -242,6 +242,11 @@
 exit 0
 
 %changelog
+* Fri Nov 7 2005 Dan Walsh <dwalsh redhat com> 1.27.2-16
+- Allow scanimage to work with hplip
+- Fix multiple definititions in file context
+- Fix missing launch
+
 * Fri Nov 4 2005 Dan Walsh <dwalsh redhat com> 1.27.2-15
 - Add mls fixes for getty and login
 - Allow getty to send mail

