rpms/selinux-policy-targeted/FC-4 policy-20050916.patch, 1.18, 1.19 selinux-policy-targeted.spec, 1.350, 1.351

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Nov 30 22:06:41 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv24084

Modified Files:
	policy-20050916.patch selinux-policy-targeted.spec 
Log Message:
* Mon Nov 28 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.15
- Allow privoxy to write /etc/privoxy/user.action
- allow syslog to log to tty in targeted
- Allow dovecot to read etc_runtime_t
- Fixes for procmail and spam
- Allow zebra to write routing rules


policy-20050916.patch:
 Makefile                                 |   26 +-
 attrib.te                                |  100 +++++++++-
 domains/admin.te                         |    2 
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    2 
 domains/program/fsadm.te                 |    9 
 domains/program/getty.te                 |    2 
 domains/program/hostname.te              |    2 
 domains/program/ifconfig.te              |   10 -
 domains/program/init.te                  |    2 
 domains/program/initrc.te                |   26 ++
 domains/program/ldconfig.te              |    3 
 domains/program/load_policy.te           |   11 -
 domains/program/login.te                 |   23 +-
 domains/program/logrotate.te             |    2 
 domains/program/modutil.te               |   27 +-
 domains/program/mount.te                 |    6 
 domains/program/netutils.te              |    3 
 domains/program/newrole.te               |    4 
 domains/program/passwd.te                |    2 
 domains/program/restorecon.te            |    6 
 domains/program/setfiles.te              |    4 
 domains/program/ssh.te                   |    6 
 domains/program/su.te                    |   12 +
 domains/program/syslogd.te               |    7 
 domains/program/tmpreaper.te             |    2 
 domains/program/unused/NetworkManager.te |   13 +
 domains/program/unused/alsa.te           |    2 
 domains/program/unused/amanda.te         |   74 +------
 domains/program/unused/anaconda.te       |    5 
 domains/program/unused/apache.te         |   23 +-
 domains/program/unused/apmd.te           |   25 ++
 domains/program/unused/auditd.te         |    9 
 domains/program/unused/automount.te      |    4 
 domains/program/unused/avahi.te          |   31 +++
 domains/program/unused/bluetooth.te      |   72 +++++++
 domains/program/unused/cups.te           |   24 +-
 domains/program/unused/cvs.te            |    2 
 domains/program/unused/cyrus.te          |   10 -
 domains/program/unused/dbusd.te          |    4 
 domains/program/unused/dcc.te            |    5 
 domains/program/unused/dhcpc.te          |    6 
 domains/program/unused/dhcpd.te          |    4 
 domains/program/unused/dovecot.te        |    6 
 domains/program/unused/exim.te           |  309 +++++++++++++++++++++++++++++++
 domains/program/unused/ftpd.te           |    6 
 domains/program/unused/hald.te           |    5 
 domains/program/unused/hotplug.te        |   10 -
 domains/program/unused/hwclock.te        |    1 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    5 
 domains/program/unused/mta.te            |    7 
 domains/program/unused/mysqld.te         |   10 -
 domains/program/unused/named.te          |   27 ++
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |   10 -
 domains/program/unused/openct.te         |   16 +
 domains/program/unused/pamconsole.te     |    4 
 domains/program/unused/pegasus.te        |   36 +++
 domains/program/unused/ping.te           |    2 
 domains/program/unused/postfix.te        |   63 ++++--
 domains/program/unused/postgresql.te     |   11 -
 domains/program/unused/pppd.te           |   23 +-
 domains/program/unused/privoxy.te        |    2 
 domains/program/unused/procmail.te       |   16 +
 domains/program/unused/radius.te         |    3 
 domains/program/unused/readahead.te      |   21 ++
 domains/program/unused/rlogind.te        |    4 
 domains/program/unused/roundup.te        |   29 ++
 domains/program/unused/rpcd.te           |   18 +
 domains/program/unused/rpm.te            |    4 
 domains/program/unused/rsync.te          |    3 
 domains/program/unused/samba.te          |   15 +
 domains/program/unused/saslauthd.te      |    1 
 domains/program/unused/sendmail.te       |    3 
 domains/program/unused/slapd.te          |   25 ++
 domains/program/unused/snmpd.te          |    6 
 domains/program/unused/spamd.te          |   28 --
 domains/program/unused/squid.te          |    4 
 domains/program/unused/udev.te           |   10 -
 domains/program/unused/utempter.te       |    2 
 domains/program/unused/webalizer.te      |    3 
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 
 domains/program/unused/yppasswdd.te      |   40 ++++
 domains/program/unused/ypserv.te         |    9 
 domains/program/unused/zebra.te          |    2 
 domains/program/useradd.te               |    5 
 file_contexts/distros.fc                 |    2 
 file_contexts/program/apache.fc          |    3 
 file_contexts/program/bluetooth.fc       |    3 
 file_contexts/program/compat.fc          |    4 
 file_contexts/program/dhcpc.fc           |    2 
 file_contexts/program/dhcpd.fc           |    5 
 file_contexts/program/ftpd.fc            |    5 
 file_contexts/program/games.fc           |   11 -
 file_contexts/program/innd.fc            |   15 -
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |    9 
 file_contexts/program/pppd.fc            |    2 
 file_contexts/program/privoxy.fc         |    1 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/rpm.fc             |    4 
 file_contexts/program/rshd.fc            |    1 
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/slapd.fc           |   12 +
 file_contexts/program/squid.fc           |    3 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    6 
 genfs_contexts                           |    3 
 macros/base_user_macros.te               |    7 
 macros/core_macros.te                    |    9 
 macros/global_macros.te                  |   33 ++-
 macros/home_macros.te                    |    9 
 macros/network_macros.te                 |   17 +
 macros/program/apache_macros.te          |   13 +
 macros/program/bonobo_macros.te          |    2 
 macros/program/cdrecord_macros.te        |    6 
 macros/program/chkpwd_macros.te          |    8 
 macros/program/crontab_macros.te         |    2 
 macros/program/dbusd_macros.te           |    7 
 macros/program/gconf_macros.te           |    2 
 macros/program/gift_macros.te            |    2 
 macros/program/gpg_macros.te             |    2 
 macros/program/i18n_input_macros.te      |   21 ++
 macros/program/lpr_macros.te             |    2 
 macros/program/mta_macros.te             |    4 
 macros/program/newrole_macros.te         |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/su_macros.te              |    4 
 macros/program/uml_macros.te             |    2 
 macros/program/xdm_macros.te             |    2 
 macros/program/ypbind_macros.te          |    1 
 macros/user_macros.te                    |    7 
 man/man8/ftpd_selinux.8                  |   19 +
 man/man8/httpd_selinux.8                 |    9 
 man/man8/rsync_selinux.8                 |   12 -
 man/man8/samba_selinux.8                 |    9 
 mcs                                      |  210 ++++++++-------------
 mls                                      |  270 ++++++++++-----------------
 net_contexts                             |   13 +
 targeted/appconfig/root_default_contexts |    4 
 targeted/assert.te                       |    2 
 targeted/domains/program/compat.te       |    1 
 targeted/domains/program/sendmail.te     |    1 
 targeted/domains/program/ssh.te          |    3 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |   15 +
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/device.te                          |    4 
 types/devpts.te                          |    4 
 types/file.te                            |   46 +---
 types/network.te                         |   13 -
 types/nfs.te                             |    1 
 types/security.te                        |    6 
 161 files changed, 1664 insertions(+), 685 deletions(-)

Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/policy-20050916.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- policy-20050916.patch	10 Nov 2005 01:53:18 -0000	1.18
+++ policy-20050916.patch	30 Nov 2005 22:06:36 -0000	1.19
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.27.1/attrib.te
 --- nsapolicy/attrib.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/attrib.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/attrib.te	2005-11-30 16:42:28.000000000 -0500
 @@ -8,51 +8,130 @@
  # explicitly declared here, and can then be associated with particular
  # types in type declarations.  Attribute names can then be used throughout 
@@ -162,7 +162,7 @@
  # of the file system.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.27.1/domains/admin.te
 --- nsapolicy/domains/admin.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/admin.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/admin.te	2005-11-30 16:42:28.000000000 -0500
 @@ -4,7 +4,7 @@
  
  # sysadm_t is the system administrator domain.
@@ -174,7 +174,7 @@
  allow privhome home_root_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.1/domains/misc/kernel.te
 --- nsapolicy/domains/misc/kernel.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/misc/kernel.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/misc/kernel.te	2005-11-30 16:42:28.000000000 -0500
 @@ -30,7 +30,7 @@
  
  ifdef(`mls_policy', `
@@ -186,7 +186,7 @@
  # Share state with the init process.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/crond.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/crond.te	2005-11-30 16:42:28.000000000 -0500
 @@ -106,7 +106,7 @@
  
  # Inherit and use descriptors from initrc for anacron.
@@ -198,7 +198,7 @@
  allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/fsadm.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/fsadm.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,7 +12,7 @@
  # administration.
  # fsadm_exec_t is the type of the corresponding programs.
@@ -230,7 +230,7 @@
 +allow fsadm_t file_type:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.27.1/domains/program/getty.te
 --- nsapolicy/domains/program/getty.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/getty.te	2005-11-09 20:30:51.000000000 -0500
++++ policy-1.27.1/domains/program/getty.te	2005-11-30 16:42:28.000000000 -0500
 @@ -8,7 +8,7 @@
  #
  # Rules for the getty_t domain.
@@ -242,7 +242,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.27.1/domains/program/hostname.te
 --- nsapolicy/domains/program/hostname.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/hostname.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/hostname.te	2005-11-30 16:42:28.000000000 -0500
 @@ -24,5 +24,5 @@
  ifdef(`distro_redhat', `
  allow hostname_t tmpfs_t:chr_file rw_file_perms;
@@ -252,8 +252,21 @@
  allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ifconfig.te	2005-11-03 18:21:50.000000000 -0500
-@@ -52,7 +52,8 @@
++++ policy-1.27.1/domains/program/ifconfig.te	2005-11-30 16:57:09.000000000 -0500
+@@ -35,7 +35,12 @@
+ 
+ # Use capabilities.
+ allow ifconfig_t self:capability { net_raw net_admin };
++bool allow_ifconfig_sys_module false;
++if (allow_ifconfig_sys_module) {
++allow ifconfig_t self:capability sys_module;
++} else {
+ dontaudit ifconfig_t self:capability sys_module;
++}
+ allow ifconfig_t self:capability sys_tty_config;
+ 
+ # Inherit and use descriptors from init.
+@@ -52,7 +57,8 @@
  allow ifconfig_t self:udp_socket create_socket_perms;
  
  # Access terminals.
@@ -263,7 +276,7 @@
  ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
  
  allow ifconfig_t tun_tap_device_t:chr_file { read write };
-@@ -60,7 +61,7 @@
+@@ -60,7 +66,7 @@
  # ifconfig attempts to search some sysctl entries.
  # Do not audit those attempts; comment out these rules if it is desired to
  # see the denials.
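Review bot: The new `allow_ifconfig_sys_module` boolean, when turned on, grants ifconfig_t the `sys_module` capability, which is kernel-module loading and therefore amounts to full kernel access for anything that reaches this domain, so the `false` default is the right one and the reason for it should be stated on the bool itself. The `dontaudit` in the else branch also means an administrator who actually needs the boolean will never see the denial that would point them to it unless they disable dontaudit rules first. Suggest a comment directly above the bool such as `# Off by default: sys_module lets ifconfig load arbitrary kernel modules (presumably for interface module autoload); denials are not audited, so enable deliberately if network scripts need it.` The ifconfig_t domain definition continues outside this hunk.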
@@ -274,7 +287,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/initrc.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/initrc.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,7 +12,7 @@
  # initrc_exec_t is the type of the init program.
  #
@@ -335,7 +348,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.27.1/domains/program/init.te
 --- nsapolicy/domains/program/init.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/init.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/init.te	2005-11-30 16:42:28.000000000 -0500
 @@ -14,7 +14,7 @@
  # by init during initialization.  This pipe is used
  # to communicate with init.
@@ -347,7 +360,7 @@
  type init_exec_t, file_type, sysadmfile, exec_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
 --- nsapolicy/domains/program/ldconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ldconfig.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/ldconfig.te	2005-11-30 16:42:28.000000000 -0500
 @@ -16,7 +16,8 @@
  
  domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
@@ -360,7 +373,7 @@
  uses_shlib(ldconfig_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.27.1/domains/program/load_policy.te
 --- nsapolicy/domains/program/load_policy.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/load_policy.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/load_policy.te	2005-11-30 16:42:28.000000000 -0500
 @@ -8,6 +8,10 @@
  # load_policy_t is the domain type for load_policy 
  # load_policy_exec_t is the file type for the executable
@@ -390,7 +403,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/login.te	2005-11-09 20:32:38.000000000 -0500
++++ policy-1.27.1/domains/program/login.te	2005-11-30 16:42:28.000000000 -0500
 @@ -13,7 +13,7 @@
  
  # $1 is the name of the domain (local or remote)
@@ -451,7 +464,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.27.1/domains/program/logrotate.te
 --- nsapolicy/domains/program/logrotate.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/logrotate.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/logrotate.te	2005-11-30 16:42:28.000000000 -0500
 @@ -13,7 +13,7 @@
  # logrotate_t is the domain for the logrotate program.
  # logrotate_exec_t is the type of the corresponding program.
@@ -463,7 +476,7 @@
  uses_shlib(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
 --- nsapolicy/domains/program/modutil.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/modutil.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/modutil.te	2005-11-30 16:42:28.000000000 -0500
 @@ -59,7 +59,8 @@
  allow depmod_t modules_object_t:file unlink;
  
@@ -550,7 +563,7 @@
  allow update_modules_t urandom_device_t:chr_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.27.1/domains/program/mount.te
 --- nsapolicy/domains/program/mount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/mount.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/mount.te	2005-11-30 16:42:28.000000000 -0500
 @@ -16,13 +16,14 @@
  role sysadm_r types mount_t;
  role system_r types mount_t;
@@ -576,7 +589,7 @@
  allow mount_t proc_t:lnk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.27.1/domains/program/netutils.te
 --- nsapolicy/domains/program/netutils.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/netutils.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/netutils.te	2005-11-30 16:42:28.000000000 -0500
 @@ -55,7 +55,8 @@
  
  # Access terminals.
@@ -589,7 +602,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.27.1/domains/program/newrole.te
 --- nsapolicy/domains/program/newrole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/newrole.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/newrole.te	2005-11-30 16:42:28.000000000 -0500
 @@ -18,3 +18,7 @@
  allow newrole_t initrc_var_run_t:file rw_file_perms;
  
@@ -600,7 +613,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.27.1/domains/program/passwd.te
 --- nsapolicy/domains/program/passwd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/passwd.te	2005-11-09 20:32:17.000000000 -0500
++++ policy-1.27.1/domains/program/passwd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -42,7 +42,7 @@
  allow $1_t etc_t:lnk_file read;
  
@@ -612,7 +625,7 @@
  allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/restorecon.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/restorecon.te	2005-11-30 16:42:28.000000000 -0500
 @@ -19,7 +19,7 @@
  role sysadm_r types restorecon_t;
  role secadm_r types restorecon_t;
@@ -632,7 +645,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
 --- nsapolicy/domains/program/setfiles.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/setfiles.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/setfiles.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,7 +12,7 @@
  #
  # needs auth_write attribute because it has relabelfrom/relabelto
@@ -653,7 +666,7 @@
  allow setfiles_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ssh.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/ssh.te	2005-11-30 16:42:28.000000000 -0500
 @@ -153,6 +153,7 @@
  #
  sshd_program_domain(sshd)
@@ -680,8 +693,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
 --- nsapolicy/domains/program/su.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/su.te	2005-11-03 18:21:50.000000000 -0500
-@@ -12,3 +12,12 @@
++++ policy-1.27.1/domains/program/su.te	2005-11-30 16:42:28.000000000 -0500
+@@ -12,3 +12,15 @@
  
  # Everything else is in the su_domain macro in
  # macros/program/su_macros.te.
@@ -690,13 +703,16 @@
 +ifdef(`targeted_policy', `
 +range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 +domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
++# allow user to suspend terminal
++allow sysadm_su_t unconfined_t:process signal;
++allow sysadm_su_t self:process { signal sigstop };
 +can_exec(sysadm_su_t, bin_t)
 +rw_dir_create_file(sysadm_su_t, home_dir_type)
 +')
 +')
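Review bot: The comment `# allow user to suspend terminal` describes a narrower intent than the rule under it grants: `signal` is the catch-all signal permission (everything except sigkill, sigstop, sigchld and signull), so sysadm_su_t may send any of those to unconfined_t processes, not only SIGTSTP. In targeted policy unconfined_t is already unconfined, so the practical exposure is small, but the comment should say what is actually allowed, e.g. `# targeted: let the su child signal its unconfined caller (job control / terminal suspend)`. The `ifdef(`targeted_policy')` block is fully within the hunk.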
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.1/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/syslogd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/syslogd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -14,9 +14,9 @@
  # by syslogd.
  #
@@ -718,9 +734,17 @@
  
  # Use capabilities.
  allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
+@@ -97,6 +97,7 @@
+ allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ ifdef(`targeted_policy', `
+ allow syslogd_t var_run_t:fifo_file { ioctl read write };
++allow syslogd_t ttyfile:chr_file { getattr write ioctl append };
+ ')
+ 
+ # Allow access to /proc/kmsg for syslog-ng
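Review bot: The added targeted rule `allow syslogd_t ttyfile:chr_file { getattr write ioctl append };` grants `ioctl` on every type carrying the ttyfile attribute, which includes users' and administrators' login terminals, and in a policy of this generation `ioctl` is unfiltered, so it covers input-injecting ioctls such as TIOCSTI and not just terminal queries. Writing emergency messages to terminals needs only getattr, write and append; if the motivating denial was limited to those, drop ioctl: `allow syslogd_t ttyfile:chr_file { getattr write append };`, or if a specific ioctl is required, record which one in a comment. As written, a compromised syslogd could drive any logged-in tty rather than merely print to it.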
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.27.1/domains/program/tmpreaper.te
 --- nsapolicy/domains/program/tmpreaper.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/tmpreaper.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/tmpreaper.te	2005-11-30 16:42:28.000000000 -0500
 @@ -8,7 +8,7 @@
  #
  # Rules for the tmpreaper_t domain.
@@ -732,7 +756,7 @@
  role system_r types tmpreaper_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/alsa.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/alsa.te	2005-11-30 16:42:28.000000000 -0500
 @@ -11,6 +11,8 @@
  allow alsa_t self:unix_stream_socket create_stream_socket_perms;
  allow alsa_t self:unix_dgram_socket create_socket_perms;
@@ -744,7 +768,7 @@
  allow alsa_t self:capability { setgid setuid ipc_owner };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/amanda.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/amanda.te	2005-11-30 16:42:28.000000000 -0500
 @@ -84,7 +84,6 @@
  
  # configuration files -> read only
@@ -906,7 +930,7 @@
 +allow amanda_t file_type:fifo_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
 --- nsapolicy/domains/program/unused/anaconda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/anaconda.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/anaconda.te	2005-11-30 16:42:28.000000000 -0500
 @@ -17,11 +17,6 @@
  role system_r types ldconfig_t;
  domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
@@ -921,7 +945,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apache.te	2005-11-03 18:22:36.000000000 -0500
++++ policy-1.27.1/domains/program/unused/apache.te	2005-11-30 16:42:28.000000000 -0500
 @@ -113,9 +113,12 @@
  can_network_server(httpd_t)
  can_kerberos(httpd_t)
@@ -993,7 +1017,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apmd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/apmd.te	2005-11-30 16:42:28.000000000 -0500
+@@ -9,7 +9,7 @@
+ #
+ # Rules for the apmd_t domain.
+ #
+-daemon_domain(apmd, `, privmodule, nscd_client_domain')
++daemon_domain(apmd, `, privmodule, privmail, nscd_client_domain')
+ 
+ # for SSP
+ allow apmd_t urandom_device_t:chr_file read;
 @@ -47,6 +47,7 @@
  
  # acpid also has a logfile
@@ -1002,7 +1035,17 @@
  
  ifdef(`distro_suse', `
  var_lib_domain(apmd)
-@@ -140,3 +141,21 @@
+@@ -130,13 +131,27 @@
+ allow apmd_t crond_t:fifo_file { getattr read write ioctl };
+ ')
+ 
+-ifdef(`mta.te', `
+-domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t) 
+-')
+-
+ # for a find /dev operation that gets /dev/shm
+ dontaudit apmd_t tmpfs_t:dir r_dir_perms;
+ dontaudit apmd_t selinux_config_t:dir search;
  allow apmd_t user_tty_type:chr_file rw_file_perms;
  # Access /dev/apm_bios.
  allow initrc_t apm_bios_t:chr_file { setattr getattr read };
@@ -1026,7 +1069,7 @@
 +')
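Review bot: The removed `domain_auto_trans(apmd_t, sendmail_exec_t, system_mail_t)` was guarded by `ifdef(`mta.te')`, whereas its replacement, the `privmail` attribute added to the daemon_domain line in the previous hunk, is defined in mta_macros.te which is not in view; confirm it still yields the same transition under targeted and nothing broader, since attribute-based mail access of this kind typically carries additional access to mail spool and configuration types beyond a single transition. A short comment beside the attribute stating why apmd needs to send mail, e.g. `# privmail: apmd event scripts mail the admin`, would tell the next reader what the wider grant is for. The apmd_t domain definition continues outside this hunk.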
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/auditd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/auditd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,6 +12,12 @@
  
  daemon_domain(auditd)
@@ -1040,15 +1083,16 @@
  allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
  allow auditd_t self:unix_dgram_socket create_socket_perms;
  allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
-@@ -65,3 +71,5 @@
+@@ -65,3 +71,6 @@
  allow auditctl_t privfd:fd use;
  
  
 +allow auditd_t sbin_t:dir search;
 +can_exec(auditd_t, sbin_t)
++allow auditd_t self:fifo_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
 --- nsapolicy/domains/program/unused/automount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/automount.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/automount.te	2005-11-30 16:42:28.000000000 -0500
 @@ -34,7 +34,9 @@
  can_exec(automount_t, { etc_t automount_etc_t })
  
@@ -1074,7 +1118,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/avahi.te policy-1.27.1/domains/program/unused/avahi.te
 --- nsapolicy/domains/program/unused/avahi.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/avahi.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/avahi.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,31 @@
 +#DESC avahi - mDNS/DNS-SD daemon implementing Apple’s ZeroConf architecture
 +#
@@ -1109,7 +1153,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-11-30 16:42:28.000000000 -0500
 @@ -11,16 +11,23 @@
  daemon_domain(bluetooth)
  
@@ -1212,8 +1256,13 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te	2005-11-03 18:21:50.000000000 -0500
-@@ -48,7 +48,7 @@
++++ policy-1.27.1/domains/program/unused/cups.te	2005-11-30 16:42:28.000000000 -0500
+@@ -44,11 +44,11 @@
+ ')
+ 
+ # write to spool
+-allow cupsd_t var_spool_t:dir search;
++allow cupsd_t var_spool_t:dir { getattr search };
  
  # this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
  file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
@@ -1276,6 +1325,15 @@
  ')dnl end if dbusd.te
  
  allow hald_t cupsd_config_t:process signal;
+@@ -303,7 +307,7 @@
+ allow initrc_t cupsd_t:dbus send_msg;
+ allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
+ allow unconfined_t cupsd_config_t:dbus send_msg;
+-allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
++allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file r_file_perms;
+ ')
+ typealias printer_port_t alias cupsd_lpd_port_t;
+ inetd_child_domain(cupsd_lpd)
 @@ -311,3 +315,7 @@
  r_dir_file(cupsd_lpd_t, cupsd_etc_t)
  r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
@@ -1286,7 +1344,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.27.1/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cvs.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/cvs.te	2005-11-30 16:42:28.000000000 -0500
 @@ -23,6 +23,8 @@
  allow cvs_t etc_runtime_t:file { getattr read };
  allow system_mail_t cvs_data_t:file { getattr read };
@@ -1298,7 +1356,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cyrus.te	2005-11-03 18:23:17.000000000 -0500
++++ policy-1.27.1/domains/program/unused/cyrus.te	2005-11-30 16:42:28.000000000 -0500
 @@ -42,7 +42,7 @@
  create_dir_file(cyrus_t, mail_spool_t)
  allow cyrus_t var_spool_t:dir search;
@@ -1322,7 +1380,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dbusd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/dbusd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,7 +12,7 @@
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -1340,7 +1398,7 @@
 +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dcc.te policy-1.27.1/domains/program/unused/dcc.te
 --- nsapolicy/domains/program/unused/dcc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dcc.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/dcc.te	2005-11-30 16:42:28.000000000 -0500
 @@ -200,9 +200,8 @@
  can_exec_any(dcc_script_t)
  dcc_common(dcc_script)
@@ -1355,7 +1413,7 @@
  # the dcc user (even though the default dcc user is root).
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-11-09 20:33:51.000000000 -0500
++++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-11-30 16:42:28.000000000 -0500
 @@ -120,6 +120,8 @@
  allow dhcpc_t self:packet_socket create_socket_perms;
  allow dhcpc_t var_lib_t:dir search;
@@ -1389,7 +1447,7 @@
 +allow dhcpc_t locale_t:file write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.1/domains/program/unused/dhcpd.te
 --- nsapolicy/domains/program/unused/dhcpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-11-09 20:33:52.000000000 -0500
++++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -17,8 +17,6 @@
  #
  daemon_domain(dhcpd, `, nscd_client_domain')
@@ -1417,7 +1475,7 @@
  allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
 --- nsapolicy/domains/program/unused/dovecot.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dovecot.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/dovecot.te	2005-11-30 16:42:28.000000000 -0500
 @@ -43,7 +43,9 @@
  can_kerberos(dovecot_t)
  
@@ -1429,9 +1487,15 @@
  create_dir_file(dovecot_t, dovecot_spool_t)
  create_dir_file(mta_delivery_agent, dovecot_spool_t)
  allow dovecot_t mail_spool_t:lnk_file read;
+@@ -70,4 +72,4 @@
+ read_sysctl(dovecot_auth_t)
+ allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+ dontaudit dovecot_auth_t selinux_config_t:dir search;
+-
++allow dovecot_auth_t etc_runtime_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.1/domains/program/unused/exim.te
 --- nsapolicy/domains/program/unused/exim.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/exim.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/exim.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,309 @@
 +#DESC Exim - Mail server
 +#
@@ -1461,7 +1525,7 @@
 +# The exim daemon gets to listen to mail coming back from amavisd
 +# For identd lookups
 +allow exim_t inetd_child_port_t:tcp_socket name_connect;
-+allow exim_t self:unix_dgram_socket create_socke_perms;
++allow exim_t self:unix_dgram_socket create_socket_perms;
 +
 +# Lock file between exim processes. Exim creates a lock file in /tmp
 +# that doesn't transition to the exim_tmp_t domain for some reason,
@@ -1744,7 +1808,7 @@
 +rw_dir_file(exim_db_rw_t, exim_spool_db_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.1/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ftpd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/ftpd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -99,9 +99,11 @@
  
  if (ftp_home_dir) {
@@ -1761,7 +1825,7 @@
  	r_dir_file(ftpd_t, nfs_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.1/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hald.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/hald.te	2005-11-30 16:42:28.000000000 -0500
 @@ -24,7 +24,8 @@
  allow hald_t self:dbus send_msg;
  ')
@@ -1780,16 +1844,16 @@
 +r_dir_file(hald_t, hwdata_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hotplug.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/hotplug.te	2005-11-30 16:42:28.000000000 -0500
 @@ -11,9 +11,9 @@
  # hotplug_exec_t is the type of the hotplug executable.
  #
  ifdef(`unlimitedUtils', `
 -daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
-+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
++daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, privmail, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
  ', `
 -daemon_domain(hotplug, `, privmodule')
-+daemon_domain(hotplug, `, privmodule, nscd_client_domain')
++daemon_domain(hotplug, `, privmodule, privmail, nscd_client_domain')
  ')
  
  etcdir_domain(hotplug)
@@ -1801,9 +1865,22 @@
  allow hotplug_t udev_runtime_t:file rw_file_perms;
  ifdef(`lpd.te', `
  allow hotplug_t printer_device_t:chr_file setattr;
+@@ -150,11 +151,8 @@
+ can_ypbind(hotplug_t)
+ dbusd_client(system, hotplug)
+ 
+-# Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
++# Allow hotplug (including /sbin/ifup-local) to start/stop services
+ domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
+-ifdef(`mta.te', `
+-domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
+-')
+ 
+ allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
+ allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hwclock.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/hwclock.te	2005-11-30 16:42:28.000000000 -0500
 @@ -47,3 +47,4 @@
  # for when /usr is not mounted
  dontaudit hwclock_t file_t:dir search;
@@ -1811,7 +1888,7 @@
 +r_dir_file(hwclock_t, etc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.1/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ipsec.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/ipsec.te	2005-11-30 16:42:28.000000000 -0500
 @@ -219,7 +219,7 @@
  dontaudit ipsec_mgmt_t selinux_config_t:dir search;
  dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -1823,7 +1900,7 @@
  allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/kudzu.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/kudzu.te	2005-11-30 16:42:28.000000000 -0500
 @@ -20,7 +20,7 @@
  allow kudzu_t ramfs_t:dir search;
  allow kudzu_t ramfs_t:sock_file write;
@@ -1852,7 +1929,7 @@
  allow kudzu_t initrc_t:unix_stream_socket connectto;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mta.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/mta.te	2005-11-30 17:01:28.000000000 -0500
 @@ -31,6 +31,10 @@
  create_dir_file(system_mail_t, mail_spool_t)
  allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
@@ -1864,17 +1941,16 @@
  ', `
  ifdef(`sendmail.te', `
  # sendmail has an ugly design, the one process parses input from the user and
-@@ -72,3 +76,7 @@
+@@ -72,3 +76,6 @@
  
  allow system_mail_t etc_runtime_t:file { getattr read };
  allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
 +ifdef(`targeted_policy', `
 +typealias system_mail_t alias sysadm_mail_t;
 +')
-+
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mysqld.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/mysqld.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,7 +12,7 @@
  #
  daemon_domain(mysqld, `, nscd_client_domain')
@@ -1907,7 +1983,7 @@
  # read config files
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.1/domains/program/unused/named.te
 --- nsapolicy/domains/program/unused/named.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/named.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/named.te	2005-11-30 16:42:28.000000000 -0500
 @@ -36,7 +36,7 @@
  allow named_t self:process { setsched setcap setrlimit };
  
@@ -1963,7 +2039,7 @@
  allow ndc_t etc_t:dir r_dir_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-11-30 16:42:28.000000000 -0500
 @@ -11,7 +11,7 @@
  # NetworkManager_t is the domain for the NetworkManager daemon. 
  # NetworkManager_exec_t is the type of the NetworkManager executable.
@@ -1998,7 +2074,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.1/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/nscd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/nscd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -76,3 +76,4 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
@@ -2006,7 +2082,7 @@
 +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ntpd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/ntpd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -26,11 +26,11 @@
  # for SSP
  allow ntpd_t urandom_device_t:chr_file { getattr read };
@@ -2034,7 +2110,7 @@
  can_exec(ntpd_t, initrc_exec_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
 --- nsapolicy/domains/program/unused/openct.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/openct.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/openct.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,16 @@
 +#DESC openct - read files in page cache 
 +#
@@ -2054,7 +2130,7 @@
 +allow openct_t etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
 --- nsapolicy/domains/program/unused/pamconsole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-11-30 16:42:28.000000000 -0500
 @@ -3,7 +3,7 @@
  #
  # pam_console_apply
@@ -2079,7 +2155,7 @@
 +nsswitch_domain(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te
 --- nsapolicy/domains/program/unused/pegasus.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/pegasus.te	2005-11-03 18:23:59.000000000 -0500
++++ policy-1.27.1/domains/program/unused/pegasus.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,36 @@
 +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
 +#
@@ -2112,14 +2188,14 @@
 +r_dir_file(pegasus_t, etc_t)
 +r_dir_file(pegasus_t, var_lib_t)
 +r_dir_file(pegasus_t, pegasus_mof_t)
++allow pegasus_t pegasus_conf_t:file { link unlink };
 +r_dir_file(pegasus_t, pegasus_conf_t)
 +file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
 +rw_dir_create_file(pegasus_t, pegasus_data_t)
 +dontaudit pegasus_t selinux_config_t:dir search;
-+
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.1/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ping.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/ping.te	2005-11-30 16:42:28.000000000 -0500
 @@ -58,6 +58,6 @@
  dontaudit ping_t devtty_t:chr_file { read write };
  dontaudit ping_t self:capability sys_tty_config;
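Review bot: The new rule `allow pegasus_t pegasus_conf_t:file { link unlink };` lets the CIM server delete and hard-link files in its own configuration directory, but nothing records why the daemon needs more than read access to its static configuration. A one-line comment above the rule would keep the grant auditable, e.g. `# pegasus rewrites files under its config dir by link/unlink — confirm which files`. If only a single generated file is replaced, labelling that file pegasus_data_t (the file_type_auto_trans two lines below already covers newly created files) would leave the rest of the configuration read-only for the daemon.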
@@ -2130,7 +2206,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
 --- nsapolicy/domains/program/unused/postfix.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postfix.te	2005-11-03 18:22:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/postfix.te	2005-11-30 16:42:28.000000000 -0500
 @@ -54,6 +54,8 @@
  allow postfix_$1_t proc_net_t:dir search;
  allow postfix_$1_t proc_net_t:file { getattr read };
@@ -2327,7 +2403,7 @@
 -allow postfix_local_t mail_spool_t:file { unlink };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.27.1/domains/program/unused/postgresql.te
 --- nsapolicy/domains/program/unused/postgresql.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postgresql.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/postgresql.te	2005-11-30 16:42:28.000000000 -0500
 @@ -51,7 +51,6 @@
  
  # Use the network.
@@ -2357,7 +2433,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te	2005-11-09 20:35:54.000000000 -0500
++++ policy-1.27.1/domains/program/unused/pppd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
@@ -2434,20 +2510,33 @@
  type pppd_script_exec_t, file_type, sysadmfile;
  domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
 +allow pppd_t initrc_t:process noatsecure;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.27.1/domains/program/unused/privoxy.te
+--- nsapolicy/domains/program/unused/privoxy.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/domains/program/unused/privoxy.te	2005-11-30 16:42:28.000000000 -0500
+@@ -25,3 +25,5 @@
+ allow privoxy_t self:unix_stream_socket create_socket_perms ;
+ allow privoxy_t admin_tty_type:chr_file { read write };
+ 
++type privoxy_etc_rw_t, file_type, sysadmfile;
++allow privoxy_t privoxy_etc_rw_t:file rw_file_perms;
+\ No newline at end of file
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/procmail.te	2005-11-09 20:35:05.000000000 -0500
-@@ -19,8 +19,7 @@
++++ policy-1.27.1/domains/program/unused/procmail.te	2005-11-30 16:42:28.000000000 -0500
+@@ -18,9 +18,9 @@
+ 
  uses_shlib(procmail_t)
  allow procmail_t device_t:dir search;
- can_network_server(procmail_t)
+-can_network_server(procmail_t)
 -can_ypbind(procmail_t)
 -can_winbind(procmail_t)
++can_network(procmail_t)
 +nsswitch_domain(procmail_t)
++allow procmail_t spamd_port_t:tcp_socket name_connect;
  
  allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
  
-@@ -60,6 +59,16 @@
+@@ -60,6 +60,16 @@
  allow procmail_t usr_t:file { getattr ioctl read };
  ifdef(`spamassassin.te', `
  can_exec(procmail_t, spamassassin_exec_t)
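Review bot: `can_network(procmail_t)` replaces `can_network_server(procmail_t)` and so grants procmail the full client and server network macro, while the accompanying `allow procmail_t spamd_port_t:tcp_socket name_connect;` suggests the actual need is an outbound connection to spamd. If nothing else in procmail.te binds listening sockets, `can_network_client(procmail_t)` is the narrower replacement, and a comment such as `# procmail hands mail to spamd over its TCP port` above the name_connect rule would record the reason. In the same hunk, privoxy_etc_rw_t is declared and granted rw_file_perms, but no file_contexts entry for it appears in this chunk; unless privoxy.fc is updated elsewhere in the patch, /etc/privoxy/user.action keeps its current label and the rule has no effect. The new privoxy.te also ends without a trailing newline.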
@@ -2466,7 +2555,7 @@
  # Search /var/run.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radius.te policy-1.27.1/domains/program/unused/radius.te
 --- nsapolicy/domains/program/unused/radius.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/radius.te	2005-11-03 18:23:52.000000000 -0500
++++ policy-1.27.1/domains/program/unused/radius.te	2005-11-30 16:42:28.000000000 -0500
 @@ -10,7 +10,7 @@
  #
  # radiusd_exec_t is the type of the radiusd executable.
@@ -2483,7 +2572,7 @@
 +allow radiusd_t urandom_device_t:chr_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te
 --- nsapolicy/domains/program/unused/readahead.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/readahead.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/readahead.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,21 @@
 +#DESC readahead - read files in page cache 
 +#
@@ -2508,7 +2597,7 @@
 +dontaudit readahead_t device_type:blk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.27.1/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rlogind.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/rlogind.te	2005-11-30 16:42:28.000000000 -0500
 @@ -35,4 +35,6 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
@@ -2519,7 +2608,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te
 --- nsapolicy/domains/program/unused/roundup.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/roundup.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/roundup.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,29 @@
 +# Roundup Issue Tracking System
 +#
@@ -2552,7 +2641,7 @@
 +allow roundup_t etc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.1/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpcd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/rpcd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -19,7 +19,7 @@
  can_network($1_t)
  allow $1_t port_type:tcp_socket name_connect;
@@ -2586,7 +2675,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.27.1/domains/program/unused/rpm.te
 --- nsapolicy/domains/program/unused/rpm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpm.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/rpm.te	2005-11-30 16:42:28.000000000 -0500
 @@ -10,7 +10,7 @@
  # rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
  # rpm_var_lib_t is the type for rpm files in /var/lib
@@ -2601,13 +2690,13 @@
  allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
  
 -type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
-+type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role, mlsfileread, mlsfilewrite;
++type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privmail, privrole, priv_system_role, mlsfileread, mlsfilewrite;
  # policy for rpm scriptlet
  role system_r types rpm_script_t;
  uses_shlib(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.1/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rsync.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/rsync.te	2005-11-30 16:42:28.000000000 -0500
 @@ -15,5 +15,4 @@
  type rsync_data_t, file_type, sysadmfile;
  r_dir_file(rsync_t, rsync_data_t)
@@ -2617,7 +2706,7 @@
 +allow rsync_t self:capability sys_chroot;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/samba.te	2005-11-03 18:24:24.000000000 -0500
++++ policy-1.27.1/domains/program/unused/samba.te	2005-11-30 16:42:28.000000000 -0500
 @@ -25,6 +25,9 @@
  # not sure why it needs this
  tmp_domain(smbd)
@@ -2664,7 +2753,7 @@
  ifdef(`logrotate.te', `
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.27.1/domains/program/unused/saslauthd.te
 --- nsapolicy/domains/program/unused/saslauthd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/saslauthd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/saslauthd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -39,3 +39,4 @@
  allow saslauthd_t mysqld_db_t:dir search;
  allow saslauthd_t mysqld_var_run_t:sock_file rw_file_perms;
@@ -2672,7 +2761,7 @@
 +dontaudit saslauthd_t self:capability setuid;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.27.1/domains/program/unused/sendmail.te
 --- nsapolicy/domains/program/unused/sendmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/sendmail.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/sendmail.te	2005-11-30 16:42:28.000000000 -0500
 @@ -13,9 +13,6 @@
  # daemon started by the init rc scripts.
  #
@@ -2685,7 +2774,7 @@
  tmp_domain(sendmail)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.27.1/domains/program/unused/slapd.te
 --- nsapolicy/domains/program/unused/slapd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/slapd.te	2005-11-09 20:36:34.000000000 -0500
++++ policy-1.27.1/domains/program/unused/slapd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -24,8 +24,9 @@
  can_network(slapd_t)
  allow slapd_t port_type:tcp_socket name_connect;
@@ -2726,7 +2815,7 @@
 +allow slapd_t usr_t:file { create write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
 --- nsapolicy/domains/program/unused/snmpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/snmpd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/snmpd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -22,8 +22,9 @@
  
  # for the .index file
@@ -2756,7 +2845,7 @@
  dontaudit snmpd_t selinux_config_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.27.1/domains/program/unused/spamd.te
 --- nsapolicy/domains/program/unused/spamd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/spamd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/spamd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -9,20 +9,22 @@
  
  tmp_domain(spamd)
@@ -2808,7 +2897,7 @@
 +ifdef(`targeted_policy', `home_domain_access(spamd_t, user)')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/squid.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/squid.te	2005-11-30 16:42:28.000000000 -0500
 @@ -60,7 +60,7 @@
  can_tcp_connect(web_client_domain, squid_t)
  
@@ -2818,7 +2907,12 @@
  allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
  
  # to allow running programs from /usr/lib/squid (IE unlinkd)
-@@ -81,4 +81,5 @@
+@@ -76,9 +76,9 @@
+ allow squid_t urandom_device_t:chr_file { getattr read };
+ 
+ #squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+ r_dir_file(squid_t, cert_t)
  ifdef(`winbind.te', `
  domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
  allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
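Review bot: The comment `#squid requires the following when run in diskd mode, the recommended setting` is kept as context while the rule it describes, `allow squid_t tmpfs_t:file { read write };`, is dropped on the new side, so the comment now reads as if it describes `r_dir_file(squid_t, cert_t)`. Either remove the comment together with the rule or, if the rule is re-added elsewhere (the inner hunk's `+76,9` count suggests one added line beyond this outer hunk), move the comment next to the new location. The changelog entry does not mention squid, so it is worth confirming that diskd mode still works without the tmpfs_t access before this ships.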
@@ -2826,7 +2920,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/udev.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/udev.te	2005-11-30 16:42:28.000000000 -0500
 @@ -28,12 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -2858,7 +2952,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.27.1/domains/program/unused/utempter.te
 --- nsapolicy/domains/program/unused/utempter.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/utempter.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/utempter.te	2005-11-30 16:42:28.000000000 -0500
 @@ -19,6 +19,8 @@
  type utempter_exec_t, file_type, sysadmfile, exec_type;
  domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
@@ -2870,7 +2964,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.1/domains/program/unused/webalizer.te
 --- nsapolicy/domains/program/unused/webalizer.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/webalizer.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/webalizer.te	2005-11-30 16:42:28.000000000 -0500
 @@ -20,6 +20,9 @@
  #read apache log
  allow webalizer_t var_log_t:dir r_dir_perms;
@@ -2883,7 +2977,7 @@
  var_lib_domain(webalizer)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/winbind.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/winbind.te	2005-11-30 16:42:28.000000000 -0500
 @@ -44,6 +44,7 @@
  r_dir_file(winbind_t, samba_etc_t)
  allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
@@ -2894,7 +2988,7 @@
  allow winbind_helper_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/xdm.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/xdm.te	2005-11-30 16:42:28.000000000 -0500
 @@ -371,3 +371,6 @@
  dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
  
@@ -2904,7 +2998,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.1/domains/program/unused/yppasswdd.te
 --- nsapolicy/domains/program/unused/yppasswdd.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,40 @@
 +#DESC yppassdd - NIS password update daemon
 +#
@@ -2948,15 +3042,35 @@
 +rw_dir_create_file(yppasswdd_t, var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.1/domains/program/unused/ypserv.te
 --- nsapolicy/domains/program/unused/ypserv.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ypserv.te	2005-11-03 18:21:50.000000000 -0500
-@@ -39,3 +39,4 @@
++++ policy-1.27.1/domains/program/unused/ypserv.te	2005-11-30 16:42:28.000000000 -0500
+@@ -39,3 +39,12 @@
  ')
  allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
  dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
 +can_exec(ypserv_t, bin_t)
++
++application_domain(ypxfr, `, nscd_client_domain')
++can_network_client(ypxfr_t)
++allow ypxfr_t etc_t:file { getattr read };
++allow ypxfr_t portmap_port_t:tcp_socket name_connect;
++allow ypxfr_t reserved_port_t:tcp_socket name_connect;
++dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect;
++allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.27.1/domains/program/unused/zebra.te
+--- nsapolicy/domains/program/unused/zebra.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/domains/program/unused/zebra.te	2005-11-30 16:42:28.000000000 -0500
+@@ -24,7 +24,7 @@
+ allow zebra_t self:unix_dgram_socket create_socket_perms;
+ allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow zebra_t self:rawip_socket create_socket_perms;
+-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
++allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow zebra_t zebra_port_t:tcp_socket name_bind;
+ 
+ allow zebra_t proc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.27.1/domains/program/useradd.te
 --- nsapolicy/domains/program/useradd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/useradd.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/domains/program/useradd.te	2005-11-30 16:42:28.000000000 -0500
 @@ -55,7 +55,6 @@
  # useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
  # but will operate without them.
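Review bot: The new ypxfr_t domain gets `allow ypxfr_t reserved_port_t:tcp_socket name_connect;`, i.e. permission to connect to any reserved port, with no comment explaining why the portmap_port_t rule above it is not sufficient. The ypserv_t name_bind rule kept as context suggests the reason: ypserv binds an arbitrary reserved port, so the transfer client cannot be pinned to one port type; a comment such as `# ypserv binds an arbitrary reserved port (see name_bind above), so ypxfr must be able to connect to any of them` would record that. Neither a file context for ypxfr_exec_t nor a transition into ypxfr_t is visible in this hunk; if application_domain does not supply them, the domain is unreachable and these rules are inert. The zebra change to rw_netlink_socket_perms matches the changelog entry about writing routing rules.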
@@ -2980,7 +3094,7 @@
  read_sysctl(useradd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.27.1/file_contexts/distros.fc
 --- nsapolicy/file_contexts/distros.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/distros.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/distros.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -89,6 +89,7 @@
  /usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
  /usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
@@ -2999,7 +3113,7 @@
  /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.27.1/file_contexts/program/apache.fc
 --- nsapolicy/file_contexts/program/apache.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/apache.fc	2005-11-03 18:25:42.000000000 -0500
++++ policy-1.27.1/file_contexts/program/apache.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -9,6 +9,8 @@
  /var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
  /var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
@@ -3019,7 +3133,7 @@
  /usr/lib/apache-ssl/.+	 --	system_u:object_r:httpd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.1/file_contexts/program/bluetooth.fc
 --- nsapolicy/file_contexts/program/bluetooth.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -1,8 +1,11 @@
  # bluetooth
  /etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
@@ -3034,7 +3148,7 @@
 +/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.27.1/file_contexts/program/compat.fc
 --- nsapolicy/file_contexts/program/compat.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/compat.fc	2005-11-09 20:24:55.000000000 -0500
++++ policy-1.27.1/file_contexts/program/compat.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -43,6 +43,7 @@
  /sbin/hdparm		--	system_u:object_r:fsadm_exec_t
  /sbin/raidstart		--	system_u:object_r:fsadm_exec_t
@@ -3055,7 +3169,7 @@
  /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.1/file_contexts/program/dhcpc.fc
 --- nsapolicy/file_contexts/program/dhcpc.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -4,9 +4,11 @@
  /etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
  /etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
@@ -3070,7 +3184,7 @@
  # pump
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.27.1/file_contexts/program/dhcpd.fc
 --- nsapolicy/file_contexts/program/dhcpd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpd.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/dhcpd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -2,10 +2,10 @@
  /etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t
  /etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
@@ -3094,7 +3208,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.27.1/file_contexts/program/ftpd.fc
 --- nsapolicy/file_contexts/program/ftpd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ftpd.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/ftpd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -10,7 +10,8 @@
  /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
  /var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
@@ -3108,7 +3222,7 @@
 +/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/games.fc policy-1.27.1/file_contexts/program/games.fc
 --- nsapolicy/file_contexts/program/games.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/games.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/games.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -1,8 +1,10 @@
  #  games
 -/usr/lib(64)?/games/.* 	--	system_u:object_r:games_exec_t
@@ -3133,7 +3247,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/innd.fc policy-1.27.1/file_contexts/program/innd.fc
 --- nsapolicy/file_contexts/program/innd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/innd.fc	2005-11-09 20:38:06.000000000 -0500
++++ policy-1.27.1/file_contexts/program/innd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -18,25 +18,26 @@
  /usr/lib(64)?/news/bin/archive	--	system_u:object_r:innd_exec_t
  /usr/lib(64)?/news/bin/batcher	--	system_u:object_r:innd_exec_t
@@ -3170,7 +3284,7 @@
  /usr/lib(64)?/news/bin/ovdb_recover	--	system_u:object_r:innd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.27.1/file_contexts/program/ipsec.fc
 --- nsapolicy/file_contexts/program/ipsec.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -21,6 +21,7 @@
  /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
  /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
@@ -3181,13 +3295,13 @@
  /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/openct.fc policy-1.27.1/file_contexts/program/openct.fc
 --- nsapolicy/file_contexts/program/openct.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/openct.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/openct.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,2 @@
 +/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
 +/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.1/file_contexts/program/pegasus.fc
 --- nsapolicy/file_contexts/program/pegasus.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,9 @@
 +# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
 +/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
@@ -3200,7 +3314,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.27.1/file_contexts/program/pppd.fc
 --- nsapolicy/file_contexts/program/pppd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/pppd.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/pppd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -20,6 +20,6 @@
  /etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
  /etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
@@ -3209,20 +3323,28 @@
 +/var/run/pptp(/.*)?		system_u:object_r:pptp_var_run_t
  # Fix /etc/ppp {up,down} family scripts (see man pppd)
  /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/privoxy.fc policy-1.27.1/file_contexts/program/privoxy.fc
+--- nsapolicy/file_contexts/program/privoxy.fc	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/file_contexts/program/privoxy.fc	2005-11-30 16:42:28.000000000 -0500
+@@ -1,3 +1,4 @@
+ # privoxy
+ /usr/sbin/privoxy	--	system_u:object_r:privoxy_exec_t
+ /var/log/privoxy(/.*)?		system_u:object_r:privoxy_log_t
++/etc/privoxy/user\.action	system_u:object_r:privoxy_etc_rw_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/readahead.fc policy-1.27.1/file_contexts/program/readahead.fc
 --- nsapolicy/file_contexts/program/readahead.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/readahead.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/readahead.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1 @@
 +/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/roundup.fc policy-1.27.1/file_contexts/program/roundup.fc
 --- nsapolicy/file_contexts/program/roundup.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/roundup.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/roundup.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,2 @@
 +/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
 +/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpm.fc policy-1.27.1/file_contexts/program/rpm.fc
 --- nsapolicy/file_contexts/program/rpm.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rpm.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/rpm.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -23,3 +23,7 @@
  /var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
  /var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
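Review bot: The new privoxy.fc entry `/etc/privoxy/user\.action	system_u:object_r:privoxy_etc_rw_t` omits the `--` object-class qualifier that its sibling `/usr/sbin/privoxy	--` carries, so the spec also labels a directory, symlink or device at that path rather than only a regular file; `/etc/privoxy/user\.action	--	system_u:object_r:privoxy_etc_rw_t` is the narrower form. The type `privoxy_etc_rw_t` and the allow rule that lets the daemon write it are not in this hunk, so the writable-config intent recorded in the log message ("Allow privoxy to write /etc/privoxy/user.action") is only visible here through the label. A comment on the entry, e.g. `# user.action is rewritten by the daemon itself; keep it the only writable file under /etc/privoxy`, would record why this single config file gets a read-write type while the rest of the tree presumably stays read-only.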
@@ -3233,7 +3355,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rshd.fc policy-1.27.1/file_contexts/program/rshd.fc
 --- nsapolicy/file_contexts/program/rshd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rshd.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/rshd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -1,3 +1,4 @@
  # rshd.
  /usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t
@@ -3241,7 +3363,7 @@
  /usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.27.1/file_contexts/program/rsync.fc
 --- nsapolicy/file_contexts/program/rsync.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rsync.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/rsync.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -1,3 +1,3 @@
  # rsync program
  /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
@@ -3249,7 +3371,7 @@
 +/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/slapd.fc policy-1.27.1/file_contexts/program/slapd.fc
 --- nsapolicy/file_contexts/program/slapd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/slapd.fc	2005-11-09 20:38:46.000000000 -0500
++++ policy-1.27.1/file_contexts/program/slapd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -5,3 +5,15 @@
  /var/run/slapd\.args	--	system_u:object_r:slapd_var_run_t
  /etc/ldap/slapd\.conf	--	system_u:object_r:slapd_etc_t
@@ -3268,7 +3390,7 @@
 +/opt/(fedora|redhat)-ds/alias/[^/]+so.* system_u:object_r:shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/squid.fc policy-1.27.1/file_contexts/program/squid.fc
 --- nsapolicy/file_contexts/program/squid.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/squid.fc	2005-11-03 18:25:49.000000000 -0500
++++ policy-1.27.1/file_contexts/program/squid.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -6,3 +6,6 @@
  /etc/squid(/.*)?		system_u:object_r:squid_conf_t
  /var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
@@ -3278,7 +3400,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.27.1/file_contexts/program/xdm.fc
 --- nsapolicy/file_contexts/program/xdm.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/xdm.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/xdm.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -3,7 +3,7 @@
  /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
  /opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
@@ -3290,13 +3412,13 @@
  /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/yppasswdd.fc policy-1.27.1/file_contexts/program/yppasswdd.fc
 --- nsapolicy/file_contexts/program/yppasswdd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/yppasswdd.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/yppasswdd.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,2 @@
 +# yppasswd
 +/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ypserv.fc policy-1.27.1/file_contexts/program/ypserv.fc
 --- nsapolicy/file_contexts/program/ypserv.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-11-30 16:42:28.000000000 -0500
 @@ -1,3 +1,4 @@
  # ypserv
  /usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
@@ -3304,8 +3426,16 @@
  /etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.1/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/types.fc	2005-11-03 18:21:50.000000000 -0500
-@@ -133,6 +133,7 @@
++++ policy-1.27.1/file_contexts/types.fc	2005-11-30 16:42:28.000000000 -0500
+@@ -72,6 +72,7 @@
+ /var/yp(/.*)?			system_u:object_r:var_yp_t
+ /var/lib(/.*)?			system_u:object_r:var_lib_t
+ /var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
++/var/lib/abl(/.*)?		system_u:object_r:var_auth_t
+ /var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t
+ /var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t
+ /var/lock(/.*)?			system_u:object_r:var_lock_t
+@@ -133,6 +134,7 @@
  /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
  /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
  /dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
@@ -3313,7 +3443,15 @@
  /dev/isdn.*		-c	system_u:object_r:tty_device_t
  /dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
  /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
-@@ -485,6 +486,7 @@
+@@ -173,6 +175,7 @@
+ /dev/jsfd		-b	system_u:object_r:fixed_disk_device_t
+ /dev/js.*		-c	system_u:object_r:mouse_device_t
+ /dev/jsflash		-c	system_u:object_r:fixed_disk_device_t
++/dev/xvd.*		-b	system_u:object_r:fixed_disk_device_t
+ /dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
+ /dev/usb/rio500	-c	system_u:object_r:removable_device_t
+ /dev/fd[^/]+		-b	system_u:object_r:removable_device_t
+@@ -485,6 +488,7 @@
  # Turboprint
  #
  /usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
@@ -3321,7 +3459,7 @@
  
  #
  # initrd mount point, only used during boot
-@@ -511,3 +513,5 @@
+@@ -511,3 +515,5 @@
  #
  /srv(/.*)?			system_u:object_r:var_t
  
@@ -3329,7 +3467,7 @@
 +/etc/sysconfig/network-scripts/ifdown-.* 	-- system_u:object_r:bin_t
 diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.1/genfs_contexts
 --- nsapolicy/genfs_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/genfs_contexts	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/genfs_contexts	2005-11-30 16:42:28.000000000 -0500
 @@ -94,7 +94,8 @@
  genfscon debugfs /			system_u:object_r:debugfs_t
  genfscon inotifyfs /			system_u:object_r:inotifyfs_t
@@ -3342,7 +3480,7 @@
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.1/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/base_user_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/base_user_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -40,6 +40,12 @@
  allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
  can_setfscreate($1_t)
@@ -3366,7 +3504,7 @@
  ifdef(`screen.te', `screen_domain($1)')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.27.1/macros/core_macros.te
 --- nsapolicy/macros/core_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/core_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/core_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -306,8 +306,10 @@
  # Access selinuxfs.
  allow $1 security_t:dir { read search getattr };
@@ -3412,7 +3550,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/global_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/global_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -157,6 +157,11 @@
  r_dir_file($1, locale_t)
  ')
@@ -3435,7 +3573,21 @@
  ') 
  
  #
-@@ -320,13 +324,14 @@
+@@ -283,8 +287,12 @@
+ #
+ define(`init_service_domain', `
+ daemon_core_rules($1, `$2')
+-
++bool $1_disable_trans false;
++if ($1_disable_trans) {
++can_exec(init_t, $1_exec_t)
++} else {
+ domain_auto_trans(init_t, $1_exec_t, $1_t)
++}
+ ')dnl
+ 
+ #######################
+@@ -320,13 +328,14 @@
  } else {
  ') dnl transitionbool
  domain_auto_trans(initrc_t, $1_exec_t, $1_t)
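Review bot: The added `$1_disable_trans` branch in `init_service_domain` has no comment stating that when the boolean is on the service runs in init_t via `can_exec(init_t, $1_exec_t)` instead of in its own `$1_t` domain, which removes that daemon's confinement rather than merely relaxing it. A line such as `# $1_disable_trans: when set, init runs the daemon unconfined in init_t instead of transitioning to $1_t` above the `bool` declaration would make that consequence explicit to anyone toggling it with setsebool. The construct mirrors the `transitionbool` handling for initrc_t visible in the following context lines; if any caller of this macro also declares a `$1_disable_trans` boolean through that path, checkpolicy would reject the duplicate `bool`, which cannot be confirmed from this hunk.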
@@ -3451,7 +3603,7 @@
  ifelse(index(`$2', `transitionbool'), -1, `', `
  }
  ') dnl end transitionbool
-@@ -514,6 +519,9 @@
+@@ -514,6 +523,9 @@
  type $1_t, domain, privlog $2;
  type $1_exec_t, file_type, sysadmfile, exec_type;
  role sysadm_r types $1_t;
@@ -3461,7 +3613,7 @@
  domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
  uses_shlib($1_t)
  ')
-@@ -600,10 +608,10 @@
+@@ -600,10 +612,10 @@
  # Also define boolean to allow anonymous writing
  #
  define(`anonymous_domain', `
@@ -3474,7 +3626,7 @@
  }
  ')
  # 
-@@ -618,6 +626,7 @@
+@@ -618,6 +630,7 @@
  define(`unconfined_domain', `
  
  typeattribute $1 unrestricted;
@@ -3482,7 +3634,7 @@
  
  # Mount/unmount any filesystem. 
  allow $1 fs_type:filesystem *;
-@@ -653,7 +662,7 @@
+@@ -653,7 +666,7 @@
  allow $1 port_type:tcp_socket name_connect;
  
  # Bind to any network address.
@@ -3491,7 +3643,7 @@
  allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
  allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
  
-@@ -695,8 +704,10 @@
+@@ -695,8 +708,10 @@
  allow $1 domain:msg  { send receive };
  
  # Access the security API.
@@ -3502,16 +3654,18 @@
  
  # Perform certain system operations that lacked individual capabilities.
  allow $1 kernel_t:system *;
-@@ -750,4 +761,6 @@
+@@ -750,4 +765,8 @@
  allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
  allow $1 self:capability { audit_write audit_control };
  dontaudit $1 shadow_t:file { getattr read };
 +allow $1 sbin_t:dir search;
 +allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++allow $1 var_lib_t:dir r_dir_perms;
++rw_dir_file($1, var_auth_t)
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.1/macros/home_macros.te
 --- nsapolicy/macros/home_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/home_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/home_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -68,7 +68,11 @@
  define(`home_domain_ro_access', `
  allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
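Review bot: `rw_dir_file($1, var_auth_t)` grants every domain that uses this macro read/write access to the whole `var_auth_t` type, and `allow $1 var_lib_t:dir r_dir_perms;` additionally opens listing of /var/lib, without a comment saying what the type holds; the only path labeled `var_auth_t` in this chunk is the `/var/lib/abl(/.*)?` entry added to types.fc, presumably pam_abl's state database. The declaration of `var_auth_t` is not in this chunk and should be confirmed to exist in the same patch. A comment such as `# authentication state (e.g. /var/lib/abl) must be writable by every authenticating domain` on the `rw_dir_file` line would record the intent. The enclosing macro definition starts outside the hunk.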
@@ -3539,7 +3693,7 @@
  ####################################################################
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.27.1/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/network_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/network_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -153,7 +153,8 @@
  ')dnl end can_network definition
  
@@ -3570,7 +3724,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.27.1/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/apache_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/apache_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -38,7 +38,7 @@
  allow httpd_$1_script_t etc_runtime_t:file { getattr read };
  read_locale(httpd_$1_script_t)
@@ -3613,7 +3767,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/bonobo_macros.te policy-1.27.1/macros/program/bonobo_macros.te
 --- nsapolicy/macros/program/bonobo_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/bonobo_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/bonobo_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -72,9 +72,7 @@
  # here temporarily, since bonobo runs as ROLE_t by default anyway
  domain_auto_trans($1_bonobo_t, bin_t, $1_t) 
@@ -3626,7 +3780,7 @@
  ') dnl bonobo_domain
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.27.1/macros/program/cdrecord_macros.te
 --- nsapolicy/macros/program/cdrecord_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -41,9 +41,13 @@
  
  allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
@@ -3644,7 +3798,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.27.1/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/chkpwd_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/chkpwd_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -19,6 +19,9 @@
  
  role $1_r types $1_chkpwd_t;
@@ -3673,7 +3827,7 @@
  access_terminal($1_chkpwd_t, $1)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crontab_macros.te policy-1.27.1/macros/program/crontab_macros.te
 --- nsapolicy/macros/program/crontab_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/crontab_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/crontab_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -40,7 +40,7 @@
  
  # Use capabilities dac_override is to create the file in the directory
@@ -3685,7 +3839,7 @@
  file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.27.1/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/dbusd_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/dbusd_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -29,9 +29,7 @@
  r_dir_file($1_dbusd_t, etc_dbusd_t)
  tmp_domain($1_dbusd) 
@@ -3721,7 +3875,7 @@
  # can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gconf_macros.te policy-1.27.1/macros/program/gconf_macros.te
 --- nsapolicy/macros/program/gconf_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/gconf_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/gconf_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -31,8 +31,8 @@
  # /tmp/gconfd-USER
  tmp_domain($1_gconfd)
@@ -3734,7 +3888,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.27.1/macros/program/gift_macros.te
 --- nsapolicy/macros/program/gift_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/gift_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/gift_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -90,9 +90,7 @@
  r_dir_file($1_giftd_t, usr_t)
  
@@ -3747,7 +3901,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.27.1/macros/program/gpg_macros.te
 --- nsapolicy/macros/program/gpg_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/gpg_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/gpg_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -108,8 +108,6 @@
  # for nscd
  dontaudit $1_gpg_helper_t var_t:dir search;
@@ -3759,7 +3913,7 @@
  ')dnl end gpg_domain definition
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/i18n_input_macros.te policy-1.27.1/macros/program/i18n_input_macros.te
 --- nsapolicy/macros/program/i18n_input_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -0,0 +1,21 @@
 +#
 +# Macros for i18n_input
@@ -3784,7 +3938,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.27.1/macros/program/lpr_macros.te
 --- nsapolicy/macros/program/lpr_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/lpr_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/lpr_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -39,7 +39,7 @@
  can_ypbind($1_lpr_t)
  
@@ -3796,7 +3950,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.27.1/macros/program/mta_macros.te
 --- nsapolicy/macros/program/mta_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/mta_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/mta_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -34,7 +34,7 @@
  
  uses_shlib($1_mail_t)
@@ -3817,7 +3971,7 @@
  # For when the user wants to send mail via port 25 localhost
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.27.1/macros/program/newrole_macros.te
 --- nsapolicy/macros/program/newrole_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/newrole_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/newrole_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -20,6 +20,8 @@
  read_locale($1_t)
  read_sysctl($1_t)
@@ -3829,7 +3983,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/pyzor_macros.te policy-1.27.1/macros/program/pyzor_macros.te
 --- nsapolicy/macros/program/pyzor_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/pyzor_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/pyzor_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -64,6 +64,6 @@
  
  # Allow pyzor to be run by hand.  Needed by any action other than
@@ -3840,7 +3994,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/razor_macros.te policy-1.27.1/macros/program/razor_macros.te
 --- nsapolicy/macros/program/razor_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/razor_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/razor_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -70,6 +70,6 @@
  
  # Allow razor to be run by hand.  Needed by any action other than
@@ -3851,7 +4005,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.1/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/su_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/su_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -54,7 +54,7 @@
  allow $1_su_t self:process { setsched setrlimit };
  allow $1_su_t device_t:dir search;
@@ -3872,7 +4026,7 @@
  # Caused by su - init scripts
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.27.1/macros/program/uml_macros.te
 --- nsapolicy/macros/program/uml_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/uml_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/uml_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -81,7 +81,7 @@
  allow uml_net_t $1_uml_t:unix_stream_socket { read write };
  allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
@@ -3884,7 +4038,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xdm_macros.te policy-1.27.1/macros/program/xdm_macros.te
 --- nsapolicy/macros/program/xdm_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/xdm_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/xdm_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -6,6 +6,8 @@
  #
  
@@ -3896,7 +4050,7 @@
  ') dnl can_pipe_xdm
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.27.1/macros/program/ypbind_macros.te
 --- nsapolicy/macros/program/ypbind_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/ypbind_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/program/ypbind_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -1,4 +1,3 @@
 -
  define(`uncond_can_ypbind', `
@@ -3904,7 +4058,7 @@
  r_dir_file($1,var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.1/macros/user_macros.te
 --- nsapolicy/macros/user_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/user_macros.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/macros/user_macros.te	2005-11-30 16:42:28.000000000 -0500
 @@ -121,6 +121,8 @@
  # user domains.
  ifelse($1, sysadm, `',`
@@ -3942,7 +4096,7 @@
  allow $1_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.1/Makefile
 --- nsapolicy/Makefile	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/Makefile	2005-11-04 07:32:54.000000000 -0500
++++ policy-1.27.1/Makefile	2005-11-30 16:42:28.000000000 -0500
 @@ -29,15 +29,10 @@
  VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
  PREVERS := 19
@@ -3950,13 +4104,14 @@
 +MLSENABLED := $(shell cat /selinux/mls)
  POLICYVER := policy.$(VERS)
  TOPDIR = $(DESTDIR)/etc/selinux
- TYPE=strict
+-TYPE=strict
 -ifeq ($(MLS),y)
 -TYPE=mls
 -endif
 -ifeq ($(MCS),y)
 -TYPE=mcs
 -endif
++TYPE=targeted
  
  INSTALLDIR = $(TOPDIR)/$(TYPE)
  POLICYPATH = $(INSTALLDIR)/policy
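Review bot: `MLSENABLED := $(shell cat /selinux/mls)` reads the running kernel's state at build time, so the build output depends on the host rather than on the sources, and in a chroot or build system where /selinux is not mounted `cat` fails and the variable is silently empty; `MLSENABLED := $(shell cat /selinux/mls 2>/dev/null)` with a comment that an empty value means "unknown" would at least make that explicit. Hard-wiring `TYPE=targeted` while deleting the `ifeq ($(MLS),y)` / `ifeq ($(MCS),y)` blocks means `MLS=y` and `MCS=y` on the make command line are now ignored without any message; `TYPE ?= targeted` would keep the default while still allowing an override.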
@@ -4022,7 +4177,7 @@
  	@mv Makefile.new Makefile
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.27.1/man/man8/ftpd_selinux.8
 --- nsapolicy/man/man8/ftpd_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-11-30 16:42:28.000000000 -0500
 @@ -8,23 +8,24 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
@@ -4059,7 +4214,7 @@
  SELinux ftp daemon policy is customizable based on least access required.  So by 
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.27.1/man/man8/httpd_selinux.8
 --- nsapolicy/man/man8/httpd_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/httpd_selinux.8	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/man/man8/httpd_selinux.8	2005-11-30 16:42:28.000000000 -0500
 @@ -45,6 +45,15 @@
  .SH NOTE
  With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
@@ -4078,7 +4233,7 @@
  default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.27.1/man/man8/rsync_selinux.8
 --- nsapolicy/man/man8/rsync_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/rsync_selinux.8	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/man/man8/rsync_selinux.8	2005-11-30 16:42:28.000000000 -0500
 @@ -8,16 +8,22 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
@@ -4107,7 +4262,7 @@
  .TP
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.27.1/man/man8/samba_selinux.8
 --- nsapolicy/man/man8/samba_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/samba_selinux.8	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/man/man8/samba_selinux.8	2005-11-30 16:42:28.000000000 -0500
 @@ -20,6 +20,11 @@
  .br
  /var/eng(/.*)? system_u:object_r:samba_share_t
@@ -4133,7 +4288,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs
 --- nsapolicy/mcs	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/mcs	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/mcs	2005-11-30 16:42:28.000000000 -0500
 @@ -18,141 +18,77 @@
  #
  # Each category has a name and zero or more aliases.
@@ -4368,7 +4523,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.27.1/mls
 --- nsapolicy/mls	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/mls	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/mls	2005-11-30 16:42:28.000000000 -0500
 @@ -13,12 +13,17 @@
  sensitivity s7;
  sensitivity s8;
@@ -4723,7 +4878,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.1/net_contexts
 --- nsapolicy/net_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/net_contexts	2005-11-09 20:25:54.000000000 -0500
++++ policy-1.27.1/net_contexts	2005-11-30 16:42:28.000000000 -0500
 @@ -50,6 +50,10 @@
  portcon tcp 53 system_u:object_r:dns_port_t
  
@@ -4752,7 +4907,15 @@
  portcon tcp 783 system_u:object_r:spamd_port_t
  portcon tcp 540 system_u:object_r:uucpd_port_t
  portcon tcp 2401 system_u:object_r:cvs_port_t
-@@ -161,9 +164,14 @@
+@@ -146,6 +149,7 @@
+ portcon udp 5060 system_u:object_r:asterisk_port_t
+ portcon tcp 2000 system_u:object_r:mail_port_t
+ portcon tcp 2601 system_u:object_r:zebra_port_t
++portcon tcp 2605 system_u:object_r:zebra_port_t
+ portcon tcp 2628 system_u:object_r:dict_port_t
+ portcon tcp 3306 system_u:object_r:mysqld_port_t
+ portcon tcp 3632 system_u:object_r:distccd_port_t
+@@ -161,9 +165,14 @@
  portcon tcp 5432 system_u:object_r:postgresql_port_t
  portcon tcp 5666 system_u:object_r:inetd_child_port_t
  portcon tcp 5703 system_u:object_r:ptal_port_t
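Review bot: The added `portcon tcp 2605 system_u:object_r:zebra_port_t` line gives no hint why a second TCP port joins zebra_port_t next to 2601; 2605 is the vty port of Quagga's bgpd, and net_contexts readers cannot recover that from the label alone. A short comment above the line, e.g. `# 2605: bgpd vty (quagga)`, would record the intent. Whether the remaining Quagga vty ports in the 2602-2606 range are meant to share this label is not visible in the hunk; as committed, they stay outside zebra_port_t and any bind rule keyed on it.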
@@ -4769,7 +4932,7 @@
  portcon tcp 6002  system_u:object_r:xserver_port_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.27.1/targeted/appconfig/root_default_contexts
 --- nsapolicy/targeted/appconfig/root_default_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-11-30 16:42:28.000000000 -0500
 @@ -1,2 +1,6 @@
  system_r:unconfined_t	system_r:unconfined_t
  system_r:initrc_t	system_r:unconfined_t
@@ -4779,7 +4942,7 @@
 +system_r:crond_t	system_r:unconfined_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.27.1/targeted/assert.te
 --- nsapolicy/targeted/assert.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/assert.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/targeted/assert.te	2005-11-30 16:42:28.000000000 -0500
 @@ -22,7 +22,7 @@
  
  # Confined domains must never touch an unconfined domain except to
@@ -4791,7 +4954,7 @@
  neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.27.1/targeted/domains/program/compat.te
 --- nsapolicy/targeted/domains/program/compat.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/compat.te	2005-11-03 18:26:47.000000000 -0500
++++ policy-1.27.1/targeted/domains/program/compat.te	2005-11-30 16:42:28.000000000 -0500
 @@ -1,3 +1,4 @@
  typealias bin_t alias mount_exec_t;
  typealias bin_t alias dmesg_exec_t;
@@ -4799,7 +4962,7 @@
 +typealias sbin_t alias lvm_exec_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.27.1/targeted/domains/program/sendmail.te
 --- nsapolicy/targeted/domains/program/sendmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/sendmail.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/targeted/domains/program/sendmail.te	2005-11-30 16:42:28.000000000 -0500
 @@ -12,7 +12,6 @@
  #
  type sendmail_exec_t, file_type, sysadmfile, exec_type;
@@ -4810,7 +4973,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te
 --- nsapolicy/targeted/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/ssh.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/targeted/domains/program/ssh.te	2005-11-30 16:42:28.000000000 -0500
 @@ -17,3 +17,6 @@
  type sshd_key_t, file_type, sysadmfile;
  type sshd_var_run_t, file_type, sysadmfile;
@@ -4820,7 +4983,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.1/targeted/domains/program/xdm.te
 --- nsapolicy/targeted/domains/program/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/xdm.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/targeted/domains/program/xdm.te	2005-11-30 16:42:28.000000000 -0500
 @@ -20,3 +20,7 @@
  type xdm_tmp_t, file_type, sysadmfile;
  domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
@@ -4831,7 +4994,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.1/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/unconfined.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/targeted/domains/unconfined.te	2005-11-30 16:42:28.000000000 -0500
 @@ -63,6 +63,7 @@
  bool use_samba_home_dirs false;
  
@@ -4860,7 +5023,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.1/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/tunables/distro.tun	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/tunables/distro.tun	2005-11-30 16:42:28.000000000 -0500
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -4872,7 +5035,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.1/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/tunables/tunable.tun	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/tunables/tunable.tun	2005-11-30 16:42:28.000000000 -0500
 @@ -1,5 +1,5 @@
  # Allow rpm to run unconfined.
 -dnl define(`unlimitedRPM')
@@ -4891,7 +5054,7 @@
  # Otherwise, only staff_r can do so.
 diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.27.1/types/device.te
 --- nsapolicy/types/device.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/device.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/types/device.te	2005-11-30 16:42:28.000000000 -0500
 @@ -131,8 +131,8 @@
  # Type for /dev/.devfsd
  type devfs_control_t, device_type, dev_fs;
@@ -4905,7 +5068,7 @@
  type power_device_t, device_type, dev_fs;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.27.1/types/devpts.te
 --- nsapolicy/types/devpts.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/devpts.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/types/devpts.te	2005-11-30 16:42:28.000000000 -0500
 @@ -18,4 +18,6 @@
  #
  type devpts_t, mount_point, fs_type;
@@ -4916,7 +5079,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te
 --- nsapolicy/types/file.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/file.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/types/file.te	2005-11-30 16:42:28.000000000 -0500
 @@ -84,6 +84,9 @@
  #
  type etc_t, file_type, sysadmfile;
@@ -4927,7 +5090,15 @@
  #
  # shadow_t is the type of the /etc/shadow file
  #
-@@ -273,9 +276,6 @@
+@@ -196,6 +199,7 @@
+ type faillog_t, file_type, sysadmfile, logfile;
+ type var_lock_t, file_type, sysadmfile, lockfile;
+ type var_lib_t, mount_point, file_type, sysadmfile;
++type var_auth_t, file_type, sysadmfile;
+ # for /var/{spool,lib}/texmf index files
+ type tetex_data_t, file_type, sysadmfile, tmpfile;
+ type var_spool_t, file_type, sysadmfile, tmpfile;
+@@ -273,9 +277,6 @@
  #
  allow { file_type device_type ttyfile } fs_t:filesystem associate;
  
@@ -4937,7 +5108,7 @@
  type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
  allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
  allow { logfile tmpfile home_type } tmp_t:filesystem associate;
-@@ -284,31 +284,14 @@
+@@ -284,31 +285,14 @@
  ')
  
  type autofs_t, fs_type, noexattrfile, sysadmfile;
@@ -4970,7 +5141,7 @@
  
  # udev_runtime_t is the type of the udev table file
  type udev_runtime_t, file_type, sysadmfile;
-@@ -317,26 +300,26 @@
+@@ -317,26 +301,26 @@
  type krb5_conf_t, file_type, sysadmfile;
  
  type cifs_t, fs_type, noexattrfile, sysadmfile;
@@ -5009,7 +5180,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te
 --- nsapolicy/types/network.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/network.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/types/network.te	2005-11-30 16:42:28.000000000 -0500
 @@ -18,7 +18,7 @@
  type dhcpd_port_t, port_type, reserved_port_type;
  type smbd_port_t, port_type, reserved_port_type;
@@ -5063,7 +5234,7 @@
  type rsync_port_t, port_type, reserved_port_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.27.1/types/nfs.te
 --- nsapolicy/types/nfs.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/nfs.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/types/nfs.te	2005-11-30 16:42:28.000000000 -0500
 @@ -18,5 +18,4 @@
  #
  # Allow NFS files to be associated with an NFS file system.
@@ -5072,7 +5243,7 @@
  allow file_type nfs_t:filesystem associate;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te
 --- nsapolicy/types/security.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/security.te	2005-11-03 18:21:50.000000000 -0500
++++ policy-1.27.1/types/security.te	2005-11-30 16:42:28.000000000 -0500
 @@ -13,12 +13,18 @@
  # applied to selinuxfs inodes.
  #


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/selinux-policy-targeted.spec,v
retrieving revision 1.350
retrieving revision 1.351
diff -u -r1.350 -r1.351
--- selinux-policy-targeted.spec	10 Nov 2005 01:53:18 -0000	1.350
+++ selinux-policy-targeted.spec	30 Nov 2005 22:06:37 -0000	1.351
@@ -9,14 +9,13 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.27.1
-Release: 2.14
+Release: 2.15
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
 Source1: booleans
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050916.patch
-Patch1: policy-%{type}.patch
+Patch1: policy-20050916.patch
 
 BuildArch: noarch
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils 
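Review bot: Replacing `Patch: policy-20050916.patch` and `Patch1: policy-%{type}.patch` with a single `Patch1: policy-20050916.patch` is a packaging change (the targeted-specific patch appears to have been folded into the dated one, consistent with the `TYPE=targeted` Makefile hunk earlier in this diff), yet the new %changelog entry in the later hunk lists only policy fixes. Add a line such as `- Merge policy-targeted.patch into policy-20050916.patch` so the consolidation is recorded alongside the `%patch0 -p1` removal in %prep. If the old policy-targeted.patch file is still in the module, it is now unreferenced and should be removed from CVS as well.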
@@ -41,7 +40,6 @@
 
 %prep
 %setup -q -n policy-%{version}
-%patch0 -p1
 %patch1 -p1
 
 %build
@@ -236,6 +234,13 @@
 exit 0
 
 %changelog
+* Mon Nov 28 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.15
+- Allow privoxy to write /etc/privoxy/user.action
+- allow syslog to log to tty in targeted
+- Allow dovecot to read etc_runtime_t
+- Fixes for procmail and spam
+- Allow zebra to write routing rules
+
 * Wed Nov 9 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.14
 - remove lvm.static
 - Fix slapd



