rpms/selinux-policy-strict/FC-4 policy-20050916.patch, 1.3, 1.4 selinux-policy-strict.spec, 1.320, 1.321

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Oct 11 20:18:20 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv4990

Modified Files:
	policy-20050916.patch selinux-policy-strict.spec 
Log Message:
* Tue Oct 11 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.5
- Update Amanda, pegasus, ftpd, apache to match upstream version
- Update Bluetooth, rsync


policy-20050916.patch:
 Makefile                                 |   22 +++++----
 attrib.te                                |    3 +
 domains/program/crond.te                 |    2 
 domains/program/fsadm.te                 |    7 ++
 domains/program/hostname.te              |    2 
 domains/program/ifconfig.te              |    5 +-
 domains/program/initrc.te                |   17 ++++++-
 domains/program/ldconfig.te              |    3 -
 domains/program/load_policy.te           |    7 +-
 domains/program/login.te                 |   21 +++++---
 domains/program/modutil.te               |   14 +++--
 domains/program/mount.te                 |    5 +-
 domains/program/netutils.te              |    3 -
 domains/program/passwd.te                |    1 
 domains/program/restorecon.te            |    3 -
 domains/program/setfiles.te              |    4 -
 domains/program/ssh.te                   |    6 ++
 domains/program/su.te                    |    9 +++
 domains/program/syslogd.te               |    6 +-
 domains/program/unused/NetworkManager.te |    3 -
 domains/program/unused/alsa.te           |    2 
 domains/program/unused/amanda.te         |   74 +++++++------------------------
 domains/program/unused/anaconda.te       |    5 --
 domains/program/unused/apache.te         |   17 ++++---
 domains/program/unused/apmd.te           |   13 +++++
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/automount.te      |    4 +
 domains/program/unused/bluetooth.te      |   63 +++++++++++++++++++++++++-
 domains/program/unused/cups.te           |   18 +++++--
 domains/program/unused/cvs.te            |    3 +
 domains/program/unused/cyrus.te          |    2 
 domains/program/unused/dbusd.te          |    4 +
 domains/program/unused/dhcpc.te          |    5 +-
 domains/program/unused/dhcpd.te          |    3 -
 domains/program/unused/dovecot.te        |    4 +
 domains/program/unused/ftpd.te           |    6 +-
 domains/program/unused/hald.te           |    2 
 domains/program/unused/hotplug.te        |    5 +-
 domains/program/unused/hwclock.te        |    2 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    5 +-
 domains/program/unused/mta.te            |    8 +++
 domains/program/unused/mysqld.te         |    6 +-
 domains/program/unused/named.te          |   29 ++++++++++--
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |   10 ++--
 domains/program/unused/openct.te         |   16 ++++++
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   37 +++++++++++++++
 domains/program/unused/ping.te           |    3 -
 domains/program/unused/postfix.te        |   30 +++++++-----
 domains/program/unused/pppd.te           |    8 ++-
 domains/program/unused/procmail.te       |   11 +++-
 domains/program/unused/readahead.te      |   21 ++++++++
 domains/program/unused/rlogind.te        |    4 +
 domains/program/unused/roundup.te        |   29 ++++++++++++
 domains/program/unused/rpcd.te           |   13 ++++-
 domains/program/unused/rsync.te          |    3 -
 domains/program/unused/samba.te          |   12 ++++-
 domains/program/unused/snmpd.te          |    6 +-
 domains/program/unused/squid.te          |    3 -
 domains/program/unused/udev.te           |   10 +++-
 domains/program/unused/utempter.te       |    2 
 domains/program/unused/webalizer.te      |    3 +
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 +
 domains/program/unused/yppasswdd.te      |   40 ++++++++++++++++
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    5 +-
 file_contexts/distros.fc                 |    2 
 file_contexts/program/bluetooth.fc       |    3 +
 file_contexts/program/dhcpc.fc           |    2 
 file_contexts/program/dhcpd.fc           |    1 
 file_contexts/program/ftpd.fc            |    5 +-
 file_contexts/program/games.fc           |   11 +++-
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |   11 ++++
 file_contexts/program/pppd.fc            |    2 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/rpm.fc             |    4 +
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    2 
 genfs_contexts                           |    2 
 macros/base_user_macros.te               |    6 ++
 macros/core_macros.te                    |    3 +
 macros/global_macros.te                  |   18 +++++--
 macros/network_macros.te                 |   17 ++++++-
 macros/program/apache_macros.te          |   13 ++++-
 macros/program/cdrecord_macros.te        |    2 
 macros/program/i18n_input_macros.te      |   21 ++++++++
 macros/program/mta_macros.te             |    4 -
 macros/program/newrole_macros.te         |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/su_macros.te              |    4 -
 macros/program/uml_macros.te             |    2 
 macros/user_macros.te                    |    1 
 man/man8/ftpd_selinux.8                  |   19 ++++---
 man/man8/httpd_selinux.8                 |    9 +++
 man/man8/rsync_selinux.8                 |   12 +++--
 man/man8/samba_selinux.8                 |    9 +++
 mcs                                      |   16 ++++++
 net_contexts                             |    6 ++
 targeted/appconfig/root_default_contexts |    4 +
 targeted/assert.te                       |    2 
 targeted/domains/program/ssh.te          |    3 +
 targeted/domains/program/xdm.te          |    4 +
 targeted/domains/unconfined.te           |   15 ++++++
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 -
 types/devpts.te                          |    4 +
 types/file.te                            |   15 ++++--
 types/network.te                         |   12 ++---
 types/security.te                        |    5 ++
 119 files changed, 766 insertions(+), 231 deletions(-)

Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/policy-20050916.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20050916.patch	27 Sep 2005 14:00:12 -0000	1.3
+++ policy-20050916.patch	11 Oct 2005 20:18:16 -0000	1.4
@@ -1,6 +1,19 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.27.1/attrib.te
+--- nsapolicy/attrib.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/attrib.te	2005-10-11 11:25:21.000000000 -0400
+@@ -443,6 +443,9 @@
+ # Attribute to designate unrestricted access
+ attribute unrestricted;
+ 
++# Attribute to designate can transition to unconfined_t
++attribute unconfinedtrans;
++
+ # For clients of nscd.
+ attribute nscd_client_domain;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/crond.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/crond.te	2005-10-11 11:25:21.000000000 -0400
 @@ -106,7 +106,7 @@
  
  # Inherit and use descriptors from initrc for anacron.
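Review bot: The new `attribute unconfinedtrans;` is declared with a comment that names the effect but not the consumer: nothing in this hunk shows which rule reads the attribute or which domains are meant to carry it, and only the diffstat hints that targeted/domains/unconfined.te is where it is used. Because any type granted this attribute gains a path into unconfined_t, the declaration should point the reader at the rule that grants the transition and at the intended holders, e.g. `# Attribute for domains allowed to transition to unconfined_t; see targeted/domains/unconfined.te for the rule and the domains that carry it`. The attrib.te hunk itself is complete, but the unconfined.te side is outside this view.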
@@ -12,7 +25,7 @@
  allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/fsadm.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/fsadm.te	2005-10-11 11:25:21.000000000 -0400
 @@ -102,10 +102,10 @@
  allow fsadm_t kernel_t:system syslog_console;
  
@@ -35,7 +48,7 @@
 +allow fsadm_t file_type:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.27.1/domains/program/hostname.te
 --- nsapolicy/domains/program/hostname.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/hostname.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/hostname.te	2005-10-11 11:25:21.000000000 -0400
 @@ -24,5 +24,5 @@
  ifdef(`distro_redhat', `
  allow hostname_t tmpfs_t:chr_file rw_file_perms;
@@ -45,7 +58,7 @@
  allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ifconfig.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/ifconfig.te	2005-10-11 11:25:21.000000000 -0400
 @@ -52,7 +52,8 @@
  allow ifconfig_t self:udp_socket create_socket_perms;
  
@@ -56,9 +69,18 @@
  ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
  
  allow ifconfig_t tun_tap_device_t:chr_file { read write };
+@@ -60,7 +61,7 @@
+ # ifconfig attempts to search some sysctl entries.
+ # Do not audit those attempts; comment out these rules if it is desired to
+ # see the denials.
+-dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
++allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
+ 
+ allow ifconfig_t fs_t:filesystem getattr;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/initrc.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/initrc.te	2005-10-11 11:25:21.000000000 -0400
 @@ -56,6 +56,10 @@
  can_create_pty(initrc)
  
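Review bot: The comment above the changed ifconfig rule is now wrong: it still says the sysctl search attempts are not audited and that the rules can be commented out to see the denials, but the rule beneath it changed from `dontaudit` to `allow`, so there are no denials left to reveal. Either rewrite it to match, e.g. `# ifconfig searches some sysctl entries; grant the search rather than silencing the denial.`, or keep the dontaudit if the search is not actually needed for ifconfig to work. Note the grant also covers `sysctl_t`, presumably the whole /proc/sys directory, not just the net subtree, so the justification should say why both are required.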
@@ -96,7 +118,7 @@
 +r_dir_file(initrc_t, cert_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
 --- nsapolicy/domains/program/ldconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ldconfig.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/ldconfig.te	2005-10-11 11:25:21.000000000 -0400
 @@ -16,7 +16,8 @@
  
  domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
@@ -109,7 +131,7 @@
  uses_shlib(ldconfig_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.27.1/domains/program/load_policy.te
 --- nsapolicy/domains/program/load_policy.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/load_policy.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/load_policy.te	2005-10-11 11:25:21.000000000 -0400
 @@ -45,11 +45,12 @@
  allow load_policy_t root_t:dir search;
  allow load_policy_t etc_t:dir search;
@@ -128,7 +150,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/login.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/login.te	2005-10-11 11:25:21.000000000 -0400
 @@ -62,6 +62,11 @@
  
  ifdef(`pamconsole.te', `
@@ -180,7 +202,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
 --- nsapolicy/domains/program/modutil.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/modutil.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/modutil.te	2005-10-11 11:25:21.000000000 -0400
 @@ -59,7 +59,8 @@
  allow depmod_t modules_object_t:file unlink;
  
@@ -233,7 +255,7 @@
  allow update_modules_t urandom_device_t:chr_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.27.1/domains/program/mount.te
 --- nsapolicy/domains/program/mount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/mount.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/mount.te	2005-10-11 11:25:21.000000000 -0400
 @@ -16,13 +16,14 @@
  role sysadm_r types mount_t;
  role system_r types mount_t;
@@ -253,7 +275,7 @@
  allow mount_t file_type:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.27.1/domains/program/netutils.te
 --- nsapolicy/domains/program/netutils.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/netutils.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/netutils.te	2005-10-11 11:25:21.000000000 -0400
 @@ -55,7 +55,8 @@
  
  # Access terminals.
@@ -266,7 +288,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.27.1/domains/program/passwd.te
 --- nsapolicy/domains/program/passwd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/passwd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/passwd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -153,5 +153,4 @@
  
  ifdef(`targeted_policy', `
@@ -275,7 +297,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/restorecon.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/restorecon.te	2005-10-11 11:25:21.000000000 -0400
 @@ -19,7 +19,7 @@
  role sysadm_r types restorecon_t;
  role secadm_r types restorecon_t;
@@ -292,7 +314,7 @@
 +allow restorecon_t autofs_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
 --- nsapolicy/domains/program/setfiles.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/setfiles.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/setfiles.te	2005-10-11 11:25:21.000000000 -0400
 @@ -12,7 +12,7 @@
  #
  # needs auth_write attribute because it has relabelfrom/relabelto
@@ -313,7 +335,7 @@
  allow setfiles_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ssh.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/ssh.te	2005-10-11 11:25:21.000000000 -0400
 @@ -153,6 +153,7 @@
  #
  sshd_program_domain(sshd)
@@ -340,7 +362,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
 --- nsapolicy/domains/program/su.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/su.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/su.te	2005-10-11 11:25:21.000000000 -0400
 @@ -12,3 +12,12 @@
  
  # Everything else is in the su_domain macro in
@@ -356,7 +378,19 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.1/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/syslogd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/syslogd.te	2005-10-11 11:25:21.000000000 -0400
+@@ -14,9 +14,9 @@
+ # by syslogd.
+ #
+ ifdef(`klogd.te', `
+-daemon_domain(syslogd, `, privkmsg')
++daemon_domain(syslogd, `, privkmsg, nscd_client_domain')
+ ', `
+-daemon_domain(syslogd, `, privmem, privkmsg')
++daemon_domain(syslogd, `, privmem, privkmsg, nscd_client_domain')
+ ')
+ 
+ # can_network is for the UDP socket
 @@ -33,7 +33,7 @@
  tmp_domain(syslogd)
  
@@ -368,7 +402,7 @@
  allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/alsa.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/alsa.te	2005-10-11 11:25:21.000000000 -0400
 @@ -11,6 +11,8 @@
  allow alsa_t self:unix_stream_socket create_stream_socket_perms;
  allow alsa_t self:unix_dgram_socket create_socket_perms;
@@ -380,7 +414,7 @@
  allow alsa_t self:capability { setgid setuid ipc_owner };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/amanda.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/amanda.te	2005-10-11 11:25:21.000000000 -0400
 @@ -84,7 +84,6 @@
  
  # configuration files -> read only
@@ -434,15 +468,26 @@
  # access to fs_t
  allow amanda_t fs_t:filesystem getattr;
  
-@@ -159,6 +133,8 @@
+@@ -158,7 +132,8 @@
+ 
  allow amanda_t self:capability { chown dac_override setuid };
  allow amanda_t self:process { fork sigchld setpgid signal };
- allow amanda_t self:unix_dgram_socket create;
+-allow amanda_t self:unix_dgram_socket create;
 +allow amanda_t self:dir search;
 +allow amanda_t self:file { getattr read };
  
  
  ###################################
+@@ -170,7 +145,8 @@
+ can_exec(amanda_t, sbin_t);
+ 	
+ allow amanda_t self:fifo_file { getattr read write ioctl lock };
+-allow amanda_t self:unix_stream_socket { connect create read write };
++allow amanda_t self:unix_stream_socket create_stream_socket_perms;
++allow amanda_t self:unix_dgram_socket create_socket_perms;
+ 
+ 
+ ##########################
 @@ -192,18 +168,8 @@
  ########################
  
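Review bot: `allow amanda_t self:dir search;` and `allow amanda_t self:file { getattr read };` are added without any comment; rules on a domain's own type as a directory or file normally cover the process's /proc/<pid> entries, and that intent should be stated so the next reader does not mistake them for a generic self grant, e.g. `# read own /proc/<pid> entries`. The stream-socket rule also widens from the explicit `{ connect create read write }` to the `create_stream_socket_perms` macro and a full `create_socket_perms` is granted on the dgram socket where only `create` was before; if these are straight imports of the upstream rules, the changelog line "match upstream version" should say so next to these rules, since the widening is otherwise unexplained.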
@@ -531,7 +576,7 @@
 +allow amanda_t file_type:fifo_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
 --- nsapolicy/domains/program/unused/anaconda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/anaconda.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/anaconda.te	2005-10-11 11:25:21.000000000 -0400
 @@ -17,11 +17,6 @@
  role system_r types ldconfig_t;
  domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
@@ -546,7 +591,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apache.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apache.te	2005-10-11 11:25:21.000000000 -0400
 @@ -113,9 +113,12 @@
  can_network_server(httpd_t)
  can_kerberos(httpd_t)
@@ -571,9 +616,37 @@
  anonymous_domain(httpd)
  
  # connect to mysql
+@@ -305,9 +308,9 @@
+ if (httpd_tty_comm) {
+ allow { httpd_t httpd_helper_t } devpts_t:dir search;
+ ifdef(`targeted_policy', `
+-allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
++allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
+ ')
+-allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
++allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
+ } else {
+ dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
+ }
+@@ -367,13 +370,13 @@
+ allow httpd_suexec_t autofs_t:dir { search getattr };
+ tmp_domain(httpd_suexec)
+ 
+-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
++if (httpd_enable_cgi && httpd_unified) {
+ domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+ ')
+ }
+-if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
++if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
+ domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+ create_dir_file(httpd_t, httpdcontent)
+ }
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apmd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apmd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -47,6 +47,7 @@
  
  # acpid also has a logfile
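Review bot: Dropping `ifdef(`targeted_policy', ` && ! httpd_disable_trans')` from both conditionals means that under targeted policy the automatic transition into httpd_sys_script_t is no longer suppressed by the httpd_disable_trans boolean, at least not by these two rules. If that check now lives elsewhere (the diffstat shows targeted/domains/unconfined.te and apache_macros.te also changing) the log entry should say so; otherwise setting the boolean no longer does what its name promises, which is a silent policy regression rather than a cleanup. The tty change from `{ read write }` to `rw_file_perms` is a smaller widening (it adds at least ioctl and getattr on the tty) and is fine to take as-is, but is worth a word in the changelog too.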
@@ -600,7 +673,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/auditd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/auditd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -65,3 +65,5 @@
  allow auditctl_t privfd:fd use;
  
@@ -609,7 +682,7 @@
 +can_exec(auditd_t, sbin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
 --- nsapolicy/domains/program/unused/automount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/automount.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/automount.te	2005-10-11 11:25:21.000000000 -0400
 @@ -34,7 +34,9 @@
  can_exec(automount_t, { etc_t automount_etc_t })
  
@@ -635,8 +708,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-09-27 09:57:41.000000000 -0400
-@@ -11,11 +11,17 @@
++++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-10-11 14:00:07.000000000 -0400
+@@ -11,16 +11,23 @@
  daemon_domain(bluetooth)
  
  file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
@@ -646,6 +719,7 @@
 +var_lib_domain(bluetooth)
  
  # Use capabilities.
++allow bluetooth_t self:file read;
  allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
 +allow bluetooth_t self:process getsched;
 +allow bluetooth_t proc_t:file { getattr read };
@@ -654,7 +728,13 @@
  
  lock_domain(bluetooth)
  
-@@ -35,6 +41,7 @@
+ # Use the network.
+-can_network_server(bluetooth_t)
++can_network(bluetooth_t)
+ can_ypbind(bluetooth_t)
+ ifdef(`dbusd.te', `
+ dbusd_client(system, bluetooth)
+@@ -35,6 +42,7 @@
  
  # bluetooth_conf_t is the type of the /etc/bluetooth dir.
  type bluetooth_conf_t, file_type, sysadmfile;
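Review bot: `can_network(bluetooth_t)` replaces `can_network_server(bluetooth_t)`, which, unless network_macros.te (also touched by this patch) redefines the macros, widens the daemon from accepting connections to initiating them as well. The changelog only says "Update Bluetooth", so nothing records which bluetooth component needs outbound sockets. A one-line comment above the rule naming that component, e.g. `# <component> needs outbound connections, not just listening sockets -- TODO confirm`, would let a later reviewer decide whether a narrower grant is possible. The surrounding bluetooth.te hunk continues in the following hunks of this section.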
@@ -662,7 +742,7 @@
  
  # Read /etc/bluetooth
  allow bluetooth_t bluetooth_conf_t:dir search;
-@@ -44,5 +51,57 @@
+@@ -44,5 +52,56 @@
  allow bluetooth_t usbfs_t:dir r_dir_perms;
  allow bluetooth_t usbfs_t:file rw_file_perms; 
  allow bluetooth_t bin_t:dir search;
@@ -717,13 +797,12 @@
 +allow unpriv_userdomain bluetooth_t:dbus send_msg;
 +')
 +allow bluetooth_helper_t bluetooth_t:socket { read write };
-+
+ 
 +dontaudit bluetooth_helper_t default_t:dir { read search };
 +dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
- 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cups.te	2005-10-11 11:25:21.000000000 -0400
 @@ -188,6 +188,7 @@
  # Uses networking to talk to the daemons
  allow hplip_t self:unix_dgram_socket create_socket_perms;
@@ -742,6 +821,15 @@
  
  dontaudit cupsd_t selinux_config_t:dir search;
  dontaudit cupsd_t selinux_config_t:file { getattr read };
+@@ -209,7 +213,7 @@
+ ')
+ 
+ # CUPS configuration daemon
+-daemon_domain(cupsd_config)
++daemon_domain(cupsd_config, `, nscd_client_domain')
+ 
+ allow cupsd_config_t devpts_t:dir search;
+ allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
 @@ -231,12 +235,13 @@
  allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
  can_ps(cupsd_config_t, cupsd_t)
@@ -774,12 +862,12 @@
  r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
  allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
 +ifdef(`use_mcs', `
-+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
++range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.27.1/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cvs.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cvs.te	2005-10-11 11:25:21.000000000 -0400
 @@ -23,6 +23,9 @@
  allow cvs_t etc_runtime_t:file { getattr read };
  allow system_mail_t cvs_data_t:file { getattr read };
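Review bot: The MCS category range in `range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;` is a hard-coded literal, bumped here from `c0.c127`, presumably to track the category count declared in the `mcs` file that this patch also modifies. Keeping the range inline in cups.te means the two can drift again the next time the category count changes, and nothing in this hunk ties them together. At minimum add a comment above the rule, `# must match the number of categories defined in mcs`, or derive the upper bound from a shared m4 definition if the build already provides one.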
@@ -792,7 +880,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cyrus.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cyrus.te	2005-10-11 11:25:21.000000000 -0400
 @@ -42,7 +42,7 @@
  create_dir_file(cyrus_t, mail_spool_t)
  allow cyrus_t var_spool_t:dir search;
@@ -804,7 +892,7 @@
  allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dbusd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dbusd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -12,7 +12,7 @@
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -822,7 +910,7 @@
 +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-10-11 11:25:21.000000000 -0400
 @@ -120,6 +120,7 @@
  allow dhcpc_t self:packet_socket create_socket_perms;
  allow dhcpc_t var_lib_t:dir search;
@@ -856,7 +944,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.1/domains/program/unused/dhcpd.te
 --- nsapolicy/domains/program/unused/dhcpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -17,8 +17,6 @@
  #
  daemon_domain(dhcpd, `, nscd_client_domain')
@@ -876,7 +964,7 @@
  allow dhcpd_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
 --- nsapolicy/domains/program/unused/dovecot.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dovecot.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dovecot.te	2005-10-11 11:25:21.000000000 -0400
 @@ -43,7 +43,9 @@
  can_kerberos(dovecot_t)
  
@@ -888,9 +976,26 @@
  create_dir_file(dovecot_t, dovecot_spool_t)
  create_dir_file(mta_delivery_agent, dovecot_spool_t)
  allow dovecot_t mail_spool_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.1/domains/program/unused/ftpd.te
+--- nsapolicy/domains/program/unused/ftpd.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ftpd.te	2005-10-11 11:25:21.000000000 -0400
+@@ -99,9 +99,11 @@
+ 
+ if (ftp_home_dir) {
+ # allow access to /home
+-allow ftpd_t home_root_t:dir { getattr search };
+-allow ftpd_t home_dir_type:dir r_dir_perms;
++allow ftpd_t home_root_t:dir r_dir_perms;
+ create_dir_file(ftpd_t, home_type)
++ifdef(`targeted_policy', `
++file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)
++')
+ }
+ if (use_nfs_home_dirs && ftp_home_dir) {
+ 	r_dir_file(ftpd_t, nfs_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.1/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hald.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hald.te	2005-10-11 11:25:21.000000000 -0400
 @@ -100,4 +100,4 @@
  ifdef(`mount.te', `
  domain_auto_trans(hald_t, mount_exec_t, mount_t)
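Review bot: The rule `allow ftpd_t home_dir_type:dir r_dir_perms;` is removed and not obviously replaced: the new `home_root_t:dir r_dir_perms` covers the /home root and `create_dir_file(ftpd_t, home_type)` covers home contents, but whether the home-directory types themselves carry the home_type attribute cannot be seen from this hunk. If they do not, listing a user's home directory over FTP will start being denied when ftp_home_dir is on, so the log message should state that the removal is intentional and why. The added `file_type_auto_trans(ftpd_t, user_home_dir_t, user_home_t)` inside `ifdef(`targeted_policy'` also deserves a one-line comment saying why the transition is targeted-only, e.g. `# targeted policy has a single user_home_t; strict users get per-role home types`, hedged as appropriate if that is not the actual reason.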
@@ -899,7 +1004,19 @@
 +r_dir_file(hald_t, hwdata_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hotplug.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hotplug.te	2005-10-11 11:25:21.000000000 -0400
+@@ -11,9 +11,9 @@
+ # hotplug_exec_t is the type of the hotplug executable.
+ #
+ ifdef(`unlimitedUtils', `
+-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
++daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
+ ', `
+-daemon_domain(hotplug, `, privmodule')
++daemon_domain(hotplug, `, privmodule, nscd_client_domain')
+ ')
+ 
+ etcdir_domain(hotplug)
 @@ -132,6 +132,7 @@
  allow hotplug_t sysfs_t:dir { getattr read search write };
  allow hotplug_t sysfs_t:file rw_file_perms;
@@ -910,7 +1027,7 @@
  allow hotplug_t printer_device_t:chr_file setattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hwclock.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hwclock.te	2005-10-11 11:25:21.000000000 -0400
 @@ -21,7 +21,6 @@
  domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
  ')
@@ -926,7 +1043,7 @@
 +r_dir_file(hwclock_t, etc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.1/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ipsec.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ipsec.te	2005-10-11 11:25:21.000000000 -0400
 @@ -219,7 +219,7 @@
  dontaudit ipsec_mgmt_t selinux_config_t:dir search;
  dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -938,7 +1055,7 @@
  allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/kudzu.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/kudzu.te	2005-10-11 11:25:21.000000000 -0400
 @@ -20,7 +20,7 @@
  allow kudzu_t ramfs_t:dir search;
  allow kudzu_t ramfs_t:sock_file write;
@@ -967,7 +1084,7 @@
  allow kudzu_t initrc_t:unix_stream_socket connectto;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mta.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mta.te	2005-10-11 11:25:21.000000000 -0400
 @@ -31,6 +31,10 @@
  create_dir_file(system_mail_t, mail_spool_t)
  allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
@@ -989,7 +1106,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mysqld.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mysqld.te	2005-10-11 11:25:21.000000000 -0400
 @@ -12,7 +12,7 @@
  #
  daemon_domain(mysqld, `, nscd_client_domain')
@@ -1019,7 +1136,7 @@
 -allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.1/domains/program/unused/named.te
 --- nsapolicy/domains/program/unused/named.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/named.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/named.te	2005-10-11 11:25:21.000000000 -0400
 @@ -36,7 +36,7 @@
  allow named_t self:process { setsched setcap setrlimit };
  
@@ -1029,7 +1146,29 @@
  
  # for primary zone files
  type named_zone_t, file_type, sysadmfile;
-@@ -113,13 +113,19 @@
+@@ -101,6 +101,21 @@
+ # Use a pipe created by self.
+ allow named_t self:fifo_file rw_file_perms;
+ 
++# Enable named dbus support:
++ifdef(`dbusd.te', `
++dbusd_client(system, named)
++domain_auto_trans(system_dbusd_t, named_exec_t, named_t)
++allow named_t system_dbusd_t:dbus { acquire_svc send_msg };
++allow named_t self:dbus send_msg;
++allow { NetworkManager_t dhcpc_t initrc_t } named_t:dbus send_msg;
++allow named_t { NetworkManager_t dhcpc_t initrc_t }:dbus send_msg;
++ifdef(`unconfined.te', `
++allow unconfined_t named_t:dbus send_msg;
++allow named_t unconfined_t:dbus send_msg;
++')
++')
++
++
+ # Set own capabilities.
+ #A type for /usr/sbin/ndc
+ type ndc_exec_t, file_type,sysadmfile, exec_type;
+@@ -113,13 +128,19 @@
  read_locale(ndc_t)
  can_tcp_connect(ndc_t, named_t)
  
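Review bot: Inside the new `ifdef(`dbusd.te', ...)` block, the two `send_msg` rules on `{ NetworkManager_t dhcpc_t initrc_t }` reference NetworkManager_t and dhcpc_t unconditionally, while the unconfined_t pair a few lines below is correctly wrapped in `ifdef(`unconfined.te', ...)`; a build that omits NetworkManager.te or dhcpc.te will fail on an undefined type. Guard them the same way, e.g. `ifdef(`NetworkManager.te', `allow NetworkManager_t named_t:dbus send_msg; allow named_t NetworkManager_t:dbus send_msg;')` and likewise for dhcpc_t, leaving the initrc_t pair unconditional. The `domain_auto_trans(system_dbusd_t, named_exec_t, named_t)` line is the only non-messaging rule in the block and deserves a one-line comment (presumably it allows the bus daemon to start named on demand; confirm), since it lets system_dbusd_t spawn named.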
@@ -1051,7 +1190,7 @@
  allow { ndc_t initrc_t } named_conf_t:file { getattr read };
  
  allow ndc_t etc_t:dir r_dir_perms;
-@@ -161,3 +167,5 @@
+@@ -161,3 +182,5 @@
  ')
  allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
  dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
@@ -1059,7 +1198,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-10-11 11:25:21.000000000 -0400
 @@ -11,7 +11,7 @@
  # NetworkManager_t is the domain for the NetworkManager daemon. 
  # NetworkManager_exec_t is the type of the NetworkManager executable.
@@ -1076,7 +1215,7 @@
 +dontaudit NetworkManager_t security_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.1/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/nscd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/nscd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -76,3 +76,4 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
@@ -1084,21 +1223,24 @@
 +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ntpd.te	2005-09-27 09:57:41.000000000 -0400
-@@ -26,9 +26,10 @@
++++ policy-1.27.1/domains/program/unused/ntpd.te	2005-10-11 11:25:21.000000000 -0400
+@@ -26,11 +26,11 @@
  # for SSP
  allow ntpd_t urandom_device_t:chr_file { getattr read };
  
 -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
-+# sys_resource and setrlimit is for locking memory
-+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_resource };
- dontaudit ntpd_t self:capability { net_admin };
+-dontaudit ntpd_t self:capability { net_admin };
 -allow ntpd_t self:process { setcap setsched };
++# sys_resource and setrlimit is for locking memory
++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
++dontaudit ntpd_t self:capability { fsetid net_admin };
 +allow ntpd_t self:process { setcap setsched setrlimit };
  # ntpdate wants sys_nice
- dontaudit ntpd_t self:capability { fsetid sys_nice };
+-dontaudit ntpd_t self:capability { fsetid sys_nice };
  
-@@ -54,7 +55,7 @@
+ # for some reason it creates a file in /tmp
+ tmp_domain(ntpd)
+@@ -54,7 +54,7 @@
  # for cron jobs
  # system_crond_t is not right, cron is not doing what it should
  ifdef(`crond.te', `
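Review bot: The context line `# ntpdate wants sys_nice` now dangles: the `dontaudit ntpd_t self:capability { fsetid sys_nice };` it described is removed on the new side, and sys_nice is instead granted in the `allow ntpd_t self:capability { ... sys_nice sys_resource }` line further up, whose comment only justifies sys_resource. Move the explanation to the grant, e.g. `# sys_resource and setrlimit are for locking memory; ntpdate wants sys_nice`, and drop the orphaned comment. This is also a silent upgrade of sys_nice from dontaudit to allow, so the grant is where a reader will look for the reason.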
@@ -1109,7 +1251,7 @@
  can_exec(ntpd_t, initrc_exec_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
 --- nsapolicy/domains/program/unused/openct.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/openct.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/openct.te	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,16 @@
 +#DESC openct - read files in page cache 
 +#
@@ -1129,7 +1271,7 @@
 +allow openct_t etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
 --- nsapolicy/domains/program/unused/pamconsole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-10-11 11:25:21.000000000 -0400
 @@ -25,6 +25,7 @@
  # for /var/run/console.lock checking
  allow pam_console_t { var_t var_run_t }:dir search;
@@ -1145,8 +1287,8 @@
 +nsswitch_domain(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te
 --- nsapolicy/domains/program/unused/pegasus.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/pegasus.te	2005-09-27 09:57:41.000000000 -0400
-@@ -0,0 +1,31 @@
++++ policy-1.27.1/domains/program/unused/pegasus.te	2005-10-11 11:25:21.000000000 -0400
+@@ -0,0 +1,37 @@
 +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
 +#
 +# Author:  Jason Vas Dias <jvdias at redhat.com>
@@ -1156,17 +1298,20 @@
 +#
 +# Rules for the pegasus domain
 +#
-+daemon_domain(pegasus, `, nscd_client_domain')
++daemon_domain(pegasus, `, nscd_client_domain, auth')
 +type pegasus_data_t, file_type, sysadmfile;
 +type pegasus_conf_t, file_type, sysadmfile;
 +type pegasus_mof_t, file_type, sysadmfile;
 +type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
-+allow pegasus_t self:capability { dac_override net_bind_service }; 
++allow pegasus_t self:capability { dac_override net_bind_service audit_write }; 
 +can_network_tcp(pegasus_t);
 +nsswitch_domain(pegasus_t);
 +allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
 +allow pegasus_t self:unix_dgram_socket create_socket_perms;
 +allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
++allow pegasus_t self:file { read getattr };
++allow pegasus_t self:fifo_file rw_file_perms;
++allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
 +allow pegasus_t proc_t:file { getattr read };
 +allow pegasus_t sysctl_vm_t:dir search;
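Review bot: `daemon_domain(pegasus, `, nscd_client_domain, auth')` adds the `auth` attribute, and the next hunk of the same file adds an explicit `allow pegasus_t shadow_t:file { getattr read };`; if `auth` already conveys shadow_t read as its name suggests, the explicit rule is redundant, and if it does not, a comment should say which of the two is the intended mechanism. A network-facing CIM server (it name_binds pegasus_http_port_t/pegasus_https_port_t) reading /etc/shadow directly is exactly the grant that needs a why-comment, e.g. `# cimserver authenticates against /etc/shadow in-process rather than through a chkpwd helper — TODO confirm`. The new `audit_write` capability and the `netlink_audit_socket` rule belong together and could share one comment (presumably PAM audit records), since nothing in the hunk says why a CIM server emits audit messages.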
@@ -1178,9 +1323,12 @@
 +rw_dir_create_file(pegasus_t, pegasus_conf_t)
 +rw_dir_create_file(pegasus_t, pegasus_data_t)
 +rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
++allow pegasus_t shadow_t:file { getattr read };
++dontaudit pegasus_t selinux_config_t:dir search;
++
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.1/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ping.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ping.te	2005-10-11 11:25:21.000000000 -0400
 @@ -37,6 +37,7 @@
  uses_shlib(ping_t)
  can_network_client(ping_t)
@@ -1199,7 +1347,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
 --- nsapolicy/domains/program/unused/postfix.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postfix.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/postfix.te	2005-10-11 11:25:21.000000000 -0400
 @@ -54,6 +54,8 @@
  allow postfix_$1_t proc_net_t:dir search;
  allow postfix_$1_t proc_net_t:file { getattr read };
@@ -1219,15 +1367,22 @@
  read_sysctl(postfix_master_t)
  
  domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
-@@ -98,6 +103,7 @@
+@@ -97,10 +102,12 @@
+ dontaudit postfix_master_t selinux_config_t:dir search;
  can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
  ifdef(`distro_redhat', `
++# compatability for old default main.cf
  file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
-+file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, etc_t, etc_aliases_t)
- ', `
- file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
- ')
-@@ -121,7 +127,7 @@
+-', `
+-file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
++# for newer main.cf that uses /etc/aliases
++file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
+ ')
++file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
+ allow postfix_master_t sendmail_exec_t:file r_file_perms;
+ allow postfix_master_t sbin_t:lnk_file { getattr read };
+ ifdef(`pppd.te', `
+@@ -121,7 +128,7 @@
  can_network(postfix_master_t)
  allow postfix_master_t port_type:tcp_socket name_connect;
  can_ypbind(postfix_master_t)
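Review bot: The new comment `# compatability for old default main.cf` misspells "compatibility"; write `# compatibility with the old default main.cf (aliases under postfix_etc_t)` so it also says what "old" refers to. The companion comment `# for newer main.cf that uses /etc/aliases` could likewise name the path the transition covers, since the two rules differ only in the source directory type.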
@@ -1236,7 +1391,7 @@
  allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
  allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
  allow postfix_master_t postfix_prng_t:file getattr;
-@@ -135,13 +141,11 @@
+@@ -135,14 +142,10 @@
  ')
  
  create_dir_file(postfix_master_t, postfix_spool_flush_t)
@@ -1245,12 +1400,13 @@
  # for ls to get the current context
  allow postfix_master_t self:file { getattr read };
  
- # for SSP
+-# for SSP
 -allow postfix_master_t urandom_device_t:chr_file read;
- 
+-
  # allow access to deferred queue and allow removing bogus incoming entries
  allow postfix_master_t postfix_spool_t:dir create_dir_perms;
-@@ -163,7 +167,6 @@
+ allow postfix_master_t postfix_spool_t:file create_file_perms;
+@@ -163,7 +166,6 @@
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
  allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
@@ -1258,7 +1414,7 @@
  allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
  # if you have two different mail servers on the same host let them talk via
  # SMTP, also if one mail server wants to talk to itself then allow it and let
-@@ -172,7 +175,6 @@
+@@ -172,7 +174,6 @@
  can_tcp_connect(postfix_smtp_t, mail_server_domain)
  
  postfix_server_domain(smtpd)
@@ -1266,25 +1422,32 @@
  allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
  allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
  allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-@@ -184,7 +186,7 @@
+@@ -184,7 +185,6 @@
  
  # for prng_exch
  allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
 -
-+dontaudit postfix_smtpd_t { home_root_t boot_t }:dir getattr;
  allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
  
  postfix_server_domain(local, `, mta_delivery_agent')
-@@ -196,7 +198,7 @@
+@@ -196,7 +196,7 @@
  ')
  allow postfix_local_t etc_aliases_t:file r_file_perms;
  allow postfix_local_t self:fifo_file rw_file_perms;
 -allow postfix_local_t self:process setrlimit;
-+allow postfix_local_t postfix_local_t:process { setsched setrlimit };
++allow postfix_local_t self:process { setsched setrlimit };
  allow postfix_local_t postfix_spool_t:file rw_file_perms;
  # for .forward - maybe we need a new type for it?
  allow postfix_local_t postfix_private_t:dir search;
-@@ -260,7 +262,7 @@
+@@ -241,6 +241,7 @@
+ allow postfix_postqueue_t postfix_public_t:dir search;
+ allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
+ allow postfix_postqueue_t self:udp_socket { create ioctl };
++allow postfix_postqueue_t self:tcp_socket create;
+ allow postfix_master_t postfix_postqueue_exec_t:file getattr;
+ domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+ allow postfix_postqueue_t initrc_t:process sigchld;
+@@ -260,7 +261,7 @@
  postfix_user_domain(showq)
  # the following auto_trans is usually in postfix server domain
  domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
@@ -1293,6 +1456,14 @@
  r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
  domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  allow postfix_showq_t self:capability { setuid setgid };
+@@ -284,6 +285,7 @@
+ allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
+ # usually it does not need a UDP socket
+ allow postfix_postdrop_t self:udp_socket create_socket_perms;
++allow postfix_postdrop_t self:tcp_socket create;
+ allow postfix_postdrop_t self:capability sys_resource;
+ 
+ postfix_public_domain(pickup)
 @@ -329,7 +331,8 @@
  domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
  ')
@@ -1303,18 +1474,14 @@
  ')
  
  # Program for creating database files
-@@ -348,5 +351,8 @@
- dontaudit postfix_map_t var_t:dir search;
- can_network_server(postfix_map_t)
+@@ -350,3 +353,4 @@
  allow postfix_map_t port_type:tcp_socket name_connect;
-+r_dir_file(postfix_local_t, etc_mail_t)
  allow postfix_local_t mail_spool_t:dir { remove_name };
  allow postfix_local_t mail_spool_t:file { unlink };
 +can_exec(postfix_local_t, bin_t)
-+
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pppd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
@@ -1337,7 +1504,7 @@
  can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
  allow pppd_t { bin_t sbin_t }:dir search;
  allow pppd_t { sbin_t bin_t }:lnk_file read;
-+dontaudit  ifconfig_t pppd_t:fd use;
++allow ifconfig_t pppd_t:fd use;
  
  # Access /dev/ppp.
  allow pppd_t ppp_device_t:chr_file rw_file_perms;
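Review bot: `allow ifconfig_t pppd_t:fd use;` turns a dontaudit into a real grant but carries no comment, and the next hunk's `allow pppd_t initrc_t:process noatsecure;` is in the same situation; both change what the transitioned process can do rather than just silence a denial, so each should say why. For the fd rule something like `# ifconfig run from pppd inherits pppd's open descriptors` (confirm against the denial that prompted it), and for noatsecure `# ip-up/ip-down scripts rely on pppd's environment, so the initrc_t transition must not run in secure-exec mode`. noatsecure switches off the AT_SECURE sanitisation glibc applies across a domain transition, which is worth stating explicitly next to the rule so a later reviewer knows the environment hand-off is intentional.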
@@ -1350,9 +1517,14 @@
  can_network_client_tcp(pptp_t)
  allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
  can_exec(pptp_t, hostname_exec_t)
+@@ -144,3 +145,4 @@
+ # Allow /etc/ppp/ip-{up,down} to run most anything
+ type pppd_script_exec_t, file_type, sysadmfile;
+ domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
++allow pppd_t initrc_t:process noatsecure;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/procmail.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/procmail.te	2005-10-11 11:25:21.000000000 -0400
 @@ -19,8 +19,7 @@
  uses_shlib(procmail_t)
  allow procmail_t device_t:dir search;
@@ -1380,7 +1552,7 @@
  # Search /var/run.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te
 --- nsapolicy/domains/program/unused/readahead.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/readahead.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/readahead.te	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,21 @@
 +#DESC readahead - read files in page cache 
 +#
@@ -1405,7 +1577,7 @@
 +dontaudit readahead_t device_type:blk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.27.1/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rlogind.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rlogind.te	2005-10-11 11:25:21.000000000 -0400
 @@ -35,4 +35,6 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
@@ -1416,7 +1588,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te
 --- nsapolicy/domains/program/unused/roundup.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/roundup.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/roundup.te	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,29 @@
 +# Roundup Issue Tracking System
 +#
@@ -1449,7 +1621,7 @@
 +allow roundup_t etc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.1/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpcd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpcd.te	2005-10-11 12:56:56.000000000 -0400
 @@ -19,7 +19,7 @@
  can_network($1_t)
  allow $1_t port_type:tcp_socket name_connect;
@@ -1459,8 +1631,12 @@
  read_locale($1_t)
  allow $1_t self:capability net_bind_service;
  dontaudit $1_t self:capability net_admin;
-@@ -151,3 +151,13 @@
- allow gssd_t self:capability setuid;
+@@ -148,6 +148,15 @@
+ allow gssd_t rpc_pipefs_t:dir r_dir_perms;
+ allow gssd_t rpc_pipefs_t:sock_file { read write };
+ allow gssd_t rpc_pipefs_t:file r_file_perms;
+-allow gssd_t self:capability setuid;
++allow gssd_t self:capability { dac_override dac_read_search setuid };
  allow nfsd_t devtty_t:chr_file rw_file_perms;
  allow rpcd_t devtty_t:chr_file rw_file_perms;
 +
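Review bot: `allow gssd_t self:capability { dac_override dac_read_search setuid };` grants both dac_override and dac_read_search, but dac_override already bypasses read and search checks, so the pair is redundant, and if the need is only reading users' credential caches (consistent with the `r_dir_file(gssd_t, user_tmpfile)` added further down in this file) then dac_read_search alone is the least-privilege choice. Write `allow gssd_t self:capability { dac_read_search setuid };` with a comment such as `# dac_read_search: read credential caches owned by other users` unless a write path is known to need dac_override, in which case the comment should name it.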
@@ -1472,10 +1648,19 @@
 +r_dir_file(gssd_t, user_tmpfile)
 +')
 +}
-+
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.1/domains/program/unused/rsync.te
+--- nsapolicy/domains/program/unused/rsync.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rsync.te	2005-10-11 14:01:01.000000000 -0400
+@@ -15,5 +15,4 @@
+ type rsync_data_t, file_type, sysadmfile;
+ r_dir_file(rsync_t, rsync_data_t)
+ anonymous_domain(rsync)
+-
+-
++allow rsync_t self:capability sys_chroot;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/samba.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/samba.te	2005-10-11 11:25:21.000000000 -0400
 @@ -25,6 +25,9 @@
  # not sure why it needs this
  tmp_domain(smbd)
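Review bot: `allow rsync_t self:capability sys_chroot;` is added with no comment; rsync in daemon mode chroots into each module's path when rsyncd.conf's `use chroot` is on (its default), and naming that is what lets the next reader decide whether the capability is still needed. Suggest `# rsyncd chroots into the module path (rsyncd.conf "use chroot")` on the line above the grant. Removing the two trailing blank lines is fine.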
@@ -1497,7 +1682,7 @@
  allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
  
  allow smbd_t urandom_device_t:chr_file { getattr read };
-@@ -75,6 +77,11 @@
+@@ -75,6 +77,12 @@
  allow smbd_t samba_log_t:dir ra_dir_perms;
  dontaudit smbd_t samba_log_t:dir remove_name;
  
@@ -1505,13 +1690,14 @@
 +dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
 +dontaudit smbd_t devpts_t:dir getattr;
 +')
++allow smbd_t fs_t:filesystem quotaget;
 +
  allow smbd_t usr_t:file { getattr read };
  
  # Access Samba shares.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
 --- nsapolicy/domains/program/unused/snmpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/snmpd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/snmpd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -22,8 +22,9 @@
  
  # for the .index file
@@ -1532,9 +1718,16 @@
  allow snmpd_t etc_t:lnk_file read;
  allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
  allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+@@ -79,5 +80,6 @@
+ 
+ allow snmpd_t domain:dir { getattr search };
+ allow snmpd_t domain:file { getattr read };
++allow snmpd_t domain:process signull;
+ 
+ dontaudit snmpd_t selinux_config_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/squid.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/squid.te	2005-10-11 11:25:21.000000000 -0400
 @@ -60,7 +60,7 @@
  can_tcp_connect(web_client_domain, squid_t)
  
@@ -1552,7 +1745,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/udev.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/udev.te	2005-10-11 11:25:21.000000000 -0400
 @@ -28,12 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -1584,7 +1777,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.27.1/domains/program/unused/utempter.te
 --- nsapolicy/domains/program/unused/utempter.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/utempter.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/utempter.te	2005-10-11 11:25:21.000000000 -0400
 @@ -19,6 +19,8 @@
  type utempter_exec_t, file_type, sysadmfile, exec_type;
  domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
@@ -1596,7 +1789,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.1/domains/program/unused/webalizer.te
 --- nsapolicy/domains/program/unused/webalizer.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/webalizer.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/webalizer.te	2005-10-11 11:25:21.000000000 -0400
 @@ -20,6 +20,9 @@
  #read apache log
  allow webalizer_t var_log_t:dir r_dir_perms;
@@ -1609,7 +1802,7 @@
  var_lib_domain(webalizer)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/winbind.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/winbind.te	2005-10-11 11:25:21.000000000 -0400
 @@ -44,6 +44,7 @@
  r_dir_file(winbind_t, samba_etc_t)
  allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
@@ -1620,7 +1813,7 @@
  allow winbind_helper_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/xdm.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/xdm.te	2005-10-11 11:25:21.000000000 -0400
 @@ -371,3 +371,6 @@
  dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
  
@@ -1630,7 +1823,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.1/domains/program/unused/yppasswdd.te
 --- nsapolicy/domains/program/unused/yppasswdd.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,40 @@
 +#DESC yppassdd - NIS password update daemon
 +#
@@ -1674,7 +1867,7 @@
 +rw_dir_create_file(yppasswdd_t, var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.1/domains/program/unused/ypserv.te
 --- nsapolicy/domains/program/unused/ypserv.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ypserv.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ypserv.te	2005-10-11 11:25:21.000000000 -0400
 @@ -39,3 +39,4 @@
  ')
  allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
@@ -1682,7 +1875,7 @@
 +can_exec(ypserv_t, bin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.27.1/domains/program/useradd.te
 --- nsapolicy/domains/program/useradd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/useradd.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/domains/program/useradd.te	2005-10-11 11:25:21.000000000 -0400
 @@ -55,7 +55,6 @@
  # useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
  # but will operate without them.
@@ -1706,8 +1899,16 @@
  read_sysctl(useradd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.27.1/file_contexts/distros.fc
 --- nsapolicy/file_contexts/distros.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/distros.fc	2005-09-27 09:57:41.000000000 -0400
-@@ -99,6 +99,7 @@
++++ policy-1.27.1/file_contexts/distros.fc	2005-10-11 11:25:21.000000000 -0400
+@@ -89,6 +89,7 @@
+ /usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
+ /usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
+ /usr/lib/valgrind/vg.*\.so			-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/libxpcom_core.so			-- system_u:object_r:texrel_shlib_t
+ /usr/lib/.*/program(/.*)?			system_u:object_r:bin_t
+ /usr/lib/.*/program/.*\.so.*			system_u:object_r:shlib_t
+ /usr/lib/.*/program/libicudata\.so.*		-- system_u:object_r:texrel_shlib_t
+@@ -99,6 +100,7 @@
  /usr/lib(64)?/.*/program/librecentfile\.so 	--  system_u:object_r:texrel_shlib_t
  /usr/lib(64)?/.*/program/libsvx680li\.so	--  system_u:object_r:texrel_shlib_t
  /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so  	--  system_u:object_r:texrel_shlib_t
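Review bot: `/usr/lib/.*/libxpcom_core.so` leaves the dot before `so` unescaped, unlike every neighbouring entry (`vg.*\.so`, `libicudata\.so.*`); as a regex it still matches the intended file but also any `libxpcom_coreXso`, and the inconsistency invites copy-paste errors in later edits. Write `/usr/lib/.*/libxpcom_core\.so`. The `/usr/lib/.*` prefix without `(64)?` matches the entries it is placed among, so that part is consistent.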
@@ -1717,7 +1918,7 @@
  /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.1/file_contexts/program/bluetooth.fc
 --- nsapolicy/file_contexts/program/bluetooth.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-10-11 13:57:59.000000000 -0400
 @@ -1,8 +1,11 @@
  # bluetooth
  /etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
@@ -1728,11 +1929,11 @@
  /usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
  /var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t
  /usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t
-+/usr/bin/bluepin	--	system_u:object_r:bluetooth_helper_exec_t
++/usr/bin/blue.*pin	--	system_u:object_r:bluetooth_helper_exec_t
 +/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.1/file_contexts/program/dhcpc.fc
 --- nsapolicy/file_contexts/program/dhcpc.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -4,9 +4,11 @@
  /etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
  /etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
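Review bot: `/usr/bin/blue.*pin` broadens the bluepin entry, and because `.*` in a file_contexts regex also matches `/`, it would label any `/usr/bin/blue/…/pin` path as bluetooth_helper_exec_t; the single-component pattern used elsewhere in this patch is `[^/]*` (ftpd.fc's `/srv/([^/]*/)?ftp(/.*)?`), so `/usr/bin/blue[^/]*pin` says exactly what is meant. A short comment listing the binaries the wildcard is meant to cover would also help, since an exec type assigned by pattern is harder to audit than one assigned by name.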
@@ -1747,7 +1948,7 @@
  # pump
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.27.1/file_contexts/program/dhcpd.fc
 --- nsapolicy/file_contexts/program/dhcpd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpd.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/dhcpd.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -13,6 +13,7 @@
  /etc/dhcp			-d	system_u:object_r:dhcp_etc_t
  /etc/dhcp(/.*)?			--	system_u:object_r:dhcp_etc_t
@@ -1758,7 +1959,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.27.1/file_contexts/program/ftpd.fc
 --- nsapolicy/file_contexts/program/ftpd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ftpd.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/ftpd.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -10,7 +10,8 @@
  /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
  /var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
@@ -1772,7 +1973,7 @@
 +/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/games.fc policy-1.27.1/file_contexts/program/games.fc
 --- nsapolicy/file_contexts/program/games.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/games.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/games.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -1,8 +1,10 @@
  #  games
 -/usr/lib(64)?/games/.* 	--	system_u:object_r:games_exec_t
@@ -1797,7 +1998,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.27.1/file_contexts/program/ipsec.fc
 --- nsapolicy/file_contexts/program/ipsec.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -21,6 +21,7 @@
  /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
  /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
@@ -1808,13 +2009,13 @@
  /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/openct.fc policy-1.27.1/file_contexts/program/openct.fc
 --- nsapolicy/file_contexts/program/openct.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/openct.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/openct.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,2 @@
 +/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
 +/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.1/file_contexts/program/pegasus.fc
 --- nsapolicy/file_contexts/program/pegasus.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,11 @@
 +# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
 +/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
@@ -1829,7 +2030,7 @@
 +/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.27.1/file_contexts/program/pppd.fc
 --- nsapolicy/file_contexts/program/pppd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/pppd.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/pppd.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -20,6 +20,6 @@
  /etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
  /etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
@@ -1840,18 +2041,18 @@
  /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/readahead.fc policy-1.27.1/file_contexts/program/readahead.fc
 --- nsapolicy/file_contexts/program/readahead.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/readahead.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/readahead.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/roundup.fc policy-1.27.1/file_contexts/program/roundup.fc
 --- nsapolicy/file_contexts/program/roundup.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/roundup.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/roundup.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,2 @@
 +/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
 +/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpm.fc policy-1.27.1/file_contexts/program/rpm.fc
 --- nsapolicy/file_contexts/program/rpm.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rpm.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/rpm.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -23,3 +23,7 @@
  /var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
  /var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
@@ -1862,7 +2063,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.27.1/file_contexts/program/rsync.fc
 --- nsapolicy/file_contexts/program/rsync.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rsync.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/rsync.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -1,3 +1,3 @@
  # rsync program
  /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
@@ -1870,7 +2071,7 @@
 +/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.27.1/file_contexts/program/xdm.fc
 --- nsapolicy/file_contexts/program/xdm.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/xdm.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/xdm.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -3,7 +3,7 @@
  /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
  /opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
@@ -1882,13 +2083,13 @@
  /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/yppasswdd.fc policy-1.27.1/file_contexts/program/yppasswdd.fc
 --- nsapolicy/file_contexts/program/yppasswdd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/yppasswdd.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/yppasswdd.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,2 @@
 +# yppasswd
 +/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ypserv.fc policy-1.27.1/file_contexts/program/ypserv.fc
 --- nsapolicy/file_contexts/program/ypserv.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -1,3 +1,4 @@
  # ypserv
  /usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
@@ -1896,7 +2097,7 @@
  /etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.1/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/types.fc	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/file_contexts/types.fc	2005-10-11 11:25:21.000000000 -0400
 @@ -133,6 +133,7 @@
  /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
  /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
@@ -1915,7 +2116,7 @@
  # initrd mount point, only used during boot
 diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.1/genfs_contexts
 --- nsapolicy/genfs_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/genfs_contexts	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/genfs_contexts	2005-10-11 11:25:21.000000000 -0400
 @@ -94,7 +94,7 @@
  genfscon debugfs /			system_u:object_r:debugfs_t
  genfscon inotifyfs /			system_u:object_r:inotifyfs_t
@@ -1925,9 +2126,25 @@
  
  # needs more work
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.1/macros/base_user_macros.te
+--- nsapolicy/macros/base_user_macros.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/macros/base_user_macros.te	2005-10-11 11:25:21.000000000 -0400
+@@ -40,6 +40,12 @@
+ allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
+ can_setfscreate($1_t)
+ 
++ifdef(`ftpd.te' , `
++if (ftpd_is_daemon) {
++file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)
++}
++')
++
+ allow $1_t self:capability { setgid chown fowner };
+ dontaudit $1_t self:capability { sys_nice fsetid };
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.27.1/macros/core_macros.te
 --- nsapolicy/macros/core_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/core_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/core_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -620,6 +620,9 @@
  # Label pty files with a derived type.
  type_transition $1_t devpts_t:chr_file $1_devpts_t;
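Review bot: The new rule `file_type_auto_trans(ftpd_t, $1_home_dir_t, $1_home_t)` in base_user_macros.te is conditioned only on `ftpd_is_daemon`, so as soon as ftpd runs as a daemon it may create and write files in every user's home directory with no per-site opt-in; if this policy family already carries a boolean for ftpd home-directory access (presumably `ftp_home_dir`), the condition should be the conjunction, `if (ftpd_is_daemon && ftp_home_dir) {`. A short why-comment would also help the next reader, since ftpd rules are otherwise expected in ftpd.te, e.g. `# ftpd home access must live here: the per-user $1_home_dir_t/$1_home_t types only exist inside this macro`. The enclosing macro definition starts and ends outside the hunk.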
@@ -1940,7 +2157,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/global_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/global_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -157,6 +157,11 @@
  r_dir_file($1, locale_t)
  ')
@@ -1978,7 +2195,7 @@
  #
  define(`anonymous_domain', `
 -r_dir_file($1_t, ftpd_anon_t)
-+r_dir_file($1_t, public_content_t)
++r_dir_file($1_t, { public_content_t public_content_rw_t } )
  bool allow_$1_anon_write false;
  if (allow_$1_anon_write) {
 -create_dir_file($1_t,ftpd_anon_rw_t)
@@ -1994,9 +2211,18 @@
  
  # Mount/unmount any filesystem. 
  allow $1 fs_type:filesystem *;
+@@ -653,7 +661,7 @@
+ allow $1 port_type:tcp_socket name_connect;
+ 
+ # Bind to any network address.
+-allow $1 port_type:{ tcp_socket udp_socket } name_bind;
++allow $1 port_type:{ rawip_socket tcp_socket udp_socket } name_bind;
+ allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+ allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.27.1/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/network_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/network_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -153,7 +153,8 @@
  ')dnl end can_network definition
  
@@ -2027,7 +2253,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.27.1/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/apache_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/apache_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -38,7 +38,7 @@
  allow httpd_$1_script_t etc_runtime_t:file { getattr read };
  read_locale(httpd_$1_script_t)
@@ -2070,7 +2296,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.27.1/macros/program/cdrecord_macros.te
 --- nsapolicy/macros/program/cdrecord_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -41,7 +41,7 @@
  
  allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
@@ -2082,7 +2308,7 @@
  allow $1_cdrecord_t $1_home_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/i18n_input_macros.te policy-1.27.1/macros/program/i18n_input_macros.te
 --- nsapolicy/macros/program/i18n_input_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -0,0 +1,21 @@
 +#
 +# Macros for i18n_input
@@ -2107,7 +2333,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.27.1/macros/program/mta_macros.te
 --- nsapolicy/macros/program/mta_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/mta_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/mta_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -34,7 +34,7 @@
  
  uses_shlib($1_mail_t)
@@ -2128,7 +2354,7 @@
  # For when the user wants to send mail via port 25 localhost
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.27.1/macros/program/newrole_macros.te
 --- nsapolicy/macros/program/newrole_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/newrole_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/newrole_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -20,6 +20,8 @@
  read_locale($1_t)
  read_sysctl($1_t)
@@ -2140,7 +2366,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/pyzor_macros.te policy-1.27.1/macros/program/pyzor_macros.te
 --- nsapolicy/macros/program/pyzor_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/pyzor_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/pyzor_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -64,6 +64,6 @@
  
  # Allow pyzor to be run by hand.  Needed by any action other than
@@ -2151,7 +2377,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/razor_macros.te policy-1.27.1/macros/program/razor_macros.te
 --- nsapolicy/macros/program/razor_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/razor_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/razor_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -70,6 +70,6 @@
  
  # Allow razor to be run by hand.  Needed by any action other than
@@ -2162,7 +2388,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.1/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/su_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/su_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -54,7 +54,7 @@
  allow $1_su_t self:process { setsched setrlimit };
  allow $1_su_t device_t:dir search;
@@ -2172,9 +2398,18 @@
  r_dir_file($1_su_t, selinux_config_t)
  
  dontaudit $1_su_t shadow_t:file { getattr read };
+@@ -68,7 +68,7 @@
+ ')
+ 
+ # Use capabilities.
+-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
++allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ #
+ # Caused by su - init scripts
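Review bot: The capability list on `allow $1_su_t self:capability { ... audit_control audit_write };` gains audit_write with no comment naming the code path that needs it; CAP_AUDIT_WRITE is what lets a process emit its own records to the audit subsystem, so a why-comment such as `# audit_write: PAM auth/session modules report login events to auditd` would document the intent. The grant is only useful if $1_su_t is also allowed the matching netlink_audit_socket permissions elsewhere in this macro, which the hunk does not show and is worth confirming. The su_domain macro starts and ends outside the hunk.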
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.27.1/macros/program/uml_macros.te
 --- nsapolicy/macros/program/uml_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/uml_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/program/uml_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -81,7 +81,7 @@
  allow uml_net_t $1_uml_t:unix_stream_socket { read write };
  allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
@@ -2186,7 +2421,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.1/macros/user_macros.te
 --- nsapolicy/macros/user_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/user_macros.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/macros/user_macros.te	2005-10-11 11:25:21.000000000 -0400
 @@ -121,6 +121,7 @@
  # user domains.
  ifelse($1, sysadm, `',`
@@ -2197,7 +2432,7 @@
  ifdef(`lockdev.te', `lockdev_domain($1)')
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.1/Makefile
 --- nsapolicy/Makefile	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/Makefile	2005-09-27 09:59:36.000000000 -0400
++++ policy-1.27.1/Makefile	2005-10-11 11:25:22.000000000 -0400
 @@ -29,15 +29,10 @@
  VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
  PREVERS := 19
@@ -2205,13 +2440,14 @@
 +MLSENABLED := $(shell cat /selinux/mls)
  POLICYVER := policy.$(VERS)
  TOPDIR = $(DESTDIR)/etc/selinux
- TYPE=strict
+-TYPE=strict
 -ifeq ($(MLS),y)
 -TYPE=mls
 -endif
 -ifeq ($(MCS),y)
 -TYPE=mcs
 -endif
++TYPE=targeted
  
  INSTALLDIR = $(TOPDIR)/$(TYPE)
  POLICYPATH = $(INSTALLDIR)/policy
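Review bot: `TYPE=targeted` is now hard-coded in a patch that this strict package applies, so `INSTALLDIR = $(TOPDIR)/$(TYPE)` resolves to /etc/selinux/targeted unless every make invocation overrides TYPE on the command line; presumably the spec does pass `TYPE=%{type}` (the package name at the bottom of the page is built from `%{type}`), but nothing in the Makefile records that expectation. A comment on the assignment, e.g. `# Default only; the spec overrides this with "make TYPE=%{type}"`, would make the dependency explicit and avoid a silent install into the wrong policy directory if the override is ever dropped. The Makefile's variable block continues outside the hunk.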
@@ -2264,24 +2500,29 @@
  	@mv Makefile.new Makefile
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.27.1/man/man8/ftpd_selinux.8
 --- nsapolicy/man/man8/ftpd_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-09-27 09:57:41.000000000 -0400
-@@ -8,23 +8,23 @@
++++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-10-11 14:02:17.000000000 -0400
+@@ -8,23 +8,24 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
  Policy governs the access daemons have to these files. 
 -If you want to share files anonymously, you must label the files and directories ftpd_anon_t.  So if you created a special directory /var/ftp, you 
-+If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you 
- would need to label the directory with the chcon tool.
+-would need to label the directory with the chcon tool.
++If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
  .TP
 -chcon -R -t ftpd_anon_t /var/ftp
 +chcon -R -t public_content_t /var/ftp
  .TP
- If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you 
- would need to label the directory with the chcon tool.
+-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you 
+-would need to label the directory with the chcon tool.
++If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
  .TP
 -chcon -t ftpd_anon_rw_t /var/ftp/incoming
+-
 +chcon -t public_content_rw_t /var/ftp/incoming
- 
++.TP
++You must also turn on the boolean allow_ftp_anon_write.
++.TP
++setsebool -P allow_ftp_anon_write=1
  .TP
  If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
  .TP
@@ -2294,10 +2535,29 @@
  
  .SH BOOLEANS
  SELinux ftp daemon policy is customizable based on least access required.  So by 
+diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.27.1/man/man8/httpd_selinux.8
+--- nsapolicy/man/man8/httpd_selinux.8	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/man/man8/httpd_selinux.8	2005-10-11 14:02:17.000000000 -0400
+@@ -45,6 +45,15 @@
+ .SH NOTE
+ With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
+ 
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
++
++setsebool -P allow_httpd_anon_write=1
++
++or 
++
++setsebool -P allow_httpd_sys_script_anon_write=1
++
+ .SH BOOLEANS
+ SELinux policy is customizable based on least access required.  So by 
+ default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.27.1/man/man8/rsync_selinux.8
 --- nsapolicy/man/man8/rsync_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/rsync_selinux.8	2005-09-27 09:57:41.000000000 -0400
-@@ -8,16 +8,16 @@
++++ policy-1.27.1/man/man8/rsync_selinux.8	2005-10-11 14:02:17.000000000 -0400
+@@ -8,16 +8,22 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
  Policy governs the access daemons have to these files. 
@@ -2314,12 +2574,44 @@
  .br
 -/var/rsync(/.*)? system_u:object_r:ftpd_anon_t
 +/var/rsync(/.*)? system_u:object_r:public_content_t
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
++
++setsebool -P allow_rsync_anon_write=1
++
  
  .SH BOOLEANS
  .TP
+diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.27.1/man/man8/samba_selinux.8
+--- nsapolicy/man/man8/samba_selinux.8	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/man/man8/samba_selinux.8	2005-10-11 14:02:17.000000000 -0400
+@@ -20,6 +20,11 @@
+ .br
+ /var/eng(/.*)? system_u:object_r:samba_share_t
+ 
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
++
++setsebool -P allow_smb_anon_write=1
++
+ .SH BOOLEANS
+ .br 
+ SELinux policy is customizable based on least access required.  So by 
+@@ -44,6 +49,10 @@
+ service smb restart
+ .TP
+ system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
++
++
++
++
+ .SH AUTHOR	
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs
 --- nsapolicy/mcs	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/mcs	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/mcs	2005-10-11 11:25:22.000000000 -0400
 @@ -200,9 +200,23 @@
  #
  # Only files are constrained by MCS at this stage.
@@ -2347,7 +2639,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.1/net_contexts
 --- nsapolicy/net_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/net_contexts	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/net_contexts	2005-10-11 11:25:22.000000000 -0400
 @@ -50,6 +50,10 @@
  portcon tcp 53 system_u:object_r:dns_port_t
  
@@ -2370,7 +2662,7 @@
  portcon tcp 6002  system_u:object_r:xserver_port_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.27.1/targeted/appconfig/root_default_contexts
 --- nsapolicy/targeted/appconfig/root_default_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-10-11 11:25:22.000000000 -0400
 @@ -1,2 +1,6 @@
  system_r:unconfined_t	system_r:unconfined_t
  system_r:initrc_t	system_r:unconfined_t
@@ -2378,9 +2670,21 @@
 +system_r:remote_login_t system_r:unconfined_t
 +system_r:rshd_t		system_r:unconfined_t
 +system_r:crond_t	system_r:unconfined_t
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.27.1/targeted/assert.te
+--- nsapolicy/targeted/assert.te	2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/targeted/assert.te	2005-10-11 11:25:22.000000000 -0400
+@@ -22,7 +22,7 @@
+ 
+ # Confined domains must never touch an unconfined domain except to
+ # send SIGCHLD for child termination notifications.
+-neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
++neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
+ 
+ # Confined domains must never see /proc/pid entries for an unconfined domain.
+ neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
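Review bot: The widened assertion `neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;` removes the check for snmpd_t across the entire process class, while the dir assertion on the next line only exempts it for getattr/search; if snmpd_t only needs process getattr (reading per-process statistics, as the dir rule suggests), a narrower pair keeps signal, ptrace and transition permissions under assertion: `neverallow { domain -unrestricted -unconfinedtrans } unconfined_t:process ~sigchld;` followed by `neverallow snmpd_t unconfined_t:process ~{ sigchld getattr };`. The comment two lines above still states that confined domains may only send SIGCHLD and should now list the exemptions, e.g. `# Exceptions: unconfinedtrans domains (presumably those allowed to transition to unconfined_t) and snmpd_t.`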
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te
 --- nsapolicy/targeted/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/ssh.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/ssh.te	2005-10-11 11:25:22.000000000 -0400
 @@ -17,3 +17,6 @@
  type sshd_key_t, file_type, sysadmfile;
  type sshd_var_run_t, file_type, sysadmfile;
@@ -2390,7 +2694,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.1/targeted/domains/program/xdm.te
 --- nsapolicy/targeted/domains/program/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/xdm.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/xdm.te	2005-10-11 11:25:22.000000000 -0400
 @@ -20,3 +20,7 @@
  type xdm_tmp_t, file_type, sysadmfile;
  domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
@@ -2401,7 +2705,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.1/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/unconfined.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/targeted/domains/unconfined.te	2005-10-11 11:25:22.000000000 -0400
 @@ -63,6 +63,7 @@
  bool use_samba_home_dirs false;
  
@@ -2430,7 +2734,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.1/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/tunables/distro.tun	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/tunables/distro.tun	2005-10-11 11:25:22.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -2442,7 +2746,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.1/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/tunables/tunable.tun	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/tunables/tunable.tun	2005-10-11 11:25:22.000000000 -0400
 @@ -1,5 +1,5 @@
  # Allow rpm to run unconfined.
 -dnl define(`unlimitedRPM')
@@ -2461,7 +2765,7 @@
  # Otherwise, only staff_r can do so.
 diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.27.1/types/devpts.te
 --- nsapolicy/types/devpts.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/devpts.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/types/devpts.te	2005-10-11 11:25:22.000000000 -0400
 @@ -18,4 +18,6 @@
  #
  type devpts_t, mount_point, fs_type;
@@ -2472,7 +2776,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te
 --- nsapolicy/types/file.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/file.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/types/file.te	2005-10-11 11:25:22.000000000 -0400
 @@ -307,8 +307,7 @@
  type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
  allow hugetlbfs_t self:filesystem associate;
@@ -2514,7 +2818,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te
 --- nsapolicy/types/network.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/network.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/types/network.te	2005-10-11 11:25:22.000000000 -0400
 @@ -18,7 +18,7 @@
  type dhcpd_port_t, port_type, reserved_port_type;
  type smbd_port_t, port_type, reserved_port_type;
@@ -2560,7 +2864,7 @@
  type rsync_port_t, port_type, reserved_port_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te
 --- nsapolicy/types/security.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/security.te	2005-09-27 09:57:41.000000000 -0400
++++ policy-1.27.1/types/security.te	2005-10-11 11:25:22.000000000 -0400
 @@ -13,12 +13,17 @@
  # applied to selinuxfs inodes.
  #


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/selinux-policy-strict.spec,v
retrieving revision 1.320
retrieving revision 1.321
diff -u -r1.320 -r1.321
--- selinux-policy-strict.spec	27 Sep 2005 13:45:02 -0000	1.320
+++ selinux-policy-strict.spec	11 Oct 2005 20:18:17 -0000	1.321
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.27.1
-Release: 2.3
+Release: 2.5
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -229,6 +229,10 @@
 exit 0
 
 %changelog
+* Tue Oct 11 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.5
+- Update Amanda, pegusus, ftpd, apache to match upstream version
+- Update Bluetooth, rsync
+
 * Tue Sep 27 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.3
 - Fixes for postfix, amanda, bluetooth
 - Merge in changes from Rawhide.



