rpms/selinux-policy-strict/FC-4 policy-20050916.patch, 1.8, 1.9 selinux-policy-strict.spec, 1.325, 1.326

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Oct 20 12:58:54 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv14828

Modified Files:
	policy-20050916.patch selinux-policy-strict.spec 
Log Message:
* Wed Oct 19 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.9
- Fix mysql
- Add spamd.te


policy-20050916.patch:
 Makefile                                 |   24 +-
 attrib.te                                |   96 ++++++++++-
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    2 
 domains/program/fsadm.te                 |    7 
 domains/program/hostname.te              |    2 
 domains/program/ifconfig.te              |    5 
 domains/program/initrc.te                |   20 ++
 domains/program/ldconfig.te              |    3 
 domains/program/load_policy.te           |    7 
 domains/program/login.te                 |   21 +-
 domains/program/modutil.te               |   14 -
 domains/program/mount.te                 |    6 
 domains/program/netutils.te              |    3 
 domains/program/newrole.te               |    4 
 domains/program/passwd.te                |    1 
 domains/program/restorecon.te            |    3 
 domains/program/setfiles.te              |    4 
 domains/program/ssh.te                   |    6 
 domains/program/su.te                    |    9 +
 domains/program/syslogd.te               |    6 
 domains/program/unused/NetworkManager.te |    8 
 domains/program/unused/alsa.te           |    2 
 domains/program/unused/amanda.te         |   74 ++------
 domains/program/unused/anaconda.te       |    5 
 domains/program/unused/apache.te         |   22 +-
 domains/program/unused/apmd.te           |   19 ++
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/automount.te      |    4 
 domains/program/unused/bluetooth.te      |   72 ++++++++
 domains/program/unused/cups.te           |   18 +-
 domains/program/unused/cvs.te            |    3 
 domains/program/unused/cyrus.te          |    2 
 domains/program/unused/dbusd.te          |    4 
 domains/program/unused/dcc.te            |    5 
 domains/program/unused/dhcpc.te          |    7 
 domains/program/unused/dhcpd.te          |    3 
 domains/program/unused/dovecot.te        |    4 
 domains/program/unused/ftpd.te           |    6 
 domains/program/unused/hald.te           |    5 
 domains/program/unused/hotplug.te        |    5 
 domains/program/unused/hwclock.te        |    2 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    5 
 domains/program/unused/mta.te            |    8 
 domains/program/unused/mysqld.te         |   10 -
 domains/program/unused/named.te          |   29 ++-
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |   10 -
 domains/program/unused/openct.te         |   16 +
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   37 ++++
 domains/program/unused/ping.te           |    3 
 domains/program/unused/postfix.te        |   57 ++++--
 domains/program/unused/pppd.te           |    8 
 domains/program/unused/procmail.te       |   11 +
 domains/program/unused/readahead.te      |   21 ++
 domains/program/unused/rlogind.te        |    4 
 domains/program/unused/roundup.te        |   29 +++
 domains/program/unused/rpcd.te           |   18 +-
 domains/program/unused/rsync.te          |    3 
 domains/program/unused/samba.te          |   12 +
 domains/program/unused/snmpd.te          |    6 
 domains/program/unused/squid.te          |    3 
 domains/program/unused/udev.te           |   10 -
 domains/program/unused/utempter.te       |    2 
 domains/program/unused/webalizer.te      |    3 
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 
 domains/program/unused/yppasswdd.te      |   40 ++++
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    5 
 file_contexts/distros.fc                 |    2 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/bluetooth.fc       |    3 
 file_contexts/program/dhcpc.fc           |    2 
 file_contexts/program/dhcpd.fc           |    5 
 file_contexts/program/ftpd.fc            |    5 
 file_contexts/program/games.fc           |   11 -
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |   11 +
 file_contexts/program/pppd.fc            |    2 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/rpm.fc             |    4 
 file_contexts/program/rshd.fc            |    1 
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/squid.fc           |    3 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    4 
 genfs_contexts                           |    3 
 macros/base_user_macros.te               |    6 
 macros/core_macros.te                    |    3 
 macros/global_macros.te                  |   18 +-
 macros/network_macros.te                 |   17 +
 macros/program/apache_macros.te          |   13 +
 macros/program/bonobo_macros.te          |    2 
 macros/program/cdrecord_macros.te        |    2 
 macros/program/crontab_macros.te         |    2 
 macros/program/dbusd_macros.te           |    4 
 macros/program/gconf_macros.te           |    2 
 macros/program/gift_macros.te            |    2 
 macros/program/gpg_macros.te             |    2 
 macros/program/i18n_input_macros.te      |   21 ++
 macros/program/lpr_macros.te             |    2 
 macros/program/mta_macros.te             |    4 
 macros/program/newrole_macros.te         |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/su_macros.te              |    4 
 macros/program/uml_macros.te             |    2 
 macros/program/xdm_macros.te             |    2 
 macros/user_macros.te                    |    6 
 man/man8/ftpd_selinux.8                  |   19 +-
 man/man8/httpd_selinux.8                 |    9 +
 man/man8/rsync_selinux.8                 |   12 +
 man/man8/samba_selinux.8                 |    9 +
 mcs                                      |  210 +++++++++---------------
 mls                                      |  270 +++++++++++--------------------
 net_contexts                             |    8 
 targeted/appconfig/root_default_contexts |    4 
 targeted/assert.te                       |    2 
 targeted/domains/program/ssh.te          |    3 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |   15 +
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/device.te                          |    4 
 types/devpts.te                          |    4 
 types/file.te                            |   18 +-
 types/network.te                         |   13 -
 types/security.te                        |    5 
 135 files changed, 1108 insertions(+), 575 deletions(-)

Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/policy-20050916.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20050916.patch	18 Oct 2005 18:25:42 -0000	1.8
+++ policy-20050916.patch	20 Oct 2005 12:58:50 -0000	1.9
@@ -1,57 +1,145 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.27.1/attrib.te
 --- nsapolicy/attrib.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/attrib.te	2005-10-17 15:43:08.000000000 -0400
-@@ -17,17 +17,49 @@
++++ policy-1.27.1/attrib.te	2005-10-20 08:55:14.000000000 -0400
+@@ -8,51 +8,130 @@
+ # explicitly declared here, and can then be associated with particular
+ # types in type declarations.  Attribute names can then be used throughout 
+ # the configuration to express the set of types that are associated with 
+-# the attribute.  Except for the MLS attributes, attributes have no implicit
+-# meaning to SELinux.  The meaning of all other attributes are completely 
+-# defined through their usage within the configuration, but should be 
+-# documented here as comments preceding the attribute declaration.  
++# the attribute.  Attributes have no implicit meaning to SELinux.  The
++# meaning of all attributes are completely defined through their
++# usage within the configuration, but should be documented here as
++# comments preceding the attribute declaration.  
+ 
+ #####################
  # Attributes for MLS:
  #
  
-+# Read files and search directories that have a classification higher than
-+# subject clearance
- attribute mlsfileread;
++# Common Terminology
++# 	MLS Range: low-high
++#		low referred to as "Effective Sensitivity Label (SL)"
++#		high referred to as "Clearance SL"
 +
-+# Read files and search directories with a classification higher than the
-+# effective clearance but not higher than the clearance
- attribute mlsfilereadtoclr;
 +
-+# Write files and directories in situations where MLS normally denies writes
++#
++# File System MLS attributes/privileges
++#
++# Grant MLS read access to files not dominated by the process Effective SL
+ attribute mlsfileread;
++# Grant MLS read access to files which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsfilereadtoclr;
++# Grant MLS write access to files not equal to the Effective SL
  attribute mlsfilewrite;
-+
-+# Write files and directories where clearance of the subject dominates the
-+# classification of the file/dir and the classification of the file/dir
-+# dominates the effective clearance of the subject.
++# Grant MLS write access to files which dominate the process Effective SL
++# and are dominated by the process Clearance SL
  attribute mlsfilewritetoclr;
-+
-+# Increase the classification and/or effective classification of the object
-+# regardless of the clearance of the subject.
++# Grant MLS ability to change file label to a new label which dominates
++# the old label  
  attribute mlsfileupgrade;
-+
-+# Decrease the classification and/or effective classification of the object
-+# regardless of the clearance of the subject.  NB An new label with an
-+# incomparable effective classification and an equal classification is
-+# considered a downgrade as is an incomparable classification
++# Grant MLS ability to change file label to a new label which is
++# dominated by or incomparable to the old label
  attribute mlsfiledowngrade;
  
-+# Read network data with a lower effective classification than the effective
-+# clearance of the process
++#
++# Network MLS attributes/privileges
++#
++# Grant MLS read access to packets not dominated by the process Effective SL
  attribute mlsnetread;
-+
-+# Read network data with a lower effective classification than the effective
-+# clearance of the process when the classification of the process is higher
++# Grant MLS read access to packets which dominate the process Effective SL
++# and are dominated by the process Clearance SL
  attribute mlsnetreadtoclr;
-+
-+# Write network data with a higher effective classification or with a
-+# classification higher than the clearance of the subject
++# Grant MLS write access to packets not equal to the Effective SL
  attribute mlsnetwrite;
-+
-+# Write network data where the clearance of the process dominates the
-+# effective classification of the data and the effective classification of
-+# the data dominates the effective clearance of the subject.
++# Grant MLS write access to packets which dominate the Effective SL
++# and are dominated by the process Clearance SL
  attribute mlsnetwritetoclr;
-+
++# Grant MLS read access to packets from hosts or interfaces which dominate
++# or incomparable to the process Effective SL
++attribute mlsnetrecvall;
++# Grant MLS ability to change socket label to a new label which dominates
++# the old label  
  attribute mlsnetupgrade;
++# Grant MLS ability to change socket label to a new label which is
++# dominated by or incomparable to the old label
  attribute mlsnetdowngrade;
- attribute mlsnetrecvall;
-@@ -443,6 +475,9 @@
+-attribute mlsnetrecvall;
+ 
++#
++# IPC MLS attributes/privileges
++#
++# Grant MLS read access to IPC objects not dominated by the process Effective SL
+ attribute mlsipcread;
++# Grant MLS read access to IPC objects which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsipcreadtoclr;
++# Grant MLS write access to IPC objects not equal to the process Effective SL
+ attribute mlsipcwrite;
++# Grant MLS write access to IPC objects which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsipcwritetoclr;
+ 
++#
++# Process MLS attributes/privileges
++#
++# Grant MLS read access to processes not dominated by the process Effective SL
+ attribute mlsprocread;
++# Grant MLS read access to processes which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsprocreadtoclr;
++# Grant MLS write access to processes not equal to the Effective SL
+ attribute mlsprocwrite;
++# Grant MLS write access to processes which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsprocwritetoclr;
++# Grant MLS ability to change Effective SL or Clearance SL of process to a
++# label dominated by the Clearance SL
+ attribute mlsprocsetsl;
+ 
++#
++# X Window MLS attributes/privileges
++#
++# Grant MLS read access to X objects not dominated by the process Effective SL
+ attribute mlsxwinread;
++# Grant MLS read access to X objects which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsxwinreadtoclr;
++# Grant MLS write access to X objects not equal to the process Effective SL
+ attribute mlsxwinwrite;
++# Grant MLS write access to X objects which dominate the process Effective SL
++# and are dominated by the process Clearance SL
+ attribute mlsxwinwritetoclr;
+-attribute mlsxwinupgrade;
+-attribute mlsxwindowngrade;
++# Grant MLS read access to X properties not dominated by
++# the process Effective SL
++attribute mlsxwinreadproperty;
++# Grant MLS write access to X properties not equal to the process Effective SL
++attribute mlsxwinwriteproperty;
++# Grant MLS read access to X colormaps not dominated by
++# the process Effective SL
++attribute mlsxwinreadcolormap;
++# Grant MLS write access to X colormaps not equal to the process Effective SL
++attribute mlsxwinwritecolormap;
++# Grant MLS write access to X xinputs not equal to the process Effective SL
++attribute mlsxwinwritexinput;
+ 
++# Grant MLS read/write access to objects which internally arbitrate MLS
+ attribute mlstrustedobject;
+ 
++#
++# Both of the following attributes are needed for a range transition to succeed
++#
++# Grant ability for the current domain to change SL upon process transition
+ attribute privrangetrans;
++# Grant ability for the new process domain to change SL upon process transition
+ attribute mlsrangetrans;
+ 
+ #########################
+@@ -443,6 +522,9 @@
  # Attribute to designate unrestricted access
  attribute unrestricted;
  
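Review bot: The rewritten header in attrib.te now states that attributes have no implicit meaning to SELinux, so each "Grant MLS ..." comment added in this hunk is only accurate while the constraints elsewhere in the policy agree with it, and nothing here points the reader to them. I would add a line under the "Attributes for MLS" banner such as `# The privileges described below are defined by the constraints in the mls file; change both together.` (the diffstat shows mls changing in the same patch, so I assume that is where they live). The hunk also drops `mlsxwinupgrade` and `mlsxwindowngrade`, so any type declaration or constraint still naming them would stop compiling; that needs checking against parts of the policy not shown here. One wording fix in the `mlsnetrecvall` comment: "which dominate or are incomparable to".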
@@ -63,7 +151,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.1/domains/misc/kernel.te
 --- nsapolicy/domains/misc/kernel.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/misc/kernel.te	2005-10-17 15:48:01.000000000 -0400
++++ policy-1.27.1/domains/misc/kernel.te	2005-10-19 09:24:25.000000000 -0400
 @@ -30,7 +30,7 @@
  
  ifdef(`mls_policy', `
@@ -75,7 +163,7 @@
  # Share state with the init process.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/crond.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/crond.te	2005-10-19 09:24:25.000000000 -0400
 @@ -106,7 +106,7 @@
  
  # Inherit and use descriptors from initrc for anacron.
@@ -87,7 +175,7 @@
  allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/fsadm.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/fsadm.te	2005-10-19 09:24:25.000000000 -0400
 @@ -102,10 +102,10 @@
  allow fsadm_t kernel_t:system syslog_console;
  
@@ -110,7 +198,7 @@
 +allow fsadm_t file_type:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.27.1/domains/program/hostname.te
 --- nsapolicy/domains/program/hostname.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/hostname.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/hostname.te	2005-10-19 09:24:25.000000000 -0400
 @@ -24,5 +24,5 @@
  ifdef(`distro_redhat', `
  allow hostname_t tmpfs_t:chr_file rw_file_perms;
@@ -120,7 +208,7 @@
  allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ifconfig.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/ifconfig.te	2005-10-19 09:24:25.000000000 -0400
 @@ -52,7 +52,8 @@
  allow ifconfig_t self:udp_socket create_socket_perms;
  
@@ -142,7 +230,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/initrc.te	2005-10-18 14:19:49.000000000 -0400
++++ policy-1.27.1/domains/program/initrc.te	2005-10-19 09:24:25.000000000 -0400
 @@ -56,6 +56,10 @@
  can_create_pty(initrc)
  
@@ -183,7 +271,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
 --- nsapolicy/domains/program/ldconfig.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ldconfig.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/ldconfig.te	2005-10-19 09:24:25.000000000 -0400
 @@ -16,7 +16,8 @@
  
  domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
@@ -196,7 +284,7 @@
  uses_shlib(ldconfig_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.27.1/domains/program/load_policy.te
 --- nsapolicy/domains/program/load_policy.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/load_policy.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/load_policy.te	2005-10-19 09:24:25.000000000 -0400
 @@ -45,11 +45,12 @@
  allow load_policy_t root_t:dir search;
  allow load_policy_t etc_t:dir search;
@@ -215,7 +303,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
 --- nsapolicy/domains/program/login.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/login.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/login.te	2005-10-19 09:24:25.000000000 -0400
 @@ -62,6 +62,11 @@
  
  ifdef(`pamconsole.te', `
@@ -267,7 +355,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
 --- nsapolicy/domains/program/modutil.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/modutil.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/modutil.te	2005-10-19 09:24:25.000000000 -0400
 @@ -59,7 +59,8 @@
  allow depmod_t modules_object_t:file unlink;
  
@@ -320,7 +408,7 @@
  allow update_modules_t urandom_device_t:chr_file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.27.1/domains/program/mount.te
 --- nsapolicy/domains/program/mount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/mount.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/mount.te	2005-10-19 09:24:25.000000000 -0400
 @@ -16,13 +16,14 @@
  role sysadm_r types mount_t;
  role system_r types mount_t;
@@ -346,7 +434,7 @@
  allow mount_t proc_t:lnk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.27.1/domains/program/netutils.te
 --- nsapolicy/domains/program/netutils.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/netutils.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/netutils.te	2005-10-19 09:24:25.000000000 -0400
 @@ -55,7 +55,8 @@
  
  # Access terminals.
@@ -359,7 +447,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.27.1/domains/program/newrole.te
 --- nsapolicy/domains/program/newrole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/newrole.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/newrole.te	2005-10-19 09:24:25.000000000 -0400
 @@ -18,3 +18,7 @@
  allow newrole_t initrc_var_run_t:file rw_file_perms;
  
@@ -370,7 +458,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.27.1/domains/program/passwd.te
 --- nsapolicy/domains/program/passwd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/passwd.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/passwd.te	2005-10-19 09:24:25.000000000 -0400
 @@ -153,5 +153,4 @@
  
  ifdef(`targeted_policy', `
@@ -379,7 +467,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/restorecon.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/restorecon.te	2005-10-19 09:24:25.000000000 -0400
 @@ -19,7 +19,7 @@
  role sysadm_r types restorecon_t;
  role secadm_r types restorecon_t;
@@ -396,7 +484,7 @@
 +allow restorecon_t autofs_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
 --- nsapolicy/domains/program/setfiles.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/setfiles.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/setfiles.te	2005-10-19 09:24:25.000000000 -0400
 @@ -12,7 +12,7 @@
  #
  # needs auth_write attribute because it has relabelfrom/relabelto
@@ -417,7 +505,7 @@
  allow setfiles_t self:unix_dgram_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
 --- nsapolicy/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/ssh.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/ssh.te	2005-10-19 09:24:25.000000000 -0400
 @@ -153,6 +153,7 @@
  #
  sshd_program_domain(sshd)
@@ -444,7 +532,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
 --- nsapolicy/domains/program/su.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/su.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/su.te	2005-10-19 09:24:25.000000000 -0400
 @@ -12,3 +12,12 @@
  
  # Everything else is in the su_domain macro in
@@ -460,7 +548,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.1/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/syslogd.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/syslogd.te	2005-10-19 09:24:25.000000000 -0400
 @@ -14,9 +14,9 @@
  # by syslogd.
  #
@@ -484,7 +572,7 @@
  allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/alsa.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/alsa.te	2005-10-19 09:26:00.000000000 -0400
 @@ -11,6 +11,8 @@
  allow alsa_t self:unix_stream_socket create_stream_socket_perms;
  allow alsa_t self:unix_dgram_socket create_socket_perms;
@@ -496,7 +584,7 @@
  allow alsa_t self:capability { setgid setuid ipc_owner };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/amanda.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/amanda.te	2005-10-19 09:26:00.000000000 -0400
 @@ -84,7 +84,6 @@
  
  # configuration files -> read only
@@ -658,7 +746,7 @@
 +allow amanda_t file_type:fifo_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
 --- nsapolicy/domains/program/unused/anaconda.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/anaconda.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/anaconda.te	2005-10-19 09:26:00.000000000 -0400
 @@ -17,11 +17,6 @@
  role system_r types ldconfig_t;
  domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
@@ -673,7 +761,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apache.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apache.te	2005-10-19 09:26:00.000000000 -0400
 @@ -113,9 +113,12 @@
  can_network_server(httpd_t)
  can_kerberos(httpd_t)
@@ -737,7 +825,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apmd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apmd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -47,6 +47,7 @@
  
  # acpid also has a logfile
@@ -746,7 +834,7 @@
  
  ifdef(`distro_suse', `
  var_lib_domain(apmd)
-@@ -140,3 +141,15 @@
+@@ -140,3 +141,21 @@
  allow apmd_t user_tty_type:chr_file rw_file_perms;
  # Access /dev/apm_bios.
  allow initrc_t apm_bios_t:chr_file { setattr getattr read };
@@ -762,9 +850,15 @@
 +unconfined_domain(apmd_t)
 +')
 +
++ifdef(`NetworkManager.te', `
++ifdef(`dbusd.te', `
++allow apmd_t NetworkManager_t:dbus send_msg;
++allow NetworkManager_t apmd_t:dbus send_msg;
++')
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/auditd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/auditd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -65,3 +65,5 @@
  allow auditctl_t privfd:fd use;
  
@@ -773,7 +867,7 @@
 +can_exec(auditd_t, sbin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
 --- nsapolicy/domains/program/unused/automount.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/automount.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/automount.te	2005-10-19 09:26:00.000000000 -0400
 @@ -34,7 +34,9 @@
  can_exec(automount_t, { etc_t automount_etc_t })
  
@@ -799,7 +893,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-10-19 09:26:00.000000000 -0400
 @@ -11,16 +11,23 @@
  daemon_domain(bluetooth)
  
@@ -902,7 +996,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cups.te	2005-10-19 09:26:00.000000000 -0400
 @@ -188,6 +188,7 @@
  # Uses networking to talk to the daemons
  allow hplip_t self:unix_dgram_socket create_socket_perms;
@@ -967,7 +1061,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.27.1/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cvs.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cvs.te	2005-10-19 09:26:00.000000000 -0400
 @@ -23,6 +23,9 @@
  allow cvs_t etc_runtime_t:file { getattr read };
  allow system_mail_t cvs_data_t:file { getattr read };
@@ -980,7 +1074,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cyrus.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cyrus.te	2005-10-19 09:26:00.000000000 -0400
 @@ -42,7 +42,7 @@
  create_dir_file(cyrus_t, mail_spool_t)
  allow cyrus_t var_spool_t:dir search;
@@ -992,7 +1086,7 @@
  allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dbusd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dbusd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -12,7 +12,7 @@
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -1010,7 +1104,7 @@
 +allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dcc.te policy-1.27.1/domains/program/unused/dcc.te
 --- nsapolicy/domains/program/unused/dcc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dcc.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dcc.te	2005-10-19 09:26:00.000000000 -0400
 @@ -200,9 +200,8 @@
  can_exec_any(dcc_script_t)
  dcc_common(dcc_script)
@@ -1025,7 +1119,7 @@
  # the dcc user (even though the default dcc user is root).
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpc.te	2005-10-20 08:56:04.000000000 -0400
 @@ -120,6 +120,7 @@
  allow dhcpc_t self:packet_socket create_socket_perms;
  allow dhcpc_t var_lib_t:dir search;
@@ -1050,16 +1144,18 @@
  ')
  ifdef(`ntpd.te', `
  domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
-@@ -161,5 +162,5 @@
+@@ -161,5 +162,7 @@
  ifdef(`unconfined.te', `
  allow unconfined_t dhcpc_t:dbus send_msg;
  allow dhcpc_t unconfined_t:dbus send_msg;
 -')dnl end ifdef unconfined.te
-+')
  ')
++')
++ifdef(`netutils.te', `domain_auto_trans(dhcpd_t, netutils_exec_t, netutils_t)')
++allow dhcpc_t locale_t:file write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.1/domains/program/unused/dhcpd.te
 --- nsapolicy/domains/program/unused/dhcpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -17,8 +17,6 @@
  #
  daemon_domain(dhcpd, `, nscd_client_domain')
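Review bot: The added `domain_auto_trans(dhcpd_t, netutils_exec_t, netutils_t)` at the end of the dhcpc.te section names the server domain `dhcpd_t`, while the surrounding visible rules in this file are all for the client domain `dhcpc_t`, so this looks like a typo. If it is, the client never gets the netutils transition and the DHCP server domain gains one it was not meant to have; the inner call should then read `domain_auto_trans(dhcpc_t, netutils_exec_t, netutils_t)`. The next added line, `allow dhcpc_t locale_t:file write;`, gives a network-facing domain write access to every file labelled `locale_t` with no comment saying which file needs it. A one-line comment naming that file (presumably a timezone file updated from a DHCP option, to be confirmed) would help, and a dedicated type for that file would be narrower than write on all of `locale_t`.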
@@ -1079,7 +1175,7 @@
  allow dhcpd_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
 --- nsapolicy/domains/program/unused/dovecot.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dovecot.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dovecot.te	2005-10-19 09:26:00.000000000 -0400
 @@ -43,7 +43,9 @@
  can_kerberos(dovecot_t)
  
@@ -1093,7 +1189,7 @@
  allow dovecot_t mail_spool_t:lnk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.1/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ftpd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ftpd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -99,9 +99,11 @@
  
  if (ftp_home_dir) {
@@ -1110,7 +1206,7 @@
  	r_dir_file(ftpd_t, nfs_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.1/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hald.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hald.te	2005-10-19 09:26:00.000000000 -0400
 @@ -24,7 +24,8 @@
  allow hald_t self:dbus send_msg;
  ')
@@ -1129,7 +1225,7 @@
 +r_dir_file(hald_t, hwdata_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hotplug.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hotplug.te	2005-10-19 09:26:00.000000000 -0400
 @@ -11,9 +11,9 @@
  # hotplug_exec_t is the type of the hotplug executable.
  #
@@ -1152,7 +1248,7 @@
  allow hotplug_t printer_device_t:chr_file setattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hwclock.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hwclock.te	2005-10-19 09:26:00.000000000 -0400
 @@ -21,7 +21,6 @@
  domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
  ')
@@ -1168,7 +1264,7 @@
 +r_dir_file(hwclock_t, etc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.1/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ipsec.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ipsec.te	2005-10-19 09:26:00.000000000 -0400
 @@ -219,7 +219,7 @@
  dontaudit ipsec_mgmt_t selinux_config_t:dir search;
  dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -1180,7 +1276,7 @@
  allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/kudzu.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/kudzu.te	2005-10-19 09:26:00.000000000 -0400
 @@ -20,7 +20,7 @@
  allow kudzu_t ramfs_t:dir search;
  allow kudzu_t ramfs_t:sock_file write;
@@ -1209,7 +1305,7 @@
  allow kudzu_t initrc_t:unix_stream_socket connectto;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mta.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mta.te	2005-10-19 09:26:00.000000000 -0400
 @@ -31,6 +31,10 @@
  create_dir_file(system_mail_t, mail_spool_t)
  allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
@@ -1231,7 +1327,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mysqld.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mysqld.te	2005-10-19 09:26:00.000000000 -0400
 @@ -12,7 +12,7 @@
  #
  daemon_domain(mysqld, `, nscd_client_domain')
@@ -1241,6 +1337,17 @@
  
  allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
  
+@@ -33,8 +33,8 @@
+ 
+ allow initrc_t mysqld_log_t:file { write append setattr ioctl };
+ 
+-allow mysqld_t self:capability { dac_override setgid setuid net_bind_service };
+-allow mysqld_t self:process { setsched getsched };
++allow mysqld_t self:capability { dac_override setgid setuid net_bind_service sys_resource };
++allow mysqld_t self:process { setrlimit setsched getsched };
+ 
+ allow mysqld_t proc_t:file { getattr read };
+ 
 @@ -42,7 +42,7 @@
  create_dir_file(mysqld_t, mysqld_db_t)
  allow mysqld_t var_lib_t:dir { getattr search };
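Review bot: The two rewritten `allow mysqld_t self:` rules in the added `@@ -33,8 +33,8 @@` inner hunk grant `sys_resource` and `setrlimit` with no comment saying what mysqld does that needs them. `setrlimit` only lets the daemon adjust its limits up to the hard limit, whereas `sys_resource` also lets it exceed hard limits and bypass disk-quota and reserved-block restrictions, so it is the wider grant and deserves a justification. I would add a line above them such as `# mysqld raises its own resource limits at startup; sys_resource is needed to exceed the hard limit`, once the denial that prompted the change is confirmed. If `setrlimit` alone clears the AVC, `sys_resource` should be dropped from the capability set.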
@@ -1261,7 +1368,7 @@
 -allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.1/domains/program/unused/named.te
 --- nsapolicy/domains/program/unused/named.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/named.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/named.te	2005-10-19 09:26:00.000000000 -0400
 @@ -36,7 +36,7 @@
  allow named_t self:process { setsched setcap setrlimit };
  
@@ -1323,7 +1430,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/NetworkManager.te	2005-10-19 09:26:00.000000000 -0400
 @@ -11,7 +11,7 @@
  # NetworkManager_t is the domain for the NetworkManager daemon. 
  # NetworkManager_exec_t is the type of the NetworkManager executable.
@@ -1345,7 +1452,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.1/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/nscd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/nscd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -76,3 +76,4 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
@@ -1353,7 +1460,7 @@
 +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ntpd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ntpd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -26,11 +26,11 @@
  # for SSP
  allow ntpd_t urandom_device_t:chr_file { getattr read };
@@ -1381,7 +1488,7 @@
  can_exec(ntpd_t, initrc_exec_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
 --- nsapolicy/domains/program/unused/openct.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/openct.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/openct.te	2005-10-19 09:26:00.000000000 -0400
 @@ -0,0 +1,16 @@
 +#DESC openct - read files in page cache 
 +#
@@ -1401,7 +1508,7 @@
 +allow openct_t etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
 --- nsapolicy/domains/program/unused/pamconsole.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pamconsole.te	2005-10-19 09:26:00.000000000 -0400
 @@ -25,6 +25,7 @@
  # for /var/run/console.lock checking
  allow pam_console_t { var_t var_run_t }:dir search;
@@ -1417,7 +1524,7 @@
 +nsswitch_domain(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te
 --- nsapolicy/domains/program/unused/pegasus.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/pegasus.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pegasus.te	2005-10-19 09:26:00.000000000 -0400
 @@ -0,0 +1,37 @@
 +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server 
 +#
@@ -1458,7 +1565,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.1/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ping.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ping.te	2005-10-19 09:26:00.000000000 -0400
 @@ -37,6 +37,7 @@
  uses_shlib(ping_t)
  can_network_client(ping_t)
@@ -1477,7 +1584,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
 --- nsapolicy/domains/program/unused/postfix.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postfix.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/postfix.te	2005-10-19 09:26:00.000000000 -0400
 @@ -54,6 +54,8 @@
  allow postfix_$1_t proc_net_t:dir search;
  allow postfix_$1_t proc_net_t:file { getattr read };
@@ -1663,7 +1770,7 @@
 -allow postfix_local_t mail_spool_t:file { unlink };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pppd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
@@ -1706,7 +1813,7 @@
 +allow pppd_t initrc_t:process noatsecure;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/procmail.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/procmail.te	2005-10-19 09:26:00.000000000 -0400
 @@ -19,8 +19,7 @@
  uses_shlib(procmail_t)
  allow procmail_t device_t:dir search;
@@ -1734,7 +1841,7 @@
  # Search /var/run.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te
 --- nsapolicy/domains/program/unused/readahead.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/readahead.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/readahead.te	2005-10-19 09:26:00.000000000 -0400
 @@ -0,0 +1,21 @@
 +#DESC readahead - read files in page cache 
 +#
@@ -1759,7 +1866,7 @@
 +dontaudit readahead_t device_type:blk_file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.27.1/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rlogind.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rlogind.te	2005-10-19 09:26:00.000000000 -0400
 @@ -35,4 +35,6 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
@@ -1770,7 +1877,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te
 --- nsapolicy/domains/program/unused/roundup.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/roundup.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/roundup.te	2005-10-19 09:26:00.000000000 -0400
 @@ -0,0 +1,29 @@
 +# Roundup Issue Tracking System
 +#
@@ -1803,7 +1910,7 @@
 +allow roundup_t etc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.1/domains/program/unused/rpcd.te
 --- nsapolicy/domains/program/unused/rpcd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpcd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpcd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -19,7 +19,7 @@
  can_network($1_t)
  allow $1_t port_type:tcp_socket name_connect;
@@ -1837,7 +1944,7 @@
 +}
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.1/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rsync.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rsync.te	2005-10-19 09:26:00.000000000 -0400
 @@ -15,5 +15,4 @@
  type rsync_data_t, file_type, sysadmfile;
  r_dir_file(rsync_t, rsync_data_t)
@@ -1847,7 +1954,7 @@
 +allow rsync_t self:capability sys_chroot;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/samba.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/samba.te	2005-10-19 09:26:00.000000000 -0400
 @@ -25,6 +25,9 @@
  # not sure why it needs this
  tmp_domain(smbd)
@@ -1884,7 +1991,7 @@
  # Access Samba shares.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
 --- nsapolicy/domains/program/unused/snmpd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/snmpd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/snmpd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -22,8 +22,9 @@
  
  # for the .index file
@@ -1914,7 +2021,7 @@
  dontaudit snmpd_t selinux_config_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/squid.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/squid.te	2005-10-19 09:26:00.000000000 -0400
 @@ -60,7 +60,7 @@
  can_tcp_connect(web_client_domain, squid_t)
  
@@ -1932,7 +2039,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/udev.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/udev.te	2005-10-19 09:26:00.000000000 -0400
 @@ -28,12 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -1964,7 +2071,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.27.1/domains/program/unused/utempter.te
 --- nsapolicy/domains/program/unused/utempter.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/utempter.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/utempter.te	2005-10-19 09:26:00.000000000 -0400
 @@ -19,6 +19,8 @@
  type utempter_exec_t, file_type, sysadmfile, exec_type;
  domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
@@ -1976,7 +2083,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.1/domains/program/unused/webalizer.te
 --- nsapolicy/domains/program/unused/webalizer.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/webalizer.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/webalizer.te	2005-10-19 09:26:00.000000000 -0400
 @@ -20,6 +20,9 @@
  #read apache log
  allow webalizer_t var_log_t:dir r_dir_perms;
@@ -1989,7 +2096,7 @@
  var_lib_domain(webalizer)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/winbind.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/winbind.te	2005-10-19 09:26:00.000000000 -0400
 @@ -44,6 +44,7 @@
  r_dir_file(winbind_t, samba_etc_t)
  allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
@@ -2000,7 +2107,7 @@
  allow winbind_helper_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/xdm.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/xdm.te	2005-10-19 09:26:00.000000000 -0400
 @@ -371,3 +371,6 @@
  dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
  
@@ -2010,7 +2117,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.1/domains/program/unused/yppasswdd.te
 --- nsapolicy/domains/program/unused/yppasswdd.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/yppasswdd.te	2005-10-19 09:26:00.000000000 -0400
 @@ -0,0 +1,40 @@
 +#DESC yppassdd - NIS password update daemon
 +#
@@ -2054,7 +2161,7 @@
 +rw_dir_create_file(yppasswdd_t, var_yp_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.1/domains/program/unused/ypserv.te
 --- nsapolicy/domains/program/unused/ypserv.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ypserv.te	2005-10-18 14:20:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ypserv.te	2005-10-19 09:26:00.000000000 -0400
 @@ -39,3 +39,4 @@
  ')
  allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
@@ -2062,7 +2169,7 @@
 +can_exec(ypserv_t, bin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.27.1/domains/program/useradd.te
 --- nsapolicy/domains/program/useradd.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/useradd.te	2005-10-17 15:45:51.000000000 -0400
++++ policy-1.27.1/domains/program/useradd.te	2005-10-19 09:24:26.000000000 -0400
 @@ -55,7 +55,6 @@
  # useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
  # but will operate without them.
@@ -2086,7 +2193,7 @@
  read_sysctl(useradd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.27.1/file_contexts/distros.fc
 --- nsapolicy/file_contexts/distros.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/distros.fc	2005-10-17 15:46:49.000000000 -0400
++++ policy-1.27.1/file_contexts/distros.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -89,6 +89,7 @@
  /usr/lib/valgrind/hp2ps				-- system_u:object_r:texrel_shlib_t
  /usr/lib/valgrind/stage2			-- system_u:object_r:texrel_shlib_t
@@ -2105,7 +2212,7 @@
  /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.27.1/file_contexts/program/apache.fc
 --- nsapolicy/file_contexts/program/apache.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/apache.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/apache.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -9,6 +9,8 @@
  /var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
  /var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
@@ -2117,7 +2224,7 @@
  /etc/httpd/logs			system_u:object_r:httpd_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.1/file_contexts/program/bluetooth.fc
 --- nsapolicy/file_contexts/program/bluetooth.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -1,8 +1,11 @@
  # bluetooth
  /etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
@@ -2132,7 +2239,7 @@
 +/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.1/file_contexts/program/dhcpc.fc
 --- nsapolicy/file_contexts/program/dhcpc.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -4,9 +4,11 @@
  /etc/dhclient.*conf	--	system_u:object_r:dhcp_etc_t
  /etc/dhclient-script	--	system_u:object_r:dhcp_etc_t
@@ -2147,7 +2254,7 @@
  # pump
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.27.1/file_contexts/program/dhcpd.fc
 --- nsapolicy/file_contexts/program/dhcpd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpd.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/dhcpd.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -2,10 +2,10 @@
  /etc/dhcpd\.conf	--	system_u:object_r:dhcp_etc_t
  /etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
@@ -2171,7 +2278,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.27.1/file_contexts/program/ftpd.fc
 --- nsapolicy/file_contexts/program/ftpd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ftpd.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/ftpd.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -10,7 +10,8 @@
  /var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
  /var/log/muddleftpd\.log.* --	system_u:object_r:xferlog_t
@@ -2185,7 +2292,7 @@
 +/srv/([^/]*/)?ftp(/.*)?		system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/games.fc policy-1.27.1/file_contexts/program/games.fc
 --- nsapolicy/file_contexts/program/games.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/games.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/games.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -1,8 +1,10 @@
  #  games
 -/usr/lib(64)?/games/.* 	--	system_u:object_r:games_exec_t
@@ -2210,7 +2317,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.27.1/file_contexts/program/ipsec.fc
 --- nsapolicy/file_contexts/program/ipsec.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/ipsec.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -21,6 +21,7 @@
  /usr/lib(64)?/ipsec/spi	--	system_u:object_r:ipsec_exec_t
  /usr/local/lib(64)?/ipsec/spi --	system_u:object_r:ipsec_exec_t
@@ -2221,13 +2328,13 @@
  /usr/sbin/racoon	--	system_u:object_r:ipsec_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/openct.fc policy-1.27.1/file_contexts/program/openct.fc
 --- nsapolicy/file_contexts/program/openct.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/openct.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/openct.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -0,0 +1,2 @@
 +/usr/sbin/openct-control	-- 	system_u:object_r:openct_exec_t
 +/var/run/openct(/.*)?			system_u:object_r:openct_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.1/file_contexts/program/pegasus.fc
 --- nsapolicy/file_contexts/program/pegasus.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/pegasus.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -0,0 +1,11 @@
 +# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
 +/usr/sbin/cimserver		--	system_u:object_r:pegasus_exec_t
@@ -2242,7 +2349,7 @@
 +/usr/share/Pegasus/mof(/.*)?/.*\.mof    system_u:object_r:pegasus_mof_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.27.1/file_contexts/program/pppd.fc
 --- nsapolicy/file_contexts/program/pppd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/pppd.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/pppd.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -20,6 +20,6 @@
  /etc/ppp/plugins/rp-pppoe\.so 	--	system_u:object_r:shlib_t
  /etc/ppp/resolv\.conf 	--	system_u:object_r:pppd_etc_rw_t
@@ -2253,18 +2360,18 @@
  /etc/ppp/(auth|ip(v6|x)?)-(up|down)	--	system_u:object_r:pppd_script_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/readahead.fc policy-1.27.1/file_contexts/program/readahead.fc
 --- nsapolicy/file_contexts/program/readahead.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/readahead.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/readahead.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/roundup.fc policy-1.27.1/file_contexts/program/roundup.fc
 --- nsapolicy/file_contexts/program/roundup.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/roundup.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/roundup.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -0,0 +1,2 @@
 +/usr/bin/roundup-server         --      system_u:object_r:roundup_exec_t
 +/var/lib/roundup(/.*)?          --      system_u:object_r:roundup_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpm.fc policy-1.27.1/file_contexts/program/rpm.fc
 --- nsapolicy/file_contexts/program/rpm.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rpm.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/rpm.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -23,3 +23,7 @@
  /var/lib/YaST2(/.*)?			system_u:object_r:rpm_var_lib_t
  /var/log/YaST2(/.*)?			system_u:object_r:rpm_log_t
@@ -2275,7 +2382,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rshd.fc policy-1.27.1/file_contexts/program/rshd.fc
 --- nsapolicy/file_contexts/program/rshd.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rshd.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/rshd.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -1,3 +1,4 @@
  # rshd.
  /usr/sbin/in\.rshd	--	system_u:object_r:rshd_exec_t
@@ -2283,7 +2390,7 @@
  /usr/kerberos/sbin/kshd	--	system_u:object_r:rshd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.27.1/file_contexts/program/rsync.fc
 --- nsapolicy/file_contexts/program/rsync.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/rsync.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/rsync.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -1,3 +1,3 @@
  # rsync program
  /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
@@ -2291,7 +2398,7 @@
 +/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:public_content_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/squid.fc policy-1.27.1/file_contexts/program/squid.fc
 --- nsapolicy/file_contexts/program/squid.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/squid.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/squid.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -6,3 +6,6 @@
  /etc/squid(/.*)?		system_u:object_r:squid_conf_t
  /var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
@@ -2301,7 +2408,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.27.1/file_contexts/program/xdm.fc
 --- nsapolicy/file_contexts/program/xdm.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/xdm.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/xdm.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -3,7 +3,7 @@
  /usr/X11R6/bin/[xgkw]dm	--	system_u:object_r:xdm_exec_t
  /opt/kde3/bin/kdm	--	system_u:object_r:xdm_exec_t
@@ -2313,13 +2420,13 @@
  /var/log/[kw]dm\.log	--	system_u:object_r:xserver_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/yppasswdd.fc policy-1.27.1/file_contexts/program/yppasswdd.fc
 --- nsapolicy/file_contexts/program/yppasswdd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/yppasswdd.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/yppasswdd.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -0,0 +1,2 @@
 +# yppasswd
 +/usr/sbin/rpc.yppasswdd		--	system_u:object_r:yppasswdd_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ypserv.fc policy-1.27.1/file_contexts/program/ypserv.fc
 --- nsapolicy/file_contexts/program/ypserv.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-10-17 15:46:28.000000000 -0400
++++ policy-1.27.1/file_contexts/program/ypserv.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -1,3 +1,4 @@
  # ypserv
  /usr/sbin/ypserv		--	system_u:object_r:ypserv_exec_t
@@ -2327,7 +2434,7 @@
  /etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.1/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/types.fc	2005-10-17 15:46:49.000000000 -0400
++++ policy-1.27.1/file_contexts/types.fc	2005-10-19 09:24:26.000000000 -0400
 @@ -133,6 +133,7 @@
  /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
  /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
@@ -2352,7 +2459,7 @@
 +/etc/sysconfig/network-scripts/ifdown-.* 	-- system_u:object_r:bin_t
 diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.1/genfs_contexts
 --- nsapolicy/genfs_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/genfs_contexts	2005-10-17 15:41:20.000000000 -0400
++++ policy-1.27.1/genfs_contexts	2005-10-19 09:24:26.000000000 -0400
 @@ -94,7 +94,8 @@
  genfscon debugfs /			system_u:object_r:debugfs_t
  genfscon inotifyfs /			system_u:object_r:inotifyfs_t
@@ -2365,7 +2472,7 @@
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.1/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/base_user_macros.te	2005-10-18 14:21:21.000000000 -0400
++++ policy-1.27.1/macros/base_user_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -40,6 +40,12 @@
  allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
  can_setfscreate($1_t)
@@ -2381,7 +2488,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.27.1/macros/core_macros.te
 --- nsapolicy/macros/core_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/core_macros.te	2005-10-18 14:21:21.000000000 -0400
++++ policy-1.27.1/macros/core_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -620,6 +620,9 @@
  # Label pty files with a derived type.
  type_transition $1_t devpts_t:chr_file $1_devpts_t;
@@ -2394,7 +2501,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/global_macros.te	2005-10-18 14:21:21.000000000 -0400
++++ policy-1.27.1/macros/global_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -157,6 +157,11 @@
  r_dir_file($1, locale_t)
  ')
@@ -2459,7 +2566,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.27.1/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/network_macros.te	2005-10-18 14:21:21.000000000 -0400
++++ policy-1.27.1/macros/network_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -153,7 +153,8 @@
  ')dnl end can_network definition
  
@@ -2490,7 +2597,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.27.1/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/apache_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/apache_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -38,7 +38,7 @@
  allow httpd_$1_script_t etc_runtime_t:file { getattr read };
  read_locale(httpd_$1_script_t)
@@ -2533,7 +2640,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/bonobo_macros.te policy-1.27.1/macros/program/bonobo_macros.te
 --- nsapolicy/macros/program/bonobo_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/bonobo_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/bonobo_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -72,9 +72,7 @@
  # here temporarily, since bonobo runs as ROLE_t by default anyway
  domain_auto_trans($1_bonobo_t, bin_t, $1_t) 
@@ -2546,7 +2653,7 @@
  ') dnl bonobo_domain
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.27.1/macros/program/cdrecord_macros.te
 --- nsapolicy/macros/program/cdrecord_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/cdrecord_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -41,7 +41,7 @@
  
  allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
@@ -2558,7 +2665,7 @@
  allow $1_cdrecord_t $1_home_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crontab_macros.te policy-1.27.1/macros/program/crontab_macros.te
 --- nsapolicy/macros/program/crontab_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/crontab_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/crontab_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -40,7 +40,7 @@
  
  # Use capabilities dac_override is to create the file in the directory
@@ -2570,7 +2677,7 @@
  file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.27.1/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/dbusd_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/dbusd_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -29,9 +29,7 @@
  r_dir_file($1_dbusd_t, etc_dbusd_t)
  tmp_domain($1_dbusd) 
@@ -2596,7 +2703,7 @@
  # can_dbusd_converse(dbus_type, domain_prefix_a, domain_prefix_b)
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gconf_macros.te policy-1.27.1/macros/program/gconf_macros.te
 --- nsapolicy/macros/program/gconf_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/gconf_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/gconf_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -31,8 +31,8 @@
  # /tmp/gconfd-USER
  tmp_domain($1_gconfd)
@@ -2609,7 +2716,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.27.1/macros/program/gift_macros.te
 --- nsapolicy/macros/program/gift_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/gift_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/gift_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -90,9 +90,7 @@
  r_dir_file($1_giftd_t, usr_t)
  
@@ -2622,7 +2729,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.27.1/macros/program/gpg_macros.te
 --- nsapolicy/macros/program/gpg_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/gpg_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/gpg_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -108,8 +108,6 @@
  # for nscd
  dontaudit $1_gpg_helper_t var_t:dir search;
@@ -2634,7 +2741,7 @@
  ')dnl end gpg_domain definition
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/i18n_input_macros.te policy-1.27.1/macros/program/i18n_input_macros.te
 --- nsapolicy/macros/program/i18n_input_macros.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/i18n_input_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -0,0 +1,21 @@
 +#
 +# Macros for i18n_input
@@ -2659,7 +2766,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.27.1/macros/program/lpr_macros.te
 --- nsapolicy/macros/program/lpr_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/lpr_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/lpr_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -39,7 +39,7 @@
  can_ypbind($1_lpr_t)
  
@@ -2671,7 +2778,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.27.1/macros/program/mta_macros.te
 --- nsapolicy/macros/program/mta_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/mta_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/mta_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -34,7 +34,7 @@
  
  uses_shlib($1_mail_t)
@@ -2692,7 +2799,7 @@
  # For when the user wants to send mail via port 25 localhost
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/newrole_macros.te policy-1.27.1/macros/program/newrole_macros.te
 --- nsapolicy/macros/program/newrole_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/newrole_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/newrole_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -20,6 +20,8 @@
  read_locale($1_t)
  read_sysctl($1_t)
@@ -2704,7 +2811,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/pyzor_macros.te policy-1.27.1/macros/program/pyzor_macros.te
 --- nsapolicy/macros/program/pyzor_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/pyzor_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/pyzor_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -64,6 +64,6 @@
  
  # Allow pyzor to be run by hand.  Needed by any action other than
@@ -2715,7 +2822,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/razor_macros.te policy-1.27.1/macros/program/razor_macros.te
 --- nsapolicy/macros/program/razor_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/razor_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/razor_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -70,6 +70,6 @@
  
  # Allow razor to be run by hand.  Needed by any action other than
@@ -2726,7 +2833,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.1/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/su_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/su_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -54,7 +54,7 @@
  allow $1_su_t self:process { setsched setrlimit };
  allow $1_su_t device_t:dir search;
@@ -2747,7 +2854,7 @@
  # Caused by su - init scripts
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.27.1/macros/program/uml_macros.te
 --- nsapolicy/macros/program/uml_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/uml_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/uml_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -81,7 +81,7 @@
  allow uml_net_t $1_uml_t:unix_stream_socket { read write };
  allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
@@ -2759,7 +2866,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xdm_macros.te policy-1.27.1/macros/program/xdm_macros.te
 --- nsapolicy/macros/program/xdm_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/xdm_macros.te	2005-10-18 14:20:55.000000000 -0400
++++ policy-1.27.1/macros/program/xdm_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -6,6 +6,8 @@
  #
  
@@ -2771,7 +2878,7 @@
  ') dnl can_pipe_xdm
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.1/macros/user_macros.te
 --- nsapolicy/macros/user_macros.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/user_macros.te	2005-10-18 14:21:21.000000000 -0400
++++ policy-1.27.1/macros/user_macros.te	2005-10-19 09:24:26.000000000 -0400
 @@ -121,6 +121,7 @@
  # user domains.
  ifelse($1, sysadm, `',`
@@ -2808,7 +2915,7 @@
  allow $1_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.1/Makefile
 --- nsapolicy/Makefile	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/Makefile	2005-10-17 15:51:33.000000000 -0400
++++ policy-1.27.1/Makefile	2005-10-20 08:57:08.000000000 -0400
 @@ -29,15 +29,10 @@
  VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
  PREVERS := 19
@@ -2888,7 +2995,7 @@
  	@mv Makefile.new Makefile
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.27.1/man/man8/ftpd_selinux.8
 --- nsapolicy/man/man8/ftpd_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-10-19 09:24:26.000000000 -0400
 @@ -8,23 +8,24 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
@@ -2925,7 +3032,7 @@
  SELinux ftp daemon policy is customizable based on least access required.  So by 
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.27.1/man/man8/httpd_selinux.8
 --- nsapolicy/man/man8/httpd_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/httpd_selinux.8	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/man/man8/httpd_selinux.8	2005-10-19 09:24:26.000000000 -0400
 @@ -45,6 +45,15 @@
  .SH NOTE
  With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
@@ -2944,7 +3051,7 @@
  default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.27.1/man/man8/rsync_selinux.8
 --- nsapolicy/man/man8/rsync_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/rsync_selinux.8	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/man/man8/rsync_selinux.8	2005-10-19 09:24:26.000000000 -0400
 @@ -8,16 +8,22 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
@@ -2973,7 +3080,7 @@
  .TP
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.27.1/man/man8/samba_selinux.8
 --- nsapolicy/man/man8/samba_selinux.8	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/man/man8/samba_selinux.8	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/man/man8/samba_selinux.8	2005-10-19 09:24:26.000000000 -0400
 @@ -20,6 +20,11 @@
  .br
  /var/eng(/.*)? system_u:object_r:samba_share_t
@@ -2999,7 +3106,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs
 --- nsapolicy/mcs	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/mcs	2005-10-17 15:42:08.000000000 -0400
++++ policy-1.27.1/mcs	2005-10-19 09:24:26.000000000 -0400
 @@ -18,141 +18,77 @@
  #
  # Each category has a name and zero or more aliases.
@@ -3234,7 +3341,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.27.1/mls
 --- nsapolicy/mls	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/mls	2005-10-17 15:42:14.000000000 -0400
++++ policy-1.27.1/mls	2005-10-20 08:55:38.000000000 -0400
 @@ -13,12 +13,17 @@
  sensitivity s7;
  sensitivity s8;
@@ -3486,9 +3593,110 @@
  
  
  #
+@@ -545,7 +492,8 @@
+ mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsxwinwrite ));
++	 ( t1 == mlsxwinwrite ) or
++	 ( t2 == mlstrustedobject ));
+ 
+ # these access vectors have no MLS restrictions
+ # window { map unmap }
+@@ -583,12 +531,14 @@
+ mlsconstrain colormap { list read getattr }
+ 	(( l1 dom l2 ) or
+ 	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
++	 ( t1 == mlsxwinreadcolormap ) or
+ 	 ( t1 == mlsxwinread ));
+ 
+ # the colormap "write" ops (implicit single level)
+ mlsconstrain colormap { create free install uninstall store setattr }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++	 ( t1 == mlsxwinwritecolormap ) or
+ 	 ( t1 == mlsxwinwrite ));
+ 
+ 
+@@ -602,12 +552,14 @@
+ mlsconstrain property { read }
+ 	(( l1 dom l2 ) or
+ 	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
++	 ( t1 == mlsxwinreadproperty ) or
+ 	 ( t1 == mlsxwinread ));
+ 
+ # the property "write" ops (implicit single level)
+ mlsconstrain property { create free write }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++	 ( t1 == mlsxwinwriteproperty ) or
+ 	 ( t1 == mlsxwinwrite ));
+ 
+ 
+@@ -643,16 +595,14 @@
+ # MLS policy for the xinput class
+ #
+ 
+-# the xinput "read" ops (implicit single level)
+-mlsconstrain xinput { lookup getattr mousemotion }
+-	(( l1 dom l2 ) or
+-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+-	 ( t1 == mlsxwinread ));
++# these access vectors have no MLS restrictions
++# xinput ~{ relabelinput setattr }
+ 
+ # the xinput "write" ops (implicit single level)
+-mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
++mlsconstrain xinput { setattr relabelinput }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++	 ( t1 == mlsxwinwritexinput ) or
+ 	 ( t1 == mlsxwinwrite ));
+ 
+ 
+@@ -662,17 +612,8 @@
+ # MLS policy for the xserver class
+ #
+ 
+-# the xserver "read" ops (implicit single level)
+-mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
+-	(( l1 dom l2 ) or
+-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+-	 ( t1 == mlsxwinread ));
+-
+-# the xserver "write" ops (implicit single level)
+-mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
+-	(( l1 eq l2 ) or
+-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsxwinwrite ));
++# these access vectors have no MLS restrictions
++# xserver *
+ 
+ 
+ 
+@@ -681,17 +622,8 @@
+ # MLS policy for the xextension class
+ #
+ 
+-# the xextension "read" ops (implicit single level)
+-mlsconstrain xextension query
+-	(( l1 dom l2 ) or
+-	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+-	 ( t1 == mlsxwinread ));
+-
+-# the xextension "write" ops (implicit single level)
+-mlsconstrain xextension use
+-	(( l1 eq l2 ) or
+-	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 ( t1 == mlsxwinwrite ));
++# these access vectors have no MLS restrictions
++# xextension { query use }
+ 
+ 
+ #
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.1/net_contexts
 --- nsapolicy/net_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/net_contexts	2005-10-18 14:21:39.000000000 -0400
++++ policy-1.27.1/net_contexts	2005-10-19 09:24:26.000000000 -0400
 @@ -50,6 +50,10 @@
  portcon tcp 53 system_u:object_r:dns_port_t
  
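Review bot: The rewritten xinput, xserver and xextension sections of the mls file drop every MLS constraint except `mlsconstrain xinput { setattr relabelinput }`, so permissions such as `activegrab passivegrab setfocus warppointer` and `xserver { sethostlist grab }` are no longer level-checked, and the only stated rationale is the line `# these access vectors have no MLS restrictions`. Because these operations can carry input or control between clients at different levels, the comment should record what is expected to enforce separation instead, e.g. `# xinput grab/focus ops: no MLS check, mediated by TE rules only (rationale: <to be filled in by author>)`. The added `( t2 == mlstrustedobject )` clause in the window write constraint is an object-side exemption that satisfies the MLS check whatever the subject's level, so a one-line comment naming the window types expected to carry that attribute would make it auditable. The new attributes (`mlsxwinreadcolormap`, `mlsxwinwritecolormap`, `mlsxwinreadproperty`, `mlsxwinwriteproperty`, `mlsxwinwritexinput`) presumably come from the attrib.te part of this patch, which is not visible here, so confirm they are declared there.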
@@ -3520,7 +3728,7 @@
  portcon tcp 6002  system_u:object_r:xserver_port_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.27.1/targeted/appconfig/root_default_contexts
 --- nsapolicy/targeted/appconfig/root_default_contexts	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/targeted/appconfig/root_default_contexts	2005-10-19 09:24:26.000000000 -0400
 @@ -1,2 +1,6 @@
  system_r:unconfined_t	system_r:unconfined_t
  system_r:initrc_t	system_r:unconfined_t
@@ -3530,7 +3738,7 @@
 +system_r:crond_t	system_r:unconfined_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.27.1/targeted/assert.te
 --- nsapolicy/targeted/assert.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/assert.te	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/targeted/assert.te	2005-10-19 09:24:26.000000000 -0400
 @@ -22,7 +22,7 @@
  
  # Confined domains must never touch an unconfined domain except to
@@ -3542,7 +3750,7 @@
  neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te
 --- nsapolicy/targeted/domains/program/ssh.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/ssh.te	2005-10-17 15:49:55.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/ssh.te	2005-10-19 09:24:26.000000000 -0400
 @@ -17,3 +17,6 @@
  type sshd_key_t, file_type, sysadmfile;
  type sshd_var_run_t, file_type, sysadmfile;
@@ -3552,7 +3760,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.1/targeted/domains/program/xdm.te
 --- nsapolicy/targeted/domains/program/xdm.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/xdm.te	2005-10-17 15:49:55.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/xdm.te	2005-10-19 09:24:26.000000000 -0400
 @@ -20,3 +20,7 @@
  type xdm_tmp_t, file_type, sysadmfile;
  domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
@@ -3563,7 +3771,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.1/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/targeted/domains/unconfined.te	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/targeted/domains/unconfined.te	2005-10-19 09:24:26.000000000 -0400
 @@ -63,6 +63,7 @@
  bool use_samba_home_dirs false;
  
@@ -3592,7 +3800,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.1/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/tunables/distro.tun	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/tunables/distro.tun	2005-10-19 09:24:26.000000000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -3604,7 +3812,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.1/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/tunables/tunable.tun	2005-10-12 14:40:15.000000000 -0400
++++ policy-1.27.1/tunables/tunable.tun	2005-10-19 09:24:26.000000000 -0400
 @@ -1,5 +1,5 @@
  # Allow rpm to run unconfined.
 -dnl define(`unlimitedRPM')
@@ -3623,7 +3831,7 @@
  # Otherwise, only staff_r can do so.
 diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.27.1/types/device.te
 --- nsapolicy/types/device.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/device.te	2005-10-18 14:19:04.000000000 -0400
++++ policy-1.27.1/types/device.te	2005-10-19 09:24:26.000000000 -0400
 @@ -131,8 +131,8 @@
  # Type for /dev/.devfsd
  type devfs_control_t, device_type, dev_fs;
@@ -3637,7 +3845,7 @@
  type power_device_t, device_type, dev_fs;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.27.1/types/devpts.te
 --- nsapolicy/types/devpts.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/devpts.te	2005-10-18 14:19:04.000000000 -0400
++++ policy-1.27.1/types/devpts.te	2005-10-19 09:24:26.000000000 -0400
 @@ -18,4 +18,6 @@
  #
  type devpts_t, mount_point, fs_type;
@@ -3648,7 +3856,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te
 --- nsapolicy/types/file.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/file.te	2005-10-18 14:19:04.000000000 -0400
++++ policy-1.27.1/types/file.te	2005-10-19 09:24:26.000000000 -0400
 @@ -307,8 +307,7 @@
  type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
  allow hugetlbfs_t self:filesystem associate;
@@ -3696,7 +3904,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te
 --- nsapolicy/types/network.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/network.te	2005-10-18 14:19:04.000000000 -0400
++++ policy-1.27.1/types/network.te	2005-10-19 09:24:26.000000000 -0400
 @@ -18,7 +18,7 @@
  type dhcpd_port_t, port_type, reserved_port_type;
  type smbd_port_t, port_type, reserved_port_type;
@@ -3750,7 +3958,7 @@
  type rsync_port_t, port_type, reserved_port_type;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te
 --- nsapolicy/types/security.te	2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/types/security.te	2005-10-18 14:19:04.000000000 -0400
++++ policy-1.27.1/types/security.te	2005-10-19 09:24:26.000000000 -0400
 @@ -13,12 +13,17 @@
  # applied to selinuxfs inodes.
  #


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/FC-4/selinux-policy-strict.spec,v
retrieving revision 1.325
retrieving revision 1.326
diff -u -r1.325 -r1.326
--- selinux-policy-strict.spec	18 Oct 2005 18:25:42 -0000	1.325
+++ selinux-policy-strict.spec	20 Oct 2005 12:58:50 -0000	1.326
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.27.1
-Release: 2.8
+Release: 2.9
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -229,6 +229,10 @@
 exit 0
 
 %changelog
+* Wed Oct 19 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.9
+- Fix mysql
+- Add spamd.te
+
 * Tue Oct 18 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.8
 - Fix gssd
 



