rpms/selinux-policy-targeted/FC-4 policy-20050916.patch, 1.13, 1.14 selinux-policy-targeted.spec, 1.346, 1.347
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Oct 27 04:15:37 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv21054
Modified Files:
policy-20050916.patch selinux-policy-targeted.spec
Log Message:
* Thu Oct 27 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.11
- Fix disable_postfix_trans boolean
policy-20050916.patch:
Makefile | 24 +-
attrib.te | 100 +++++++++-
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/crond.te | 2
domains/program/fsadm.te | 9
domains/program/hostname.te | 2
domains/program/ifconfig.te | 5
domains/program/init.te | 2
domains/program/initrc.te | 26 ++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 11 -
domains/program/login.te | 21 +-
domains/program/logrotate.te | 2
domains/program/modutil.te | 27 +-
domains/program/mount.te | 6
domains/program/netutils.te | 3
domains/program/newrole.te | 4
domains/program/restorecon.te | 3
domains/program/setfiles.te | 4
domains/program/ssh.te | 6
domains/program/su.te | 9
domains/program/syslogd.te | 6
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 13 +
domains/program/unused/alsa.te | 2
domains/program/unused/amanda.te | 74 +------
domains/program/unused/anaconda.te | 5
domains/program/unused/apache.te | 22 +-
domains/program/unused/apmd.te | 19 +
domains/program/unused/auditd.te | 8
domains/program/unused/automount.te | 4
domains/program/unused/bluetooth.te | 72 +++++++
domains/program/unused/cups.te | 20 +-
domains/program/unused/cvs.te | 2
domains/program/unused/cyrus.te | 2
domains/program/unused/dbusd.te | 4
domains/program/unused/dcc.te | 5
domains/program/unused/dhcpc.te | 5
domains/program/unused/dhcpd.te | 3
domains/program/unused/dovecot.te | 4
domains/program/unused/exim.te | 309 +++++++++++++++++++++++++++++++
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/hwclock.te | 1
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 5
domains/program/unused/mta.te | 8
domains/program/unused/mysqld.te | 10 -
domains/program/unused/named.te | 27 ++
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 10 -
domains/program/unused/openct.te | 16 +
domains/program/unused/pamconsole.te | 4
domains/program/unused/pegasus.te | 37 +++
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 58 +++--
domains/program/unused/postgresql.te | 11 -
domains/program/unused/pppd.te | 21 +-
domains/program/unused/procmail.te | 11 -
domains/program/unused/readahead.te | 21 ++
domains/program/unused/rlogind.te | 4
domains/program/unused/roundup.te | 29 ++
domains/program/unused/rpcd.te | 18 +
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 12 +
domains/program/unused/sendmail.te | 3
domains/program/unused/snmpd.te | 6
domains/program/unused/spamd.te | 18 -
domains/program/unused/squid.te | 3
domains/program/unused/udev.te | 10 -
domains/program/unused/utempter.te | 2
domains/program/unused/webalizer.te | 3
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3
domains/program/unused/yppasswdd.te | 40 ++++
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 5
file_contexts/distros.fc | 2
file_contexts/program/apache.fc | 2
file_contexts/program/bluetooth.fc | 3
file_contexts/program/dhcpc.fc | 2
file_contexts/program/dhcpd.fc | 5
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 11 -
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 9
file_contexts/program/pppd.fc | 2
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/rpm.fc | 4
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/squid.fc | 3
file_contexts/program/xdm.fc | 2
file_contexts/program/yppasswdd.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 4
genfs_contexts | 3
macros/base_user_macros.te | 7
macros/core_macros.te | 9
macros/global_macros.te | 25 +-
macros/home_macros.te | 9
macros/network_macros.te | 17 +
macros/program/apache_macros.te | 13 +
macros/program/bonobo_macros.te | 2
macros/program/cdrecord_macros.te | 6
macros/program/chkpwd_macros.te | 8
macros/program/crontab_macros.te | 2
macros/program/dbusd_macros.te | 7
macros/program/gconf_macros.te | 2
macros/program/gift_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/i18n_input_macros.te | 21 ++
macros/program/lpr_macros.te | 2
macros/program/mta_macros.te | 4
macros/program/newrole_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/su_macros.te | 4
macros/program/uml_macros.te | 2
macros/program/xdm_macros.te | 2
macros/program/ypbind_macros.te | 1
macros/user_macros.te | 7
man/man8/ftpd_selinux.8 | 19 +
man/man8/httpd_selinux.8 | 9
man/man8/rsync_selinux.8 | 12 -
man/man8/samba_selinux.8 | 9
mcs | 210 ++++++++-------------
mls | 270 ++++++++++-----------------
net_contexts | 8
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 3
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 15 +
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/device.te | 4
types/devpts.te | 4
types/file.te | 45 +---
types/network.te | 13 -
types/nfs.te | 1
types/security.te | 6
148 files changed, 1506 insertions(+), 648 deletions(-)
Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/policy-20050916.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- policy-20050916.patch 24 Oct 2005 14:39:55 -0000 1.13
+++ policy-20050916.patch 27 Oct 2005 04:15:26 -0000 1.14
@@ -696,7 +696,7 @@
role system_r types tmpreaper_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/alsa.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/alsa.te 2005-10-27 00:08:05.000000000 -0400
@@ -11,6 +11,8 @@
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
@@ -708,7 +708,7 @@
allow alsa_t self:capability { setgid setuid ipc_owner };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/amanda.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/amanda.te 2005-10-27 00:08:05.000000000 -0400
@@ -84,7 +84,6 @@
# configuration files -> read only
@@ -870,7 +870,7 @@
+allow amanda_t file_type:fifo_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/anaconda.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/anaconda.te 2005-10-27 00:08:05.000000000 -0400
@@ -17,11 +17,6 @@
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
@@ -885,7 +885,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apache.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apache.te 2005-10-27 00:08:05.000000000 -0400
@@ -113,9 +113,12 @@
can_network_server(httpd_t)
can_kerberos(httpd_t)
@@ -949,7 +949,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apmd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apmd.te 2005-10-27 00:08:05.000000000 -0400
@@ -47,6 +47,7 @@
# acpid also has a logfile
@@ -982,7 +982,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/auditd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/auditd.te 2005-10-27 00:08:05.000000000 -0400
@@ -12,6 +12,12 @@
daemon_domain(auditd)
@@ -1004,7 +1004,7 @@
+can_exec(auditd_t, sbin_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/automount.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/automount.te 2005-10-27 00:08:05.000000000 -0400
@@ -34,7 +34,9 @@
can_exec(automount_t, { etc_t automount_etc_t })
@@ -1030,7 +1030,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/bluetooth.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/bluetooth.te 2005-10-27 00:08:05.000000000 -0400
@@ -11,16 +11,23 @@
daemon_domain(bluetooth)
@@ -1133,7 +1133,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cups.te 2005-10-27 00:08:05.000000000 -0400
@@ -48,7 +48,7 @@
# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
@@ -1207,7 +1207,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.27.1/domains/program/unused/cvs.te
--- nsapolicy/domains/program/unused/cvs.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cvs.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cvs.te 2005-10-27 00:08:05.000000000 -0400
@@ -23,6 +23,8 @@
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
@@ -1219,7 +1219,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cyrus.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cyrus.te 2005-10-27 00:08:05.000000000 -0400
@@ -42,7 +42,7 @@
create_dir_file(cyrus_t, mail_spool_t)
allow cyrus_t var_spool_t:dir search;
@@ -1231,7 +1231,7 @@
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dbusd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dbusd.te 2005-10-27 00:08:05.000000000 -0400
@@ -12,7 +12,7 @@
# dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -1249,7 +1249,7 @@
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dcc.te policy-1.27.1/domains/program/unused/dcc.te
--- nsapolicy/domains/program/unused/dcc.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dcc.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dcc.te 2005-10-27 00:08:05.000000000 -0400
@@ -200,9 +200,8 @@
can_exec_any(dcc_script_t)
dcc_common(dcc_script)
@@ -1264,7 +1264,7 @@
# the dcc user (even though the default dcc user is root).
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpc.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpc.te 2005-10-27 00:08:05.000000000 -0400
@@ -120,6 +120,7 @@
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
@@ -1297,7 +1297,7 @@
+allow dhcpc_t locale_t:file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.1/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dhcpd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpd.te 2005-10-27 00:08:05.000000000 -0400
@@ -17,8 +17,6 @@
#
daemon_domain(dhcpd, `, nscd_client_domain')
@@ -1317,7 +1317,7 @@
allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/dovecot.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dovecot.te 2005-10-27 00:08:05.000000000 -0400
@@ -43,7 +43,9 @@
can_kerberos(dovecot_t)
@@ -1329,9 +1329,322 @@
create_dir_file(dovecot_t, dovecot_spool_t)
create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.1/domains/program/unused/exim.te
+--- nsapolicy/domains/program/unused/exim.te 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.27.1/domains/program/unused/exim.te 2005-10-27 00:08:05.000000000 -0400
+@@ -0,0 +1,309 @@
++#DESC Exim - Mail server
++#
++# Author: David Hampton <hampton at employees.org>
++# From postfix.te by Russell Coker <russell at coker.com.au>
++# Depends: mta.te
++#
++
++type exim_spool_t, file_type, sysadmfile;
++type exim_spool_db_t, file_type, sysadmfile;
++
++
++##########
++# Exim daemon
++##########
++daemon_domain(exim, `, mta_delivery_agent, mail_server_domain, mail_server_sender, nscd_client_domain, privlog, privhome', nosysadm)
++exim_common(exim);
++etcdir_domain(exim)
++logdir_domain(exim)
++########################################
++########################################
++role sysadm_r types exim_t;
++
++# Server side networking
++can_network_tcp(exim_t);
++allow exim_t { smtp_port_t amavisd_send_port_t }:tcp_socket name_bind;
++# The exim daemon gets to listen to mail coming back from amavisd
++# For identd lookups
++allow exim_t inetd_child_port_t:tcp_socket name_connect;
++allow exim_t self:unix_dgram_socket create_socke_perms;
++
++# Lock file between exim processes. Exim creates a lock file in /tmp
++# that doesn't transition to the exim_tmp_t domain for some reason,
++# thus the allow statement.
++tmp_domain(exim)
++allow exim_t tmp_t:file { getattr read };
++
++# Lock files for the actual mail delivery. Exim wants to create a
++# 'hitching post' file in the same directory as the delivery file.
++# These are the additiona privileges over and above what's defined for
++# an mta_delivery_agent. Additional privs for maildir mail files
++allow exim_t mail_spool_t:dir remove_name;
++allow exim_t mail_spool_t:file { link setattr unlink write rename };
++
++# For access to users .forward files
++allow exim_t home_dir_type:dir { getattr search };
++
++allow exim_t self:capability { dac_read_search net_bind_service };
++
++# Create exim spool files, update spool database
++create_dir_file(exim_t, exim_spool_t)
++rw_dir_file(exim_t, exim_spool_db_t)
++
++# Start daemon/child processes
++can_exec(exim_t, exim_exec_t)
++
++allow exim_t sbin_t:dir r_dir_perms;
++
++# Read aliases file
++allow exim_t etc_aliases_t:file r_file_perms;
++
++#
++allow exim_t devpts_t:chr_file getattr;
++
++ifdef(`crond.te', `
++system_crond_entry(exim_exec_t, exim_t)
++domain_auto_trans(crond_t, exim_exec_t, exim_t)
++allow exim_t system_crond_tmp_t:file { getattr read append };
++#logwatch
++allow system_crond_t exim_log_t:file read;
++')
++
++# For squirrelmail
++ifdef(`httpd.te', `
++domain_auto_trans(httpd_sys_script_t, exim_exec_t, exim_t)
++allow exim_t httpd_t:fd use;
++allow exim_t httpd_t:process sigchld;
++allow exim_t httpd_log_t:file { append getattr };
++allow exim_t httpd_squirrelmail_t:file { append read };
++allow exim_t httpd_t:fifo_file { read write getattr };
++allow exim_t httpd_t:tcp_socket { read write };
++')
++
++########################################
++########################################
++
++
++## --------------------------------------------------
++## exim_ro, exim_ro_net
++##
++## Many of the subsequent applications call exim for
++## the sole purpose of extracting configuration or
++## other information. Lock down the permissions on
++## these instances to be pretty much read-only
++## everything.
++##
++## One of the applications calls exim only to
++## determine whether an address is valid. It does
++## this by having exim attempt to deliver an empty
++## message, without doing the actual deliver.
++## These function are aplit out here to keep all the
++## access controls on exim itself in poe part of the
++## file.
++## --------------------------------------------------
++
++define(`exim_ro_base', `
++application_domain($1)
++role system_r types $1_t;
++read_sysctl($1_t)
++r_dir_file($1_t, etc_t) #for nsswitch.conf
++r_dir_file($1_t, var_spool_t)
++r_dir_file($1_t, exim_spool_t)
++allow $1_t devpts_t:chr_file { getattr read write };
++allow $1_t self:capability { dac_override setgid setuid };
++')
++
++exim_ro_base(exim_ro)
++dontaudit exim_ro_t self:unix_stream_socket { connect create };
++
++exim_ro_base(exim_ro_net)
++can_network(exim_ro_net_t)
++general_proc_read_access(exim_ro_net_t)
++read_locale(exim_ro_net_t)
++allow exim_ro_net_t mail_spool_t:dir search;
++allow exim_ro_net_t etc_aliases_t:file r_file_perms;
++allow exim_ro_net_t self:unix_stream_socket { create connect };
++
++
++
++
++## --------------------------------------------------
++## exim_helper_base
++##
++## Define the base attributes for an exim helper
++## program.
++## --------------------------------------------------
++define(`exim_helper_base',`
++application_domain($1)
++role system_r types $1_t;
++can_exec_any($1_t)
++
++allow $1_t devpts_t:dir search;
++
++# Needed for perl
++general_domain_access($1_t)
++general_proc_read_access($1_t)
++allow $1_t urandom_device_t:chr_file read;
++allow $1_t { devtty_t devpts_t }:chr_file { read write ioctl };
++read_locale($1_t)
++allow $1_t sbin_t:dir r_dir_perms;
++')
++
++
++
++
++## --------------------------------------------------
++## exim_helper_script_base
++## --------------------------------------------------
++define(`exim_helper_script_base',`
++exim_helper_base($1)
++
++# Needed for bash
++allow $1_t { devtty_t devpts_t }:chr_file { read write getattr };
++allow $1_t devpts_t:dir search;
++allow $1_t fs_t:filesystem getattr;
++rw_dir_create_file($1_t, tmp_t) # Script uses a "here" document
++dontaudit $1_t etc_runtime_t:file { getattr read }; # mtab
++dontaudit $1_t selinux_config_t:dir { search };
++dontaudit $1_t selinux_config_t:file { getattr read }; # mtab
++allow $1_t var_spool_t:dir search; # Needed to traverse to get to /var/spool/exim
++
++')
++
++
++## --------------------------------------------------
++## exicyclog
++## --------------------------------------------------
++
++exim_helper_script_base(exicyclog)
++allow exicyclog_t self:capability { dac_override setuid setgid };
++create_dir_file(exicyclog_t, exim_log_t)
++allow exicyclog_t var_t:dir r_dir_perms;
++allow exicyclog_t var_log_t:dir r_dir_perms;
++allow exicyclog_t exim_spool_t:dir r_dir_perms;
++
++
++
++
++## --------------------------------------------------
++## exigrep
++## --------------------------------------------------
++
++exim_helper_base(exigrep)
++allow exigrep_t self:capability dac_override;
++r_dir_file(exigrep_t, var_log_t)
++r_dir_file(exigrep_t, exim_log_t)
++
++
++
++
++## --------------------------------------------------
++## exipick
++## --------------------------------------------------
++
++exim_helper_base(exipick)
++domain_auto_trans(exipick_t, exim_exec_t, exim_ro_t)
++r_dir_file(exipick_t, var_spool_t)
++r_dir_file(exipick_t, exim_spool_t)
++allow exipick_t self:capability dac_override;
++
++
++
++
++## --------------------------------------------------
++## exiqgrep
++## --------------------------------------------------
++
++exim_helper_base(exiqgrep)
++domain_auto_trans(exiqgrep_t, exim_exec_t, exim_ro_t)
++
++
++
++application_domain(exim_lock)
++role system_r types exim_lock_t;
++
++
++## --------------------------------------------------
++## exiwhat
++## 1) Runs exim to extract config info
++## 2) Sends a signal to all running exim processes
++## 3) Collects the status files they drop in the spool directory
++## --------------------------------------------------
++
++exim_helper_script_base(exiwhat)
++domain_auto_trans(exiwhat_t, exim_exec_t, exim_ro_t)
++allow exiwhat_t exim_spool_t:dir { rw_dir_perms };
++allow exiwhat_t exim_spool_t:file { r_file_perms unlink };
++
++# killall
++r_dir_file(exiwhat_t, exim_t)
++r_dir_file(exiwhat_t, selinux_config_t)
++allow exiwhat_t exim_t:process signal;
++allow exiwhat_t self:capability { dac_override kill sys_nice };
++
++dontaudit exiwhat_t file_type:dir search;
++dontaudit exiwhat_t file_type:file { getattr read };
++
++# rm
++allow exiwhat_t devpts_t:chr_file ioctl;
++
++
++
++
++## --------------------------------------------------
++## exim_check_access
++## 1) Runs exim to simulate mail receipt
++## 2) Checks on whether the mail address is allowed from the ip address
++## --------------------------------------------------
++
++exim_helper_script_base(exim_checkaccess)
++domain_auto_trans(exim_checkaccess_t, exim_exec_t, exim_ro_net_t)
++allow exim_checkaccess_t exim_spool_t:dir { r_dir_perms };
++allow exim_checkaccess_t self:capability dac_override;
++
++
++
++
++
++## --------------------------------------------------
++## exim_helper
++## --------------------------------------------------
++application_domain(exim_helper)
++domain_auto_trans(exim_helper_t, exim_exec_t, exim_ro_t)
++can_exec(exim_helper_t, bin_t)
++role system_r types exim_helper_t;
++general_domain_access(exim_helper_t)
++read_locale(exim_helper_t)
++
++allow exim_helper_t { devtty_t devpts_t }:chr_file { read write };
++
++# Have to walk through /var/log to get to /var/log/exim
++allow exim_helper_t var_t:dir r_dir_perms;
++r_dir_file(exim_helper_t, exim_log_t)
++
++
++
++
++
++
++## --------------------------------------------------
++## exim database maintenance programs
++## exim_dump_db, exim_fixdb, exim_tidydb
++## --------------------------------------------------
++define(`exim_db_base',`
++application_domain($1)
++role system_r types $1_t;
++read_locale($1_t)
++general_proc_read_access($1_t)
++allow $1_t devpts_t:chr_file { getattr read write };
++allow $1_t self:capability { dac_override setgid setuid };
++allow $1_t tmp_t:dir { getattr };
++r_dir_file($1_t, var_spool_t)
++r_dir_file($1_t, exim_spool_t)
++r_dir_file($1_t, exim_spool_db_t)
++dontaudit $1_t etc_runtime_t:file { getattr read }; # mtab
++')
++
++exim_db_base(exim_db_ro)
++exim_db_base(exim_db_rw)
++rw_dir_file(exim_db_rw_t, exim_spool_db_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.1/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ftpd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ftpd.te 2005-10-27 00:08:05.000000000 -0400
@@ -99,9 +99,11 @@
if (ftp_home_dir) {
@@ -1348,7 +1661,7 @@
r_dir_file(ftpd_t, nfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.1/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hald.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hald.te 2005-10-27 00:08:05.000000000 -0400
@@ -24,7 +24,8 @@
allow hald_t self:dbus send_msg;
')
@@ -1367,7 +1680,7 @@
+r_dir_file(hald_t, hwdata_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hotplug.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hotplug.te 2005-10-27 00:08:05.000000000 -0400
@@ -11,9 +11,9 @@
# hotplug_exec_t is the type of the hotplug executable.
#
@@ -1390,7 +1703,7 @@
allow hotplug_t printer_device_t:chr_file setattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/hwclock.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hwclock.te 2005-10-27 00:08:05.000000000 -0400
@@ -47,3 +47,4 @@
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
@@ -1398,7 +1711,7 @@
+r_dir_file(hwclock_t, etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.1/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ipsec.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ipsec.te 2005-10-27 00:08:05.000000000 -0400
@@ -219,7 +219,7 @@
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -1410,7 +1723,7 @@
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/kudzu.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/kudzu.te 2005-10-27 00:08:05.000000000 -0400
@@ -20,7 +20,7 @@
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
@@ -1439,7 +1752,7 @@
allow kudzu_t initrc_t:unix_stream_socket connectto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mta.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mta.te 2005-10-27 00:08:05.000000000 -0400
@@ -31,6 +31,10 @@
create_dir_file(system_mail_t, mail_spool_t)
allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
@@ -1461,7 +1774,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/mysqld.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/mysqld.te 2005-10-27 00:08:05.000000000 -0400
@@ -12,7 +12,7 @@
#
daemon_domain(mysqld, `, nscd_client_domain')
@@ -1494,7 +1807,7 @@
# read config files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.1/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/named.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/named.te 2005-10-27 00:08:05.000000000 -0400
@@ -36,7 +36,7 @@
allow named_t self:process { setsched setcap setrlimit };
@@ -1550,7 +1863,7 @@
allow ndc_t etc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/NetworkManager.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/NetworkManager.te 2005-10-27 00:08:05.000000000 -0400
@@ -11,7 +11,7 @@
# NetworkManager_t is the domain for the NetworkManager daemon.
# NetworkManager_exec_t is the type of the NetworkManager executable.
@@ -1585,7 +1898,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.1/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/nscd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/nscd.te 2005-10-27 00:08:05.000000000 -0400
@@ -76,3 +76,4 @@
log_domain(nscd)
r_dir_file(nscd_t, cert_t)
@@ -1593,7 +1906,7 @@
+allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ntpd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ntpd.te 2005-10-27 00:08:05.000000000 -0400
@@ -26,11 +26,11 @@
# for SSP
allow ntpd_t urandom_device_t:chr_file { getattr read };
@@ -1602,7 +1915,7 @@
-dontaudit ntpd_t self:capability { net_admin };
-allow ntpd_t self:process { setcap setsched };
+# sys_resource and setrlimit is for locking memory
-+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { fsetid net_admin };
+allow ntpd_t self:process { setcap setsched setrlimit };
# ntpdate wants sys_nice
@@ -1621,7 +1934,7 @@
can_exec(ntpd_t, initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
--- nsapolicy/domains/program/unused/openct.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/openct.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/openct.te 2005-10-27 00:08:05.000000000 -0400
@@ -0,0 +1,16 @@
+#DESC openct - read files in page cache
+#
@@ -1641,7 +1954,7 @@
+allow openct_t etc_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pamconsole.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pamconsole.te 2005-10-27 00:08:05.000000000 -0400
@@ -3,7 +3,7 @@
#
# pam_console_apply
@@ -1666,7 +1979,7 @@
+nsswitch_domain(pam_console_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/pegasus.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pegasus.te 2005-10-27 00:08:05.000000000 -0400
@@ -0,0 +1,37 @@
+#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
+#
@@ -1680,8 +1993,8 @@
+daemon_domain(pegasus, `, nscd_client_domain, auth')
+type pegasus_data_t, file_type, sysadmfile;
+type pegasus_conf_t, file_type, sysadmfile;
++typealias sbin_t alias pegasus_conf_exec_t;
+type pegasus_mof_t, file_type, sysadmfile;
-+type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
+allow pegasus_t self:capability { dac_override net_bind_service audit_write };
+can_network_tcp(pegasus_t);
+nsswitch_domain(pegasus_t);
@@ -1699,15 +2012,15 @@
+r_dir_file(pegasus_t, etc_t)
+r_dir_file(pegasus_t, var_lib_t)
+r_dir_file(pegasus_t, pegasus_mof_t)
-+rw_dir_create_file(pegasus_t, pegasus_conf_t)
++r_dir_file(pegasus_t, pegasus_conf_t)
++file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
+rw_dir_create_file(pegasus_t, pegasus_data_t)
-+rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
+allow pegasus_t shadow_t:file { getattr read };
+dontaudit pegasus_t selinux_config_t:dir search;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.1/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ping.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ping.te 2005-10-27 00:08:05.000000000 -0400
@@ -58,6 +58,6 @@
dontaudit ping_t devtty_t:chr_file { read write };
dontaudit ping_t self:capability sys_tty_config;
@@ -1718,7 +2031,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postfix.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/postfix.te 2005-10-27 00:08:05.000000000 -0400
@@ -54,6 +54,8 @@
allow postfix_$1_t proc_net_t:dir search;
allow postfix_$1_t proc_net_t:file { getattr read };
@@ -1738,8 +2051,8 @@
read_sysctl(postfix_master_t)
+ifdef(`targeted_policy', `
-+bool disable_postfix_trans false;
-+if (!disable_postfix_trans) {
++bool postfix_disable_trans false;
++if (!postfix_disable_trans) {
+')
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
allow initrc_t postfix_master_t:process { noatsecure siginh rlimitinh };
@@ -1896,9 +2209,39 @@
allow postfix_map_t port_type:tcp_socket name_connect;
-allow postfix_local_t mail_spool_t:dir { remove_name };
-allow postfix_local_t mail_spool_t:file { unlink };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.27.1/domains/program/unused/postgresql.te
+--- nsapolicy/domains/program/unused/postgresql.te 2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/domains/program/unused/postgresql.te 2005-10-27 00:08:05.000000000 -0400
+@@ -51,7 +51,6 @@
+
+ # Use the network.
+ can_network(postgresql_t)
+-can_ypbind(postgresql_t)
+ allow postgresql_t self:fifo_file { getattr read write ioctl };
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+ can_unix_connect(postgresql_t, self)
+@@ -130,9 +129,17 @@
+ ')
+
+ dontaudit postgresql_t home_root_t:dir search;
+-can_kerberos(postgresql_t)
+ allow postgresql_t urandom_device_t:chr_file { getattr read };
+
+ if (allow_execmem) {
+ allow postgresql_t self:process execmem;
+ }
++
++authentication_domain(postgresql_t)
++#
++# postgresql has pam support
++#
++bool allow_postgresql_use_pam false;
++if (allow_postgresql_use_pam) {
++domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t)
++}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pppd.te 2005-10-27 00:08:05.000000000 -0400
@@ -14,7 +14,7 @@
#
bool pppd_for_user false;
@@ -1925,7 +2268,15 @@
# Access /dev/ppp.
allow pppd_t ppp_device_t:chr_file rw_file_perms;
-@@ -104,14 +105,16 @@
+@@ -74,6 +75,7 @@
+ allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
+
+ allow pppd_t devpts_t:dir search;
++allow pppd_t devpts_t:chr_file ioctl;
+
+ # for scripts
+ allow pppd_t self:fifo_file rw_file_perms;
+@@ -104,14 +106,16 @@
dontaudit pppd_t initrc_var_run_t:file { lock write };
# pppd needs to load kernel modules for certain modems
@@ -1946,14 +2297,28 @@
can_network_client_tcp(pptp_t)
allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
can_exec(pptp_t, hostname_exec_t)
-@@ -144,3 +147,4 @@
+@@ -120,11 +124,11 @@
+ allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow pptp_t self:unix_dgram_socket create_socket_perms;
+ can_exec(pptp_t, pppd_etc_rw_t)
++allow pptp_t devpts_t:dir search;
++allow pptp_t pppd_devpts_t:chr_file rw_file_perms;
+ allow pptp_t devpts_t:chr_file ioctl;
+ r_dir_file(pptp_t, pppd_etc_rw_t)
+ r_dir_file(pptp_t, pppd_etc_t)
+-allow pptp_t devpts_t:dir search;
+-allow pppd_t devpts_t:chr_file ioctl;
+ allow pppd_t pptp_t:process signal;
+ allow pptp_t self:capability net_raw;
+ allow pptp_t self:fifo_file { read write };
+@@ -144,3 +148,4 @@
# Allow /etc/ppp/ip-{up,down} to run most anything
type pppd_script_exec_t, file_type, sysadmfile;
domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
+allow pppd_t initrc_t:process noatsecure;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/procmail.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/procmail.te 2005-10-27 00:08:05.000000000 -0400
@@ -19,8 +19,7 @@
uses_shlib(procmail_t)
allow procmail_t device_t:dir search;
@@ -1981,7 +2346,7 @@
# Search /var/run.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te
--- nsapolicy/domains/program/unused/readahead.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/readahead.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/readahead.te 2005-10-27 00:08:05.000000000 -0400
@@ -0,0 +1,21 @@
+#DESC readahead - read files in page cache
+#
@@ -2006,7 +2371,7 @@
+dontaudit readahead_t device_type:blk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.27.1/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rlogind.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rlogind.te 2005-10-27 00:08:05.000000000 -0400
@@ -35,4 +35,6 @@
allow rlogind_t default_t:dir search;
typealias rlogind_port_t alias rlogin_port_t;
@@ -2017,7 +2382,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te
--- nsapolicy/domains/program/unused/roundup.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/roundup.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/roundup.te 2005-10-27 00:08:05.000000000 -0400
@@ -0,0 +1,29 @@
+# Roundup Issue Tracking System
+#
@@ -2050,7 +2415,7 @@
+allow roundup_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpcd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpcd.te 2005-10-27 00:08:05.000000000 -0400
@@ -19,7 +19,7 @@
can_network($1_t)
allow $1_t port_type:tcp_socket name_connect;
@@ -2084,7 +2449,7 @@
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.27.1/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rpm.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpm.te 2005-10-27 00:08:05.000000000 -0400
@@ -10,7 +10,7 @@
# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
# rpm_var_lib_t is the type for rpm files in /var/lib
@@ -2105,7 +2470,7 @@
uses_shlib(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.1/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/rsync.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rsync.te 2005-10-27 00:08:05.000000000 -0400
@@ -15,5 +15,4 @@
type rsync_data_t, file_type, sysadmfile;
r_dir_file(rsync_t, rsync_data_t)
@@ -2115,7 +2480,7 @@
+allow rsync_t self:capability sys_chroot;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/samba.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/samba.te 2005-10-27 00:08:05.000000000 -0400
@@ -25,6 +25,9 @@
# not sure why it needs this
tmp_domain(smbd)
@@ -2152,7 +2517,7 @@
# Access Samba shares.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.27.1/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/sendmail.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/sendmail.te 2005-10-27 00:08:05.000000000 -0400
@@ -13,9 +13,6 @@
# daemon started by the init rc scripts.
#
@@ -2165,7 +2530,7 @@
tmp_domain(sendmail)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/snmpd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/snmpd.te 2005-10-27 00:08:05.000000000 -0400
@@ -22,8 +22,9 @@
# for the .index file
@@ -2195,7 +2560,7 @@
dontaudit snmpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.27.1/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/spamd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/spamd.te 2005-10-27 00:08:05.000000000 -0400
@@ -52,20 +52,4 @@
allow spamd_t urandom_device_t:chr_file { getattr read };
@@ -2220,7 +2585,7 @@
+ifdef(`targeted_policy', `home_domain_ro_access(spamd_t, user)')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/squid.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/squid.te 2005-10-27 00:08:05.000000000 -0400
@@ -60,7 +60,7 @@
can_tcp_connect(web_client_domain, squid_t)
@@ -2238,7 +2603,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/udev.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/udev.te 2005-10-27 00:08:05.000000000 -0400
@@ -28,12 +28,12 @@
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
@@ -2270,7 +2635,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.27.1/domains/program/unused/utempter.te
--- nsapolicy/domains/program/unused/utempter.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/utempter.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/utempter.te 2005-10-27 00:08:05.000000000 -0400
@@ -19,6 +19,8 @@
type utempter_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
@@ -2282,7 +2647,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.1/domains/program/unused/webalizer.te
--- nsapolicy/domains/program/unused/webalizer.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/webalizer.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/webalizer.te 2005-10-27 00:08:05.000000000 -0400
@@ -20,6 +20,9 @@
#read apache log
allow webalizer_t var_log_t:dir r_dir_perms;
@@ -2295,7 +2660,7 @@
var_lib_domain(webalizer)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/winbind.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/winbind.te 2005-10-27 00:08:05.000000000 -0400
@@ -44,6 +44,7 @@
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
@@ -2306,7 +2671,7 @@
allow winbind_helper_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/xdm.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/xdm.te 2005-10-27 00:08:05.000000000 -0400
@@ -371,3 +371,6 @@
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
@@ -2316,7 +2681,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.1/domains/program/unused/yppasswdd.te
--- nsapolicy/domains/program/unused/yppasswdd.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/domains/program/unused/yppasswdd.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/yppasswdd.te 2005-10-27 00:08:05.000000000 -0400
@@ -0,0 +1,40 @@
+#DESC yppassdd - NIS password update daemon
+#
@@ -2360,7 +2725,7 @@
+rw_dir_create_file(yppasswdd_t, var_yp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.27.1/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ypserv.te 2005-10-24 10:26:42.000000000 -0400
++++ policy-1.27.1/domains/program/unused/ypserv.te 2005-10-27 00:08:05.000000000 -0400
@@ -39,3 +39,4 @@
')
allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
@@ -2533,19 +2898,17 @@
+/var/run/openct(/.*)? system_u:object_r:openct_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.1/file_contexts/program/pegasus.fc
--- nsapolicy/file_contexts/program/pegasus.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.1/file_contexts/program/pegasus.fc 2005-10-24 10:17:29.000000000 -0400
-@@ -0,0 +1,11 @@
++++ policy-1.27.1/file_contexts/program/pegasus.fc 2005-10-27 00:12:16.000000000 -0400
+@@ -0,0 +1,9 @@
+# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
+/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t
-+/usr/sbin/cimconfig -- system_u:object_r:pegasus_conf_exec_t
-+/usr/sbin/cimuser -- system_u:object_r:pegasus_conf_exec_t
-+/usr/sbin/cimauth -- system_u:object_r:pegasus_conf_exec_t
+/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t
-+/usr/lib(64)?/Pegasus/providers/.*\.so.* system_u:object_r:shlib_t
+/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t
+/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t
+/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t
+/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t
++/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t
++
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.27.1/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc 2005-09-16 11:17:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/pppd.fc 2005-10-24 10:17:29.000000000 -0400
@@ -2671,7 +3034,7 @@
genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/base_user_macros.te 2005-10-24 10:34:26.000000000 -0400
++++ policy-1.27.1/macros/base_user_macros.te 2005-10-27 00:11:22.000000000 -0400
@@ -40,6 +40,12 @@
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
can_setfscreate($1_t)
@@ -2685,14 +3048,14 @@
allow $1_t self:capability { setgid chown fowner };
dontaudit $1_t self:capability { sys_nice fsetid };
-@@ -182,6 +188,7 @@
- ifdef(`ssh.te', `ssh_domain($1)')
- ifdef(`irc.te', `irc_domain($1)')
- ifdef(`using_spamassassin', `spamassassin_domain($1)')
-+ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')
- ifdef(`pyzor.te', `pyzor_domain($1)')
- ifdef(`razor.te', `razor_domain($1)')
- ifdef(`uml.te', `uml_domain($1)')
+@@ -167,6 +173,7 @@
+ ifdef(`chkpwd.te', `chkpwd_domain($1)')
+ ifdef(`fingerd.te', `fingerd_macro($1)')
+ ifdef(`mta.te', `mail_domain($1)')
++ifdef(`exim.te', `exim_user_domain($1)')
+ ifdef(`crontab.te', `crontab_domain($1)')
+
+ ifdef(`screen.te', `screen_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.27.1/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2005-09-16 11:17:27.000000000 -0400
+++ policy-1.27.1/macros/core_macros.te 2005-10-24 10:34:26.000000000 -0400
@@ -2741,7 +3104,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/global_macros.te 2005-10-24 10:34:26.000000000 -0400
++++ policy-1.27.1/macros/global_macros.te 2005-10-27 00:10:52.000000000 -0400
@@ -157,6 +157,11 @@
r_dir_file($1, locale_t)
')
@@ -2831,6 +3194,13 @@
# Perform certain system operations that lacked individual capabilities.
allow $1 kernel_t:system *;
+@@ -750,4 +761,6 @@
+ allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
+ allow $1 self:capability { audit_write audit_control };
+ dontaudit $1 shadow_t:file { getattr read };
++allow $1 sbin_t:dir search;
++allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.1/macros/home_macros.te
--- nsapolicy/macros/home_macros.te 2005-09-16 11:17:27.000000000 -0400
+++ policy-1.27.1/macros/home_macros.te 2005-10-24 10:34:26.000000000 -0400
@@ -2966,7 +3336,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.27.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-09-16 11:17:27.000000000 -0400
-+++ policy-1.27.1/macros/program/chkpwd_macros.te 2005-10-24 10:34:16.000000000 -0400
++++ policy-1.27.1/macros/program/chkpwd_macros.te 2005-10-27 00:09:27.000000000 -0400
@@ -19,6 +19,9 @@
role $1_r types $1_chkpwd_t;
@@ -2977,6 +3347,22 @@
# is_selinux_enabled
allow $1_chkpwd_t proc_t:file read;
+@@ -27,15 +30,10 @@
+
+ ifelse($1, system, `
+ domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
+-allow auth_chkpwd sbin_t:dir search;
+-allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-
+ dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+ authentication_domain(auth_chkpwd)
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+-allow $1_t sbin_t:dir search;
+-allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ # Write to the user domain tty.
+ access_terminal($1_chkpwd_t, $1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crontab_macros.te policy-1.27.1/macros/program/crontab_macros.te
--- nsapolicy/macros/program/crontab_macros.te 2005-09-16 11:17:27.000000000 -0400
+++ policy-1.27.1/macros/program/crontab_macros.te 2005-10-24 10:34:16.000000000 -0400
@@ -3200,6 +3586,14 @@
allow $1 xdm_t:fifo_file { getattr read write ioctl };
+')
') dnl can_pipe_xdm
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.27.1/macros/program/ypbind_macros.te
+--- nsapolicy/macros/program/ypbind_macros.te 2005-09-16 11:17:27.000000000 -0400
++++ policy-1.27.1/macros/program/ypbind_macros.te 2005-10-27 00:09:43.000000000 -0400
+@@ -1,4 +1,3 @@
+-
+ define(`uncond_can_ypbind', `
+ can_network($1)
+ r_dir_file($1,var_yp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.1/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-09-16 11:17:27.000000000 -0400
+++ policy-1.27.1/macros/user_macros.te 2005-10-24 10:34:26.000000000 -0400
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/selinux-policy-targeted.spec,v
retrieving revision 1.346
retrieving revision 1.347
diff -u -r1.346 -r1.347
--- selinux-policy-targeted.spec 24 Oct 2005 14:39:55 -0000 1.346
+++ selinux-policy-targeted.spec 27 Oct 2005 04:15:26 -0000 1.347
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.1
-Release: 2.10
+Release: 2.11
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -236,6 +236,9 @@
exit 0
%changelog
+* Thu Oct 27 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.11
+- Fix disable_postfix_trans boolean
+
* Mon Oct 24 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-2.10
- Update to match Rawhide
More information about the fedora-cvs-commits
mailing list