rpms/selinux-policy-strict/devel policy-20051021.patch, 1.6, 1.7 selinux-policy-strict.spec, 1.405, 1.406
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Oct 27 14:28:29 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6354
Modified Files:
policy-20051021.patch selinux-policy-strict.spec
Log Message:
* Wed Oct 26 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-6
- Allow restorecon access to devpts on targetd machines
- Fix setrans.conf on strict policy
policy-20051021.patch:
Makefile | 14 -
attrib.te | 18 +
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/fsadm.te | 2
domains/program/ifconfig.te | 2
domains/program/init.te | 2
domains/program/initrc.te | 13 +
domains/program/logrotate.te | 2
domains/program/modutil.te | 8
domains/program/newrole.te | 4
domains/program/restorecon.te | 4
domains/program/setfiles.te | 2
domains/program/ssh.te | 2
domains/program/su.te | 4
domains/program/syslogd.te | 4
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 10 +
domains/program/unused/amanda.te | 21 +-
domains/program/unused/apache.te | 15 +
domains/program/unused/apmd.te | 13 +
domains/program/unused/auditd.te | 6
domains/program/unused/bluetooth.te | 57 +++++
domains/program/unused/cups.te | 11 -
domains/program/unused/dbusd.te | 2
domains/program/unused/dhcpc.te | 3
domains/program/unused/dhcpd.te | 3
domains/program/unused/exim.te | 309 +++++++++++++++++++++++++++++++
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 3
domains/program/unused/mysqld.te | 6
domains/program/unused/named.te | 17 +
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 16 +
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 50 +++--
domains/program/unused/postgresql.te | 11 -
domains/program/unused/pppd.te | 22 +-
domains/program/unused/rpcd.te | 16 +
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 3
domains/program/unused/sendmail.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/spamd.te | 18 -
domains/program/unused/udev.te | 8
domains/program/unused/webalizer.te | 3
domains/program/unused/xdm.te | 2
domains/program/unused/yppasswdd.te | 40 ++++
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 2
file_contexts/program/backup.fc | 2
file_contexts/program/bluetooth.fc | 2
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 5
file_contexts/program/exim.fc | 18 +
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 3
file_contexts/program/kudzu.fc | 2
file_contexts/program/pegasus.fc | 6
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/squid.fc | 3
file_contexts/program/yppasswdd.fc | 2
file_contexts/types.fc | 4
genfs_contexts | 1
macros/base_user_macros.te | 7
macros/global_macros.te | 25 --
macros/home_macros.te | 9
macros/program/chkpwd_macros.te | 7
macros/program/dbusd_macros.te | 1
macros/program/exim_macros.te | 75 +++++++
macros/program/su_macros.te | 2
macros/program/ypbind_macros.te | 1
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +
man/man8/httpd_selinux.8 | 9
man/man8/rsync_selinux.8 | 12 -
man/man8/samba_selinux.8 | 9
mcs | 194 ++++++-------------
mls | 227 ++++++++--------------
targeted/assert.te | 2
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 2
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 7
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 43 +---
types/network.te | 10 -
types/nfs.te | 1
types/security.te | 2
98 files changed, 1026 insertions(+), 505 deletions(-)
Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20051021.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20051021.patch 27 Oct 2005 04:03:24 -0000 1.6
+++ policy-20051021.patch 27 Oct 2005 14:28:26 -0000 1.7
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.27.2/attrib.te
--- nsapolicy/attrib.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/attrib.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/attrib.te 2005-10-27 00:01:04.000000000 -0400
@@ -28,7 +28,8 @@
#
# Grant MLS read access to files not dominated by the process Effective SL
@@ -63,7 +63,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.27.2/domains/admin.te
--- nsapolicy/domains/admin.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/admin.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/admin.te 2005-10-27 00:01:04.000000000 -0400
@@ -4,7 +4,7 @@
# sysadm_t is the system administrator domain.
@@ -75,7 +75,7 @@
allow privhome home_root_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.2/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.2/domains/misc/kernel.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/misc/kernel.te 2005-10-27 00:01:04.000000000 -0400
@@ -30,7 +30,7 @@
ifdef(`mls_policy', `
@@ -87,7 +87,7 @@
# Share state with the init process.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.2/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/fsadm.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/fsadm.te 2005-10-27 00:01:04.000000000 -0400
@@ -12,7 +12,7 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
@@ -99,7 +99,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.2/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/ifconfig.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/ifconfig.te 2005-10-27 00:01:04.000000000 -0400
@@ -61,7 +61,7 @@
# ifconfig attempts to search some sysctl entries.
# Do not audit those attempts; comment out these rules if it is desired to
@@ -111,7 +111,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.2/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/initrc.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/initrc.te 2005-10-27 00:01:04.000000000 -0400
@@ -12,7 +12,7 @@
# initrc_exec_t is the type of the init program.
#
@@ -152,7 +152,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.27.2/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/init.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/init.te 2005-10-27 00:01:04.000000000 -0400
@@ -14,7 +14,7 @@
# by init during initialization. This pipe is used
# to communicate with init.
@@ -164,7 +164,7 @@
type init_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.27.2/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/logrotate.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/logrotate.te 2005-10-27 00:01:04.000000000 -0400
@@ -13,7 +13,7 @@
# logrotate_t is the domain for the logrotate program.
# logrotate_exec_t is the type of the corresponding program.
@@ -176,7 +176,7 @@
uses_shlib(logrotate_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.2/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/modutil.te 2005-10-21 13:31:27.000000000 -0400
++++ policy-1.27.2/domains/program/modutil.te 2005-10-27 00:01:04.000000000 -0400
@@ -82,7 +82,6 @@
bool secure_mode_insmod false;
@@ -216,7 +216,7 @@
rw_dir_create_file(system_crond_t, var_log_ksyms_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/newrole.te policy-1.27.2/domains/program/newrole.te
--- nsapolicy/domains/program/newrole.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/newrole.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/newrole.te 2005-10-27 00:01:04.000000000 -0400
@@ -18,3 +18,7 @@
allow newrole_t initrc_var_run_t:file rw_file_perms;
@@ -227,15 +227,18 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.2/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/restorecon.te 2005-10-21 12:55:51.000000000 -0400
-@@ -63,3 +63,4 @@
++++ policy-1.27.2/domains/program/restorecon.te 2005-10-27 10:02:06.000000000 -0400
+@@ -63,3 +63,7 @@
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
+allow restorecon_t autofs_t:dir search;
++ifdef(`targeted_policy', `
++allow restorecon_t devpts_t:chr_file getattr;
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.2/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/setfiles.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/setfiles.te 2005-10-27 00:01:04.000000000 -0400
@@ -12,7 +12,7 @@
#
# needs auth_write attribute because it has relabelfrom/relabelto
@@ -247,7 +250,7 @@
role system_r types setfiles_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.2/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/ssh.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/ssh.te 2005-10-27 00:01:04.000000000 -0400
@@ -233,5 +233,5 @@
allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
@@ -257,7 +260,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.2/domains/program/su.te
--- nsapolicy/domains/program/su.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/su.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/su.te 2005-10-27 00:01:04.000000000 -0400
@@ -15,7 +15,9 @@
ifdef(`use_mcs', `
@@ -271,7 +274,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.2/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/syslogd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/syslogd.te 2005-10-27 00:01:04.000000000 -0400
@@ -14,9 +14,9 @@
# by syslogd.
#
@@ -286,7 +289,7 @@
# can_network is for the UDP socket
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.27.2/domains/program/tmpreaper.te
--- nsapolicy/domains/program/tmpreaper.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/tmpreaper.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/tmpreaper.te 2005-10-27 00:01:04.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the tmpreaper_t domain.
@@ -298,7 +301,7 @@
role system_r types tmpreaper_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.2/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/amanda.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/amanda.te 2005-10-27 00:01:04.000000000 -0400
@@ -132,7 +132,8 @@
allow amanda_t self:capability { chown dac_override setuid };
@@ -360,7 +363,7 @@
############################
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.2/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/apache.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/apache.te 2005-10-27 00:01:04.000000000 -0400
@@ -225,7 +225,7 @@
# Creation of lock files for apache2
lock_domain(httpd)
@@ -409,7 +412,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.2/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/apmd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/apmd.te 2005-10-27 00:01:04.000000000 -0400
@@ -147,4 +147,15 @@
')dnl end if logrotate.te
allow apmd_t devpts_t:dir { getattr search };
@@ -429,7 +432,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.2/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/auditd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/auditd.te 2005-10-27 00:01:04.000000000 -0400
@@ -12,6 +12,12 @@
daemon_domain(auditd)
@@ -445,7 +448,7 @@
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.2/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/bluetooth.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/bluetooth.te 2005-10-27 00:01:04.000000000 -0400
@@ -14,8 +14,10 @@
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
@@ -529,7 +532,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.2/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/cups.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/cups.te 2005-10-27 00:01:04.000000000 -0400
@@ -48,7 +48,7 @@
# this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
@@ -570,7 +573,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.2/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/dbusd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dbusd.te 2005-10-27 00:01:04.000000000 -0400
@@ -24,4 +24,4 @@
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:unix_stream_socket connectto;
@@ -579,7 +582,7 @@
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.2/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/dhcpc.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dhcpc.te 2005-10-27 00:01:04.000000000 -0400
@@ -120,6 +120,7 @@
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
@@ -596,7 +599,7 @@
+allow dhcpc_t locale_t:file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.2/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/dhcpd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dhcpd.te 2005-10-27 00:01:04.000000000 -0400
@@ -17,8 +17,6 @@
#
daemon_domain(dhcpd, `, nscd_client_domain')
@@ -616,7 +619,7 @@
allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.2/domains/program/unused/exim.te
--- nsapolicy/domains/program/unused/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/domains/program/unused/exim.te 2005-10-26 17:05:10.000000000 -0400
++++ policy-1.27.2/domains/program/unused/exim.te 2005-10-27 00:01:04.000000000 -0400
@@ -0,0 +1,309 @@
+#DESC Exim - Mail server
+#
@@ -929,7 +932,7 @@
+rw_dir_file(exim_db_rw_t, exim_spool_db_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.27.2/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ftpd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ftpd.te 2005-10-27 00:01:04.000000000 -0400
@@ -99,9 +99,11 @@
if (ftp_home_dir) {
@@ -946,7 +949,7 @@
r_dir_file(ftpd_t, nfs_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.2/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/hald.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/hald.te 2005-10-27 00:01:04.000000000 -0400
@@ -24,7 +24,8 @@
allow hald_t self:dbus send_msg;
')
@@ -965,7 +968,7 @@
+r_dir_file(hald_t, hwdata_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.2/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/hotplug.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/hotplug.te 2005-10-27 00:01:04.000000000 -0400
@@ -11,9 +11,9 @@
# hotplug_exec_t is the type of the hotplug executable.
#
@@ -988,7 +991,7 @@
allow hotplug_t printer_device_t:chr_file setattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.27.2/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ipsec.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ipsec.te 2005-10-27 00:01:04.000000000 -0400
@@ -219,7 +219,7 @@
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
dontaudit ipsec_t ttyfile:chr_file { read write };
@@ -1000,7 +1003,7 @@
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.2/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/kudzu.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/kudzu.te 2005-10-27 00:01:04.000000000 -0400
@@ -64,6 +64,7 @@
allow kudzu_t lib_t:file { read getattr };
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
@@ -1020,7 +1023,7 @@
allow kudzu_t initrc_t:unix_stream_socket connectto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.2/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/mysqld.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/mysqld.te 2005-10-27 00:01:04.000000000 -0400
@@ -33,14 +33,14 @@
allow initrc_t mysqld_log_t:file { write append setattr ioctl };
@@ -1041,7 +1044,7 @@
can_ypbind(mysqld_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.27.2/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/named.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/named.te 2005-10-27 00:01:04.000000000 -0400
@@ -36,7 +36,7 @@
allow named_t self:process { setsched setcap setrlimit };
@@ -1075,7 +1078,7 @@
type ndc_exec_t, file_type,sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.2/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/NetworkManager.te 2005-10-21 13:27:19.000000000 -0400
++++ policy-1.27.2/domains/program/unused/NetworkManager.te 2005-10-27 00:01:04.000000000 -0400
@@ -91,7 +91,12 @@
allow NetworkManager_t howl_t:process signal;
allow NetworkManager_t initrc_var_run_t:file { getattr read };
@@ -1100,7 +1103,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.27.2/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/nscd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/nscd.te 2005-10-27 00:01:04.000000000 -0400
@@ -76,3 +76,4 @@
log_domain(nscd)
r_dir_file(nscd_t, cert_t)
@@ -1108,7 +1111,7 @@
+allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.2/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ntpd.te 2005-10-24 17:30:44.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ntpd.te 2005-10-27 00:01:04.000000000 -0400
@@ -27,11 +27,10 @@
allow ntpd_t urandom_device_t:chr_file { getattr read };
@@ -1125,7 +1128,7 @@
tmp_domain(ntpd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.2/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pamconsole.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pamconsole.te 2005-10-27 00:01:04.000000000 -0400
@@ -3,7 +3,7 @@
#
# pam_console_apply
@@ -1137,7 +1140,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.2/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te 2005-10-20 15:53:02.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pegasus.te 2005-10-24 14:13:31.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pegasus.te 2005-10-27 00:01:04.000000000 -0400
@@ -7,17 +7,20 @@
#
# Rules for the pegasus domain
@@ -1176,7 +1179,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.2/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/ping.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/ping.te 2005-10-27 00:01:04.000000000 -0400
@@ -58,6 +58,6 @@
dontaudit ping_t devtty_t:chr_file { read write };
dontaudit ping_t self:capability sys_tty_config;
@@ -1187,7 +1190,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.2/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/postfix.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/postfix.te 2005-10-27 00:01:04.000000000 -0400
@@ -54,6 +54,8 @@
allow postfix_$1_t proc_net_t:dir search;
allow postfix_$1_t proc_net_t:file { getattr read };
@@ -1343,7 +1346,7 @@
-allow postfix_local_t mail_spool_t:file { unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.27.2/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/postgresql.te 2005-10-26 17:02:37.000000000 -0400
++++ policy-1.27.2/domains/program/unused/postgresql.te 2005-10-27 00:01:04.000000000 -0400
@@ -51,7 +51,6 @@
# Use the network.
@@ -1373,7 +1376,7 @@
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.2/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pppd.te 2005-10-26 15:40:43.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pppd.te 2005-10-27 00:01:04.000000000 -0400
@@ -14,7 +14,7 @@
#
bool pppd_for_user false;
@@ -1451,7 +1454,7 @@
+allow pppd_t initrc_t:process noatsecure;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.27.2/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/rpcd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/rpcd.te 2005-10-27 00:01:04.000000000 -0400
@@ -148,6 +148,20 @@
allow gssd_t rpc_pipefs_t:dir r_dir_perms;
allow gssd_t rpc_pipefs_t:sock_file { read write };
@@ -1476,7 +1479,7 @@
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.27.2/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/rpm.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/rpm.te 2005-10-27 00:01:04.000000000 -0400
@@ -10,7 +10,7 @@
# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
# rpm_var_lib_t is the type for rpm files in /var/lib
@@ -1497,7 +1500,7 @@
uses_shlib(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.2/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/rsync.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/rsync.te 2005-10-27 00:01:04.000000000 -0400
@@ -15,5 +15,4 @@
type rsync_data_t, file_type, sysadmfile;
r_dir_file(rsync_t, rsync_data_t)
@@ -1507,7 +1510,7 @@
+allow rsync_t self:capability sys_chroot;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.2/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/samba.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/samba.te 2005-10-27 00:01:04.000000000 -0400
@@ -78,9 +78,10 @@
dontaudit smbd_t samba_log_t:dir remove_name;
@@ -1522,7 +1525,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.27.2/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/sendmail.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/sendmail.te 2005-10-27 00:01:04.000000000 -0400
@@ -13,9 +13,6 @@
# daemon started by the init rc scripts.
#
@@ -1535,7 +1538,7 @@
tmp_domain(sendmail)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.2/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/snmpd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/snmpd.te 2005-10-27 00:01:04.000000000 -0400
@@ -80,5 +80,6 @@
allow snmpd_t domain:dir { getattr search };
@@ -1545,7 +1548,7 @@
dontaudit snmpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.27.2/domains/program/unused/spamd.te
--- nsapolicy/domains/program/unused/spamd.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/spamd.te 2005-10-24 09:50:10.000000000 -0400
++++ policy-1.27.2/domains/program/unused/spamd.te 2005-10-27 00:01:04.000000000 -0400
@@ -52,20 +52,4 @@
allow spamd_t urandom_device_t:chr_file { getattr read };
@@ -1570,7 +1573,7 @@
+ifdef(`targeted_policy', `home_domain_ro_access(spamd_t, user)')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.2/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/udev.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/udev.te 2005-10-27 00:01:04.000000000 -0400
@@ -28,12 +28,12 @@
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
@@ -1597,7 +1600,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.2/domains/program/unused/webalizer.te
--- nsapolicy/domains/program/unused/webalizer.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/webalizer.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/webalizer.te 2005-10-27 00:01:04.000000000 -0400
@@ -20,6 +20,9 @@
#read apache log
allow webalizer_t var_log_t:dir r_dir_perms;
@@ -1610,7 +1613,7 @@
var_lib_domain(webalizer)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.2/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/xdm.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/xdm.te 2005-10-27 00:01:04.000000000 -0400
@@ -372,5 +372,5 @@
#### Also see xdm_macros.te
@@ -1620,7 +1623,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.2/domains/program/unused/yppasswdd.te
--- nsapolicy/domains/program/unused/yppasswdd.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/domains/program/unused/yppasswdd.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/yppasswdd.te 2005-10-27 00:01:04.000000000 -0400
@@ -0,0 +1,40 @@
+#DESC yppassdd - NIS password update daemon
+#
@@ -1664,7 +1667,7 @@
+rw_dir_create_file(yppasswdd_t, var_yp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.27.2/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/distros.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/distros.fc 2005-10-27 00:01:04.000000000 -0400
@@ -89,6 +89,7 @@
/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
@@ -1675,7 +1678,7 @@
/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.27.2/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/apache.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/apache.fc 2005-10-27 00:01:04.000000000 -0400
@@ -9,6 +9,8 @@
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
@@ -1687,7 +1690,7 @@
/etc/httpd/logs system_u:object_r:httpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/backup.fc policy-1.27.2/file_contexts/program/backup.fc
--- nsapolicy/file_contexts/program/backup.fc 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/backup.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/backup.fc 2005-10-27 00:01:04.000000000 -0400
@@ -3,4 +3,4 @@
# calls tar) in backup_exec_t and label the directory for storing them as
# backup_store_t, Debian uses /var/backups
@@ -1696,7 +1699,7 @@
+/var/backups(/.*)? system_u:object_r:backup_store_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.2/file_contexts/program/bluetooth.fc
--- nsapolicy/file_contexts/program/bluetooth.fc 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/bluetooth.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/bluetooth.fc 2005-10-27 00:01:04.000000000 -0400
@@ -7,3 +7,5 @@
/usr/sbin/hciattach -- system_u:object_r:bluetooth_exec_t
/var/run/sdp -s system_u:object_r:bluetooth_var_run_t
@@ -1705,7 +1708,7 @@
+/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.2/file_contexts/program/dhcpc.fc
--- nsapolicy/file_contexts/program/dhcpc.fc 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/dhcpc.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/dhcpc.fc 2005-10-27 00:01:04.000000000 -0400
@@ -8,6 +8,7 @@
/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
@@ -1716,7 +1719,7 @@
# pump
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.27.2/file_contexts/program/dhcpd.fc
--- nsapolicy/file_contexts/program/dhcpd.fc 2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/dhcpd.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/dhcpd.fc 2005-10-27 00:01:04.000000000 -0400
@@ -2,10 +2,10 @@
/etc/dhcpd\.conf -- system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t
@@ -1740,7 +1743,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/exim.fc policy-1.27.2/file_contexts/program/exim.fc
--- nsapolicy/file_contexts/program/exim.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/file_contexts/program/exim.fc 2005-10-25 08:20:26.000000000 -0400
++++ policy-1.27.2/file_contexts/program/exim.fc 2005-10-27 00:01:04.000000000 -0400
@@ -0,0 +1,18 @@
+# exim
+/usr/sbin/exicyclog -- system_u:object_r:exicyclog_exec_t
@@ -1762,7 +1765,7 @@
+/var/log/exim(/.*)? system_u:object_r:exim_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.27.2/file_contexts/program/ftpd.fc
--- nsapolicy/file_contexts/program/ftpd.fc 2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/ftpd.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/ftpd.fc 2005-10-27 00:01:04.000000000 -0400
@@ -10,7 +10,8 @@
/var/run/proftpd/proftpd\.scoreboard -- system_u:object_r:ftpd_var_run_t
/var/log/muddleftpd\.log.* -- system_u:object_r:xferlog_t
@@ -1776,7 +1779,7 @@
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/games.fc policy-1.27.2/file_contexts/program/games.fc
--- nsapolicy/file_contexts/program/games.fc 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/games.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/games.fc 2005-10-27 00:01:04.000000000 -0400
@@ -1,5 +1,5 @@
# games
-/usr/lib/games/.* -- system_u:object_r:games_exec_t
@@ -1791,7 +1794,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kudzu.fc policy-1.27.2/file_contexts/program/kudzu.fc
--- nsapolicy/file_contexts/program/kudzu.fc 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/kudzu.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/kudzu.fc 2005-10-27 00:01:04.000000000 -0400
@@ -1,4 +1,4 @@
# kudzu
-/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
@@ -1800,7 +1803,7 @@
/var/run/Xconfig -- root:object_r:kudzu_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.2/file_contexts/program/pegasus.fc
--- nsapolicy/file_contexts/program/pegasus.fc 2005-10-20 15:53:02.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/pegasus.fc 2005-10-24 11:27:17.000000000 -0400
++++ policy-1.27.2/file_contexts/program/pegasus.fc 2005-10-27 00:01:04.000000000 -0400
@@ -1,11 +1,9 @@
# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t
@@ -1817,7 +1820,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rshd.fc policy-1.27.2/file_contexts/program/rshd.fc
--- nsapolicy/file_contexts/program/rshd.fc 2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/rshd.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/rshd.fc 2005-10-27 00:01:04.000000000 -0400
@@ -1,3 +1,4 @@
# rshd.
/usr/sbin/in\.rshd -- system_u:object_r:rshd_exec_t
@@ -1825,7 +1828,7 @@
/usr/kerberos/sbin/kshd -- system_u:object_r:rshd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rsync.fc policy-1.27.2/file_contexts/program/rsync.fc
--- nsapolicy/file_contexts/program/rsync.fc 2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/rsync.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/rsync.fc 2005-10-27 00:01:04.000000000 -0400
@@ -1,3 +1,3 @@
# rsync program
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
@@ -1833,7 +1836,7 @@
+/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/squid.fc policy-1.27.2/file_contexts/program/squid.fc
--- nsapolicy/file_contexts/program/squid.fc 2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/squid.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/squid.fc 2005-10-27 00:01:04.000000000 -0400
@@ -6,3 +6,6 @@
/etc/squid(/.*)? system_u:object_r:squid_conf_t
/var/run/squid\.pid -- system_u:object_r:squid_var_run_t
@@ -1843,13 +1846,13 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/yppasswdd.fc policy-1.27.2/file_contexts/program/yppasswdd.fc
--- nsapolicy/file_contexts/program/yppasswdd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/file_contexts/program/yppasswdd.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/program/yppasswdd.fc 2005-10-27 00:01:04.000000000 -0400
@@ -0,0 +1,2 @@
+# yppasswd
+/usr/sbin/rpc.yppasswdd -- system_u:object_r:yppasswdd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.2/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.2/file_contexts/types.fc 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/file_contexts/types.fc 2005-10-27 00:01:04.000000000 -0400
@@ -133,6 +133,7 @@
/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
@@ -1874,7 +1877,7 @@
+/etc/sysconfig/network-scripts/ifdown-.* -- system_u:object_r:bin_t
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.2/genfs_contexts
--- nsapolicy/genfs_contexts 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/genfs_contexts 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/genfs_contexts 2005-10-27 00:01:04.000000000 -0400
@@ -95,6 +95,7 @@
genfscon inotifyfs / system_u:object_r:inotifyfs_t
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t
@@ -1885,7 +1888,7 @@
genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.2/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-09-16 11:17:11.000000000 -0400
-+++ policy-1.27.2/macros/base_user_macros.te 2005-10-25 08:44:42.000000000 -0400
++++ policy-1.27.2/macros/base_user_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -40,6 +40,12 @@
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
can_setfscreate($1_t)
@@ -1909,7 +1912,7 @@
ifdef(`screen.te', `screen_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.2/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/global_macros.te 2005-10-25 18:08:49.000000000 -0400
++++ policy-1.27.2/macros/global_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -325,27 +325,13 @@
') dnl transitionbool
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
@@ -1978,7 +1981,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.2/macros/home_macros.te
--- nsapolicy/macros/home_macros.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/macros/home_macros.te 2005-10-24 11:12:50.000000000 -0400
++++ policy-1.27.2/macros/home_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -68,7 +68,11 @@
define(`home_domain_ro_access', `
allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
@@ -2006,7 +2009,7 @@
####################################################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.27.2/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/chkpwd_macros.te 2005-10-25 17:34:24.000000000 -0400
++++ policy-1.27.2/macros/program/chkpwd_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -22,21 +22,18 @@
# read /selinux/mls
allow $1_chkpwd_t security_t:dir search;
@@ -2033,7 +2036,7 @@
access_terminal($1_chkpwd_t, $1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.27.2/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/dbusd_macros.te 2005-10-23 17:25:28.000000000 -0400
++++ policy-1.27.2/macros/program/dbusd_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -41,6 +41,7 @@
can_getsecurity($1_dbusd_t)
r_dir_file($1_dbusd_t, default_context_t)
@@ -2044,7 +2047,7 @@
r_dir_file($1_dbusd_t, pam_var_console_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/exim_macros.te policy-1.27.2/macros/program/exim_macros.te
--- nsapolicy/macros/program/exim_macros.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/macros/program/exim_macros.te 2005-10-25 08:31:03.000000000 -0400
++++ policy-1.27.2/macros/program/exim_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -0,0 +1,75 @@
+#DESC Exim - Mail server
+#
@@ -2123,7 +2126,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.2/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/su_macros.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/macros/program/su_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -68,7 +68,7 @@
')
@@ -2135,7 +2138,7 @@
# Caused by su - init scripts
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.27.2/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/macros/program/ypbind_macros.te 2005-10-26 16:35:21.000000000 -0400
++++ policy-1.27.2/macros/program/ypbind_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -1,4 +1,3 @@
-
define(`uncond_can_ypbind', `
@@ -2143,7 +2146,7 @@
r_dir_file($1,var_yp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.2/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/user_macros.te 2005-10-24 09:51:46.000000000 -0400
++++ policy-1.27.2/macros/user_macros.te 2005-10-27 00:01:04.000000000 -0400
@@ -122,6 +122,7 @@
ifelse($1, sysadm, `',`
ifdef(`apache.te', `apache_user_domain($1)')
@@ -2154,7 +2157,7 @@
ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.2/Makefile
--- nsapolicy/Makefile 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/Makefile 2005-10-26 22:42:44.000000000 -0400
++++ policy-1.27.2/Makefile 2005-10-27 00:01:04.000000000 -0400
@@ -27,7 +27,7 @@
GENHOMEDIRCON = $(SBINDIR)/genhomedircon
SETFILES = $(SBINDIR)/setfiles
@@ -2201,7 +2204,7 @@
@echo "Enabling MCS in the Makefile"
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.27.2/man/man8/ftpd_selinux.8
--- nsapolicy/man/man8/ftpd_selinux.8 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/ftpd_selinux.8 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/man/man8/ftpd_selinux.8 2005-10-27 00:01:04.000000000 -0400
@@ -8,23 +8,24 @@
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
@@ -2238,7 +2241,7 @@
SELinux ftp daemon policy is customizable based on least access required. So by
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.27.2/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/httpd_selinux.8 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/man/man8/httpd_selinux.8 2005-10-27 00:01:04.000000000 -0400
@@ -45,6 +45,15 @@
.SH NOTE
With certain policies you can define addional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
@@ -2257,7 +2260,7 @@
default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.27.2/man/man8/rsync_selinux.8
--- nsapolicy/man/man8/rsync_selinux.8 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/rsync_selinux.8 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/man/man8/rsync_selinux.8 2005-10-27 00:01:04.000000000 -0400
@@ -8,16 +8,22 @@
.SH FILE_CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
@@ -2286,7 +2289,7 @@
.TP
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.27.2/man/man8/samba_selinux.8
--- nsapolicy/man/man8/samba_selinux.8 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/man/man8/samba_selinux.8 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/man/man8/samba_selinux.8 2005-10-27 00:01:04.000000000 -0400
@@ -20,6 +20,11 @@
.br
/var/eng(/.*)? system_u:object_r:samba_share_t
@@ -2312,7 +2315,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.2/mcs
--- nsapolicy/mcs 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/mcs 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/mcs 2005-10-27 00:01:04.000000000 -0400
@@ -18,141 +18,77 @@
#
# Each category has a name and zero or more aliases.
@@ -2522,7 +2525,7 @@
# Define the MCS policy
diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.27.2/mls
--- nsapolicy/mls 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/mls 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/mls 2005-10-27 00:01:04.000000000 -0400
@@ -13,12 +13,17 @@
sensitivity s7;
sensitivity s8;
@@ -2776,7 +2779,7 @@
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.27.2/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-09-16 11:17:12.000000000 -0400
-+++ policy-1.27.2/targeted/assert.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/targeted/assert.te 2005-10-27 00:01:04.000000000 -0400
@@ -22,7 +22,7 @@
# Confined domains must never touch an unconfined domain except to
@@ -2788,7 +2791,7 @@
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.27.2/targeted/domains/program/sendmail.te
--- nsapolicy/targeted/domains/program/sendmail.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/sendmail.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/targeted/domains/program/sendmail.te 2005-10-27 00:01:04.000000000 -0400
@@ -12,7 +12,6 @@
#
type sendmail_exec_t, file_type, sysadmfile, exec_type;
@@ -2799,7 +2802,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.2/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/ssh.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/targeted/domains/program/ssh.te 2005-10-27 00:01:04.000000000 -0400
@@ -18,5 +18,5 @@
type sshd_var_run_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
@@ -2809,7 +2812,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.2/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/targeted/domains/program/xdm.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/targeted/domains/program/xdm.te 2005-10-27 00:01:04.000000000 -0400
@@ -21,6 +21,6 @@
domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
domain_auto_trans(init_t, xdm_exec_t, xdm_t)
@@ -2821,7 +2824,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.2/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/targeted/domains/unconfined.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/targeted/domains/unconfined.te 2005-10-27 00:01:04.000000000 -0400
@@ -81,10 +81,11 @@
typealias bin_t alias i18n_input_exec_t;
typealias unconfined_t alias i18n_input_t;
@@ -2839,7 +2842,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.2/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/tunables/distro.tun 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/tunables/distro.tun 2005-10-27 00:01:04.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
@@ -2851,7 +2854,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/tunables/tunable.tun 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/tunables/tunable.tun 2005-10-27 00:01:04.000000000 -0400
@@ -1,5 +1,5 @@
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
@@ -2870,7 +2873,7 @@
# Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.27.2/types/devpts.te
--- nsapolicy/types/devpts.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/types/devpts.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/types/devpts.te 2005-10-27 00:01:04.000000000 -0400
@@ -18,4 +18,6 @@
#
type devpts_t, mount_point, fs_type;
@@ -2881,7 +2884,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.2/types/file.te
--- nsapolicy/types/file.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/file.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/types/file.te 2005-10-27 00:01:04.000000000 -0400
@@ -84,6 +84,9 @@
#
type etc_t, file_type, sysadmfile;
@@ -2973,7 +2976,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.2/types/network.te
--- nsapolicy/types/network.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/network.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/types/network.te 2005-10-27 00:01:04.000000000 -0400
@@ -18,7 +18,7 @@
type dhcpd_port_t, port_type, reserved_port_type;
type smbd_port_t, port_type, reserved_port_type;
@@ -3016,7 +3019,7 @@
type rsync_port_t, port_type, reserved_port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.27.2/types/nfs.te
--- nsapolicy/types/nfs.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.2/types/nfs.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/types/nfs.te 2005-10-27 00:01:04.000000000 -0400
@@ -18,5 +18,4 @@
#
# Allow NFS files to be associated with an NFS file system.
@@ -3025,7 +3028,7 @@
allow file_type nfs_t:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.2/types/security.te
--- nsapolicy/types/security.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/security.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/types/security.te 2005-10-27 00:01:04.000000000 -0400
@@ -13,6 +13,8 @@
# applied to selinuxfs inodes.
#
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.405
retrieving revision 1.406
diff -u -r1.405 -r1.406
--- selinux-policy-strict.spec 27 Oct 2005 04:03:24 -0000 1.405
+++ selinux-policy-strict.spec 27 Oct 2005 14:28:26 -0000 1.406
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.2
-Release: 5
+Release: 6
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -79,7 +79,7 @@
install -m0755 %{SOURCE2} ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d/selinux.sh
install -m0755 %{SOURCE3} ${RPM_BUILD_ROOT}%{_sysconfdir}/profile.d/selinux.csh
install -m0644 %{SOURCE4} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/seusers
-install -m0644 %{SOURCE4} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/setrans.conf
+install -m0644 %{SOURCE5} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/setrans.conf
%clean
rm -rf ${RPM_BUILD_ROOT}
@@ -245,6 +245,10 @@
exit 0
%changelog
+* Wed Oct 26 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-6
+- Allow restorecon access to devpts on targetd machines
+- Fix setrans.conf on strict policy
+
* Wed Oct 26 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-5
- Fix reload policy in sources
- Fix postfix_disable_trans
More information about the fedora-cvs-commits
mailing list