rpms/selinux-policy-targeted/devel policy-20050912.parch, NONE, 1.1 .cvsignore, 1.116, 1.117 policy-20050811.patch, 1.9, 1.10 selinux-policy-targeted.spec, 1.369, 1.370 sources, 1.122, 1.123 policy-20050606.patch, 1.20, NONE policy-20050629.patch, 1.5, NONE policy-20050706.patch, 1.9, NONE policy-20050712.patch, 1.4, NONE policy-20050719.patch, 1.11, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Sep 14 16:51:17 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12307
Modified Files:
.cvsignore policy-20050811.patch selinux-policy-targeted.spec
sources
Added Files:
policy-20050912.parch
Removed Files:
policy-20050606.patch policy-20050629.patch
policy-20050706.patch policy-20050712.patch
policy-20050719.patch
Log Message:
* Tue Sep 13 2005 Dan Walsh <dwalsh at redhat.com> 1.26-1
- Update to latest from NSA
- Update to MCS policy
--- NEW FILE policy-20050912.parch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.4/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.25.4/domains/misc/kernel.te 2005-09-09 08:59:12.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
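Review bot: The new `type kernel_t, ...` line drops the ifdef(`nfs_export_all_rw') guard, so kernel_t now carries etc_writer unconditionally rather than only when that tunable is defined, and nothing in the hunk records why. A short comment above the declaration would preserve the intent for later tightening, e.g. `# etc_writer is granted unconditionally (previously only under nfs_export_all_rw): <reason>`. If the write access to etc_t is only needed for the NFS export case, keeping the guard would be the narrower choice.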
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.4/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.25.4/domains/program/crond.te 2005-09-09 08:59:12.000000000 -0400
@@ -44,7 +44,7 @@
read_locale(crond_t)
# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
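Review bot: `audit_control` is added to crond_t's capability set without a comment, and unlike the other capabilities in that line it governs the audit subsystem's configuration (rules, enabled state) rather than a single file or socket operation. The reason belongs next to the rule so the grant can be revisited when the kernel no longer requires it; something like `# audit_control: presumably needed for loginuid handling in PAM sessions — confirm` if that is the trigger. Stating whether `audit_write` alone was tried would also help.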
@@ -106,7 +106,7 @@
# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
@@ -207,5 +207,8 @@
#
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
')
dontaudit crond_t self:capability sys_tty_config;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
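Review bot: `can_exec(system_crond_t, httpd_modules_t)` is placed after the `')` that closes the ifdef(`apache.te') block, while the sibling `lnk_file read` rule added at the top of the hunk is inside it; in a build without apache.te, httpd_modules_t would be undefined where can_exec expands. Moving `# Needed for certwatch` and the `can_exec(...)` line above the closing `')` keeps both grants under the same guard. Separately, this lets system_crond_t execute every httpd module file, which is wider than the comment implies; since the diffstat lists a new certwatch.te, a domain transition to a certwatch domain may be the narrower fit, though that is not visible here.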
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.4/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.25.4/domains/program/fsadm.te 2005-09-09 08:59:12.000000000 -0400
@@ -64,7 +64,7 @@
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
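Review bot: `dac_override` and `dac_read_search` are added to fsadm_t while the comment on the line above still explains only ipc_lock. dac_override bypasses discretionary permission checks for every file the domain can otherwise reach, so the tool that needs it should be named; extending the existing comment to `# Use capabilities. ipc_lock is for losetup; dac_override/dac_read_search: <tool and path>` would make a later reduction to dac_read_search alone possible if the override is not actually required.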
@@ -102,10 +102,10 @@
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
read_locale(fsadm_t)
@@ -117,3 +117,4 @@
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.4/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.25.4/domains/program/hostname.te 2005-09-09 08:59:12.000000000 -0400
@@ -24,4 +24,5 @@
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
+allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.4/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.25.4/domains/program/ifconfig.te 2005-09-09 08:59:12.000000000 -0400
@@ -34,7 +34,7 @@
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:capability sys_tty_config;
@@ -52,7 +52,8 @@
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.25.4/domains/program/initrc.te 2005-09-09 08:59:12.000000000 -0400
@@ -214,7 +214,15 @@
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
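Review bot: `allow initrc_t default_t:file { getattr read };` grants read on every file labelled default_t, which is the fallback type for paths with no file_contexts match, while the comment says only the /.fonts directory is wanted. Giving /.fonts its own file context (or an existing narrower type) would match the stated intent; if default_t is kept, the comment should say so explicitly, e.g. `# wants to read /.fonts, which has no file_context entry and so is default_t; this grants read on all default_t files`. The same question applies to `allow initrc_t root_t:file unlink;`, which covers any root_t file rather than /poweroff alone, though there the comment at least names the files.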
@@ -319,3 +327,9 @@
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.25.4/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.25.4/domains/program/ldconfig.te 2005-09-09 08:59:12.000000000 -0400
@@ -16,7 +16,8 @@
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.25.4/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.25.4/domains/program/load_policy.te 2005-09-09 08:59:12.000000000 -0400
@@ -45,11 +45,9 @@
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
-# Read the devpts root directory (needed?)
-allow load_policy_t devpts_t:dir r_dir_perms;
-
# Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.25.4/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.25.4/domains/program/login.te 2005-09-09 08:59:12.000000000 -0400
@@ -62,6 +62,7 @@
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
')
# Use capabilities
@@ -200,23 +201,20 @@
# since very weak authentication is used.
login_spawn_domain(remote_login, unpriv_userdomain)
-allow remote_login_t devpts_t:dir search;
allow remote_login_t userpty_type:chr_file { setattr write };
# Use the pty created by rlogind.
ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, rlogind)
# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
')
# Use the pty created by telnetd.
ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, telnetd)
# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
[...2801 lines suppressed...]
portcon tcp 50002 system_u:object_r:hplip_port_t
portcon tcp 5900 system_u:object_r:vnc_port_t
+portcon tcp 5988 system_u:object_r:pegasus_http_port_t
+portcon tcp 5989 system_u:object_r:pegasus_https_port_t
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
portcon tcp 6002 system_u:object_r:xserver_port_t
@@ -223,14 +229,6 @@
#
# interface netif_context default_msg_context
#
-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
# Nodes (default = initial SID "node")
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.25.4/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/targeted/appconfig/root_default_contexts 2005-09-09 08:59:14.000000000 -0400
@@ -1,2 +1,6 @@
system_r:unconfined_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.25.4/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/targeted/assert.te 2005-09-09 08:59:14.000000000 -0400
@@ -24,7 +24,7 @@
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
-# Confined domains must never see unconfined domain's /proc/pid entries.
+# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.25.4/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/targeted/domains/program/ssh.te 2005-09-09 08:59:14.000000000 -0400
@@ -17,3 +17,6 @@
type sshd_key_t, file_type, sysadmfile;
type sshd_var_run_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
+')
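Review bot: The category range `s0 - s0:c0.c127` is written out literally in this `range_transition`, again twice in the xdm.te hunk below, and once more in the getty_t transition added to login.te inside policy-20050811.patch. A single m4 definition in the MCS configuration, for example `define(`mcs_allcats', `s0 - s0:c0.c127')` (name illustrative), referenced from each `range_transition`, would keep the range consistent if the number of categories changes. A one-line comment at the first use stating why daemons started by initrc_t get the full category set would also help readers unfamiliar with MCS.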
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.25.4/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/targeted/domains/program/xdm.te 2005-09-09 15:23:29.000000000 -0400
@@ -20,3 +20,7 @@
type xdm_tmp_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+ifdef(`use_mcs', `
+range_transition init_t xdm_exec_t s0 - s0:c0.c127;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.4/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/targeted/domains/unconfined.te 2005-09-09 11:40:35.000000000 -0400
@@ -14,8 +14,8 @@
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
-typealias bin_t alias su_exec_t;
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
typeattribute tty_device_t admin_tty_type;
typeattribute devpts_t admin_tty_type;
@@ -63,6 +63,7 @@
bool use_samba_home_dirs false;
ifdef(`samba.te', `samba_domain(user)')
+ifdef(`i18n_input.te', `i18n_input_domain(user)')
# Allow system to run with NIS
bool allow_ypbind false;
@@ -77,3 +78,14 @@
allow domain self:process execmem;
}
+#Removing i18n_input from targeted for now, since wants to read users homedirs
+typealias bin_t alias i18n_input_exec_t;
+typealias unconfined_t alias i18n_input_t;
+typealias var_run_t alias i18n_input_var_run_t;
+# Needed to get su working
+bool secure_mode false;
+typealias unconfined_t alias { sysadm_chkpwd_t };
+typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
+su_domain(sysadm)
+typeattribute sysadm_su_t unrestricted;
+role system_r types sysadm_su_t;
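Review bot: The comment `#Removing i18n_input from targeted for now, since wants to read users homedirs` followed by typealiases of i18n_input_t and i18n_input_exec_t to unconfined_t and bin_t sits in the same file as the earlier hunk that adds `ifdef(`i18n_input.te', `i18n_input_domain(user)')`; one hunk wires the domain in and the other aliases its types away. Whether the macro call still has any effect once the aliases exist is not visible here, but the two should either be reconciled or the comment should explain how they coexist. The `su_domain(sysadm)` block would also benefit from a line stating that `bool secure_mode false;` and the sysadm_chkpwd_t alias exist only so that su under the targeted policy resolves to unconfined types, since `typeattribute sysadm_su_t unrestricted;` removes the su domain from the neverallow checks in assert.te.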
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/tunables/distro.tun 2005-09-09 08:59:14.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.4/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/tunables/tunable.tun 2005-09-09 16:04:13.000000000 -0400
@@ -1,5 +1,5 @@
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -17,7 +17,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
@@ -32,3 +32,4 @@
# Enable Polyinstantiation support
dnl define(`support_polyinstatiation')
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.4/types/file.te
--- nsapolicy/types/file.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/types/file.te 2005-09-09 08:59:14.000000000 -0400
@@ -325,6 +325,9 @@
type inotifyfs_t, fs_type, sysadmfile;
allow inotifyfs_t self:filesystem associate;
+type capifs_t, fs_type, sysadmfile;
+allow capifs_t self:filesystem associate;
+
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
allow removable_t self:filesystem associate;
@@ -333,6 +336,7 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
allow customizable self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.4/types/network.te
--- nsapolicy/types/network.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/types/network.te 2005-09-09 08:59:14.000000000 -0400
@@ -74,15 +74,6 @@
# interfaces in net_contexts or net_contexts.mls.
#
type netif_t, netif_type;
-type netif_eth0_t, netif_type;
-type netif_eth1_t, netif_type;
-type netif_eth2_t, netif_type;
-type netif_lo_t, netif_type;
-type netif_ippp0_t, netif_type;
-
-type netif_ipsec0_t, netif_type;
-type netif_ipsec1_t, netif_type;
-type netif_ipsec2_t, netif_type;
#
# node_t is the default type of network nodes.
@@ -129,6 +120,8 @@
type zebra_port_t, port_type;
type i18n_input_port_t, port_type;
type vnc_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
type openvpn_port_t, port_type;
type clamd_port_t, port_type, reserved_port_type;
type transproxy_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.25.4/types/security.te
--- nsapolicy/types/security.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.25.4/types/security.te 2005-09-09 08:59:14.000000000 -0400
@@ -19,6 +19,10 @@
# the security server policy configuration.
#
type policy_config_t, file_type, secadmfile;
+# Since libselinux attempts to read these by default, most domains
+# do not need it.
+dontaudit domain selinux_config_t:dir search;
+dontaudit domain selinux_config_t:file { getattr read };
#
# policy_src_t is the type of the policy source
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/.cvsignore,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- .cvsignore 11 Aug 2005 11:41:23 -0000 1.116
+++ .cvsignore 14 Sep 2005 16:51:14 -0000 1.117
@@ -81,3 +81,4 @@
policy-1.25.2.tgz
policy-1.25.3.tgz
policy-1.25.4.tgz
+policy-1.26.tgz
policy-20050811.patch:
Makefile | 38 ++++-
attrib.te | 2
constraints | 1
domains/misc/kernel.te | 2
domains/program/crond.te | 7
domains/program/fsadm.te | 7
domains/program/hostname.te | 3
domains/program/ifconfig.te | 5
domains/program/initrc.te | 16 ++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 6
domains/program/login.te | 17 +-
domains/program/modutil.te | 14 +
domains/program/mount.te | 3
domains/program/netutils.te | 3
domains/program/passwd.te | 3
domains/program/restorecon.te | 5
domains/program/setfiles.te | 2
domains/program/ssh.te | 21 +-
domains/program/su.te | 7
domains/program/syslogd.te | 2
domains/program/unused/NetworkManager.te | 8 -
domains/program/unused/acct.te | 10 -
domains/program/unused/alsa.te | 11 +
domains/program/unused/amanda.te | 53 -------
domains/program/unused/anaconda.te | 5
domains/program/unused/apache.te | 12 +
domains/program/unused/apmd.te | 8 +
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4
domains/program/unused/backup.te | 2
domains/program/unused/bluetooth.te | 18 ++
domains/program/unused/bootloader.te | 2
domains/program/unused/cardmgr.te | 3
domains/program/unused/certwatch.te | 11 +
domains/program/unused/clockspeed.te | 3
domains/program/unused/cups.te | 12 +
domains/program/unused/cvs.te | 10 -
domains/program/unused/cyrus.te | 10 +
domains/program/unused/dbusd.te | 9 +
domains/program/unused/ddclient.te | 6
domains/program/unused/dhcpc.te | 6
domains/program/unused/dovecot.te | 4
domains/program/unused/dpkg.te | 3
domains/program/unused/firstboot.te | 7
domains/program/unused/fs_daemon.te | 2
domains/program/unused/ftpd.te | 8 -
domains/program/unused/hald.te | 1
domains/program/unused/hwclock.te | 5
domains/program/unused/i18n_input.te | 2
domains/program/unused/ipsec.te | 7
domains/program/unused/kudzu.te | 4
domains/program/unused/lvm.te | 1
domains/program/unused/mailman.te | 2
domains/program/unused/mta.te | 6
domains/program/unused/mysqld.te | 7
domains/program/unused/ntpd.te | 4
domains/program/unused/openct.te | 16 ++
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 31 ++++
domains/program/unused/ping.te | 12 -
domains/program/unused/postfix.te | 3
domains/program/unused/postgresql.te | 4
domains/program/unused/pppd.te | 22 ++-
domains/program/unused/procmail.te | 3
domains/program/unused/readahead.te | 21 ++
domains/program/unused/rlogind.te | 2
domains/program/unused/roundup.te | 29 +++
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 3
domains/program/unused/rsync.te | 4
domains/program/unused/samba.te | 16 +-
domains/program/unused/saslauthd.te | 10 +
domains/program/unused/slocate.te | 4
domains/program/unused/snmpd.te | 5
domains/program/unused/squid.te | 3
domains/program/unused/sxid.te | 1
domains/program/unused/udev.te | 8 -
domains/program/unused/vpnc.te | 17 +-
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 2
file_contexts/distros.fc | 5
file_contexts/program/apache.fc | 8 -
file_contexts/program/bluetooth.fc | 1
file_contexts/program/certwatch.fc | 3
file_contexts/program/clamav.fc | 2
file_contexts/program/cups.fc | 1
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 2
file_contexts/program/fsadm.fc | 1
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 11 +
file_contexts/program/postfix.fc | 2
file_contexts/program/postgresql.fc | 4
file_contexts/program/pppd.fc | 14 +
file_contexts/program/qmail.fc | 2
file_contexts/program/radvd.fc | 1
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 8 -
genfs_contexts | 1
macros/base_user_macros.te | 4
macros/core_macros.te | 3
macros/global_macros.te | 32 ++++
macros/network_macros.te | 21 ++
macros/program/apache_macros.te | 19 ++
macros/program/cdrecord_macros.te | 16 --
macros/program/chkpwd_macros.te | 17 --
macros/program/ethereal_macros.te | 7
macros/program/evolution_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/i18n_input_macros.te | 21 ++
macros/program/mail_client_macros.te | 5
macros/program/mozilla_macros.te | 7
macros/program/mta_macros.te | 4
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/spamassassin_macros.te | 2
macros/program/su_macros.te | 10 -
macros/program/thunderbird_macros.te | 6
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
mcs | 226 +++++++++++++++++++++++++++++++
net_contexts | 14 -
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/program/ssh.te | 3
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 14 +
tunables/distro.tun | 2
tunables/tunable.tun | 5
types/file.te | 4
types/network.te | 11 -
types/security.te | 4
139 files changed, 940 insertions(+), 274 deletions(-)
Index: policy-20050811.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050811.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20050811.patch 29 Aug 2005 17:47:56 -0000 1.9
+++ policy-20050811.patch 14 Sep 2005 16:51:15 -0000 1.10
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.4/attrib.te
--- nsapolicy/attrib.te 2005-07-19 10:57:04.000000000 -0400
-+++ policy-1.25.4/attrib.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/attrib.te 2005-09-09 08:59:12.000000000 -0400
@@ -94,7 +94,7 @@
# The privowner attribute identifies every domain that can
@@ -10,9 +10,17 @@
# process identity. This attribute is used in the constraints
# configuration.
attribute privowner;
+diff --exclude-from=exclude -N -u -r nsapolicy/constraints policy-1.25.4/constraints
+--- nsapolicy/constraints 2005-05-25 11:28:09.000000000 -0400
++++ policy-1.25.4/constraints 2005-09-09 12:01:13.000000000 -0400
+@@ -81,3 +81,4 @@
+
+ constrain socket_class_set { create relabelto relabelfrom }
+ ( u1 == u2 or t1 == privowner );
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.4/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/misc/kernel.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/misc/kernel.te 2005-09-09 08:59:12.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
@@ -24,7 +32,7 @@
general_proc_read_access(kernel_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.4/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-08-11 06:57:10.000000000 -0400
-+++ policy-1.25.4/domains/program/crond.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/crond.te 2005-09-09 08:59:12.000000000 -0400
@@ -44,7 +44,7 @@
read_locale(crond_t)
@@ -54,7 +62,7 @@
+can_exec(system_crond_t, httpd_modules_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.4/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-08-11 06:57:12.000000000 -0400
-+++ policy-1.25.4/domains/program/fsadm.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/fsadm.te 2005-09-09 08:59:12.000000000 -0400
@@ -64,7 +64,7 @@
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
@@ -84,7 +92,7 @@
+allow fsadm_t device_type:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.4/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.25.4/domains/program/hostname.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/hostname.te 2005-09-09 08:59:12.000000000 -0400
@@ -24,4 +24,5 @@
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
@@ -94,7 +102,7 @@
+allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.4/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/ifconfig.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/ifconfig.te 2005-09-09 08:59:12.000000000 -0400
@@ -34,7 +34,7 @@
allow ifconfig_t self:socket create_socket_perms;
@@ -116,7 +124,7 @@
allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/initrc.te 2005-08-29 08:07:06.000000000 -0400
++++ policy-1.25.4/domains/program/initrc.te 2005-09-09 08:59:12.000000000 -0400
@@ -214,7 +214,15 @@
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
@@ -146,7 +154,7 @@
+r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.25.4/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.25.4/domains/program/ldconfig.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/ldconfig.te 2005-09-09 08:59:12.000000000 -0400
@@ -16,7 +16,8 @@
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
@@ -159,7 +167,7 @@
uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.25.4/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.25.4/domains/program/load_policy.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/load_policy.te 2005-09-09 08:59:12.000000000 -0400
@@ -45,11 +45,9 @@
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
@@ -176,7 +184,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.25.4/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-07-12 08:50:42.000000000 -0400
-+++ policy-1.25.4/domains/program/login.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/login.te 2005-09-09 08:59:12.000000000 -0400
@@ -62,6 +62,7 @@
ifdef(`pamconsole.te', `
@@ -213,9 +221,18 @@
')
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
+@@ -225,3 +223,8 @@
+ # Allow remote login to resolve host names (passed in via the -h switch)
+ can_resolve(remote_login_t)
+
++ifdef(`use_mcs', `
++ifdef(`getty.te', `
++range_transition getty_t login_exec_t s0 - s0:c0.c127;
++')
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.25.4/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/modutil.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/modutil.te 2005-09-09 08:59:12.000000000 -0400
@@ -59,7 +59,8 @@
allow depmod_t modules_object_t:file unlink;
@@ -268,7 +285,7 @@
allow update_modules_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.25.4/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/mount.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/mount.te 2005-09-09 08:59:12.000000000 -0400
@@ -16,7 +16,8 @@
role sysadm_r types mount_t;
role system_r types mount_t;
@@ -281,7 +298,7 @@
allow mount_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.25.4/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te 2005-07-12 08:50:42.000000000 -0400
-+++ policy-1.25.4/domains/program/netutils.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/netutils.te 2005-09-09 08:59:12.000000000 -0400
@@ -55,7 +55,8 @@
# Access terminals.
@@ -294,7 +311,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.4/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/passwd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/passwd.te 2005-09-09 08:59:12.000000000 -0400
@@ -64,6 +64,7 @@
dontaudit $1_t { proc_t device_t }:dir { search read };
@@ -312,7 +329,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.25.4/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/restorecon.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/restorecon.te 2005-09-09 08:59:12.000000000 -0400
@@ -19,7 +19,7 @@
role sysadm_r types restorecon_t;
role secadm_r types restorecon_t;
@@ -334,7 +351,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.25.4/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.25.4/domains/program/setfiles.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/setfiles.te 2005-09-09 08:59:12.000000000 -0400
@@ -22,7 +22,7 @@
ifdef(`distro_redhat', `
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
@@ -346,7 +363,7 @@
allow setfiles_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.25.4/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/ssh.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/ssh.te 2005-09-09 08:59:12.000000000 -0400
@@ -114,6 +114,14 @@
can_create_pty($1, `, server_pty')
allow $1_t $1_devpts_t:chr_file { setattr getattr relabelfrom };
@@ -391,15 +408,44 @@
allow { sshd_t sshd_extern_t } self:capability net_bind_service;
allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
-@@ -228,5 +232,3 @@
+@@ -228,5 +232,6 @@
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
-allow sshd_t faillog_t:file { append getattr };
-allow sshd_t sbin_t:file getattr;
++ifdef(`use_mcs', `
++range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.25.4/domains/program/su.te
+--- nsapolicy/domains/program/su.te 2005-04-27 10:28:49.000000000 -0400
++++ policy-1.25.4/domains/program/su.te 2005-09-09 11:38:50.000000000 -0400
+@@ -12,3 +12,10 @@
+
+ # Everything else is in the su_domain macro in
+ # macros/program/su_macros.te.
++
++ifdef(`use_mcs', `
++ifdef(`targeted_policy', `
++range_transition unconfined_t su_exec_t s0 - s0:c0.c127;
++domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
++')
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.25.4/domains/program/syslogd.te
+--- nsapolicy/domains/program/syslogd.te 2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.4/domains/program/syslogd.te 2005-09-09 08:59:12.000000000 -0400
+@@ -33,7 +33,7 @@
+ tmp_domain(syslogd)
+
+ # read files in /etc
+-allow syslogd_t etc_t:file r_file_perms;
++allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
+
+ # Use capabilities.
+ allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.25.4/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/acct.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/acct.te 2005-09-09 08:59:12.000000000 -0400
@@ -23,10 +23,11 @@
type acct_data_t, file_type, logfile, sysadmfile;
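Review bot: `domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)` moves su out of unconfined_t under targeted+MCS, but nothing in this hunk authorizes sysadm_su_t for the role unconfined_t runs under, nor lets sysadm_su_t transition back to unconfined_t for the shell it spawns; later in this same patch anaconda.te drops `role system_r types sysadm_su_t`, so confirm su_macros.te supplies both under `targeted_policy`, otherwise su fails the role check or leaves a root shell confined in sysadm_su_t. A comment on the new block stating the intent would help, e.g. `# under MCS su runs confined, presumably so the login code can set the caller's category range`. The `range_transition initrc_t sshd_exec_t s0 - s0:c0.c127` hands sshd the full category set, which a login daemon needs but which deserves the same one-line justification.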
@@ -441,7 +487,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.4/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te 2005-07-05 15:25:45.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/alsa.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/alsa.te 2005-09-09 08:59:12.000000000 -0400
@@ -6,12 +6,19 @@
type alsa_t, domain, privlog, daemon;
type alsa_exec_t, file_type, sysadmfile, exec_type;
@@ -466,7 +512,7 @@
+read_locale(alsa_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.25.4/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/amanda.te 2005-08-29 11:43:44.000000000 -0400
++++ policy-1.25.4/domains/program/unused/amanda.te 2005-09-09 08:59:12.000000000 -0400
@@ -84,7 +84,6 @@
# configuration files -> read only
@@ -567,9 +613,24 @@
-dontaudit amanda_t usbfs_t:dir getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.25.4/domains/program/unused/anaconda.te
+--- nsapolicy/domains/program/unused/anaconda.te 2005-05-25 11:28:09.000000000 -0400
++++ policy-1.25.4/domains/program/unused/anaconda.te 2005-09-09 13:11:37.000000000 -0400
+@@ -17,11 +17,6 @@
+ role system_r types ldconfig_t;
+ domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
+
+-ifdef(`su.te', `
+-role system_r types sysadm_su_t;
+-domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
+-')
+-
+ # Run other rc scripts in the anaconda_t domain.
+ domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/apache.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/apache.te 2005-09-09 08:59:12.000000000 -0400
@@ -113,9 +113,12 @@
can_network_server(httpd_t)
can_kerberos(httpd_t)
@@ -606,7 +667,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.4/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/apmd.te 2005-08-29 11:30:30.000000000 -0400
++++ policy-1.25.4/domains/program/unused/apmd.te 2005-09-09 08:59:12.000000000 -0400
@@ -16,7 +16,9 @@
type apm_t, domain, privlog;
@@ -629,7 +690,7 @@
+allow apmd_t security_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.25.4/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/auditd.te 2005-08-29 11:35:53.000000000 -0400
++++ policy-1.25.4/domains/program/unused/auditd.te 2005-09-09 08:59:12.000000000 -0400
@@ -65,3 +65,5 @@
allow auditctl_t privfd:fd use;
@@ -638,7 +699,7 @@
+can_exec(auditd_t, sbin_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.25.4/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/automount.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/automount.te 2005-09-09 08:59:12.000000000 -0400
@@ -34,7 +34,9 @@
can_exec(automount_t, { etc_t automount_etc_t })
@@ -664,7 +725,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.25.4/domains/program/unused/backup.te
--- nsapolicy/domains/program/unused/backup.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/backup.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/backup.te 2005-09-09 08:59:12.000000000 -0400
@@ -16,7 +16,9 @@
role system_r types backup_t;
role sysadm_r types backup_t;
@@ -677,19 +738,51 @@
system_crond_entry(backup_exec_t, backup_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.25.4/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/bluetooth.te 2005-08-25 10:28:34.000000000 -0400
-@@ -43,3 +43,8 @@
++++ policy-1.25.4/domains/program/unused/bluetooth.te 2005-09-09 08:59:12.000000000 -0400
+@@ -11,11 +11,16 @@
+ daemon_domain(bluetooth)
+
+ file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
++file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
+
+ tmp_domain(bluetooth)
+
+ # Use capabilities.
+ allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
++allow bluetooth_t self:process getsched;
++allow bluetooth_t proc_t:file { getattr read };
++
++allow bluetooth_t self:shm create_shm_perms;
+
+ lock_domain(bluetooth)
+
+@@ -35,6 +40,7 @@
+
+ # bluetooth_conf_t is the type of the /etc/bluetooth dir.
+ type bluetooth_conf_t, file_type, sysadmfile;
++type bluetooth_conf_rw_t, file_type, sysadmfile;
+
+ # Read /etc/bluetooth
+ allow bluetooth_t bluetooth_conf_t:dir search;
+@@ -43,3 +49,15 @@
allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;
+allow bluetooth_t bin_t:dir search;
-+can_exec(bluetooth_t, bin_t)
++can_exec(bluetooth_t, { bin_t shell_exec_t })
++allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
++allow bluetooth_t self:fifo_file rw_file_perms;
++allow bluetooth_t etc_t:file { getattr read };
++r_dir_file(bluetooth_t, fonts_t)
++allow bluetooth_t urandom_device_t:chr_file r_file_perms;
++allow bluetooth_t usr_t:file { getattr read };
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.25.4/domains/program/unused/bootloader.te
--- nsapolicy/domains/program/unused/bootloader.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/bootloader.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/bootloader.te 2005-09-09 08:59:12.000000000 -0400
@@ -24,7 +24,9 @@
# for nscd
dontaudit bootloader_t var_run_t:dir search;
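Review bot: `can_exec(bluetooth_t, { bin_t shell_exec_t })` lets bluetoothd run any binary and any shell in its own domain with no transition, while the same domain holds net_admin, net_raw and sys_tty_config, so a compromised daemon can now script whatever those capabilities allow. If a specific helper script referenced from the bluetooth config is the reason, give it its own exec type and a `domain_auto_trans` into a narrower domain, or at least record the reason in a comment: `# bluetoothd executes helper scripts named in its config; no separate helper domain yet`. Note also that `file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)` carries no class argument, so every object bluetoothd creates under /etc/bluetooth gets bluetooth_conf_rw_t, which is probably intended but worth stating next to the rule.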
@@ -702,7 +795,7 @@
tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.25.4/domains/program/unused/cardmgr.te
--- nsapolicy/domains/program/unused/cardmgr.te 2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cardmgr.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cardmgr.te 2005-09-09 08:59:12.000000000 -0400
@@ -15,7 +15,9 @@
allow cardmgr_t urandom_device_t:chr_file read;
@@ -720,7 +813,7 @@
+allow cardmgr_t device_t:lnk_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.4/domains/program/unused/certwatch.te
--- nsapolicy/domains/program/unused/certwatch.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/domains/program/unused/certwatch.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/certwatch.te 2005-09-09 08:59:12.000000000 -0400
@@ -0,0 +1,11 @@
+#DESC certwatch - generate SSL certificate expiry warnings
+#
@@ -735,7 +828,7 @@
+read_locale(certwatch_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.25.4/domains/program/unused/clockspeed.te
--- nsapolicy/domains/program/unused/clockspeed.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/clockspeed.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/clockspeed.te 2005-09-09 08:59:12.000000000 -0400
@@ -21,5 +21,6 @@
# sysadm can play with clockspeed
@@ -746,7 +839,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.4/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cups.te 2005-08-27 04:24:14.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cups.te 2005-09-09 08:59:12.000000000 -0400
@@ -188,6 +188,7 @@
# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
@@ -788,9 +881,17 @@
ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
+@@ -310,3 +316,7 @@
+ r_dir_file(cupsd_lpd_t, cupsd_etc_t)
+ r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
+ allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
++ifdef(`use_mcs', `
++range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
++')
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.4/domains/program/unused/cvs.te
--- nsapolicy/domains/program/unused/cvs.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cvs.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cvs.te 2005-09-09 08:59:12.000000000 -0400
@@ -15,12 +15,14 @@
typeattribute cvs_t privmail;
typeattribute cvs_t auth_chkpwd;
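Review bot: `range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127` starts cupsd with every MCS category, so category separation does not constrain cupsd at all, and the hunk records no reason. Add a comment giving the rationale, e.g. `# cupsd must read spool files submitted at any category, so it runs with the full range`, and check whether cupsd_lpd_t and the other cups helper domains inherit this range or genuinely need less.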
@@ -812,7 +913,7 @@
+dontaudit cvs_t krb5_conf_t:file write;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.4/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cyrus.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cyrus.te 2005-09-09 08:59:12.000000000 -0400
@@ -20,7 +20,7 @@
can_ypbind(cyrus_t)
can_exec(cyrus_t, bin_t)
@@ -836,7 +937,7 @@
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.25.4/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dbusd.te 2005-08-26 15:05:37.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dbusd.te 2005-09-09 08:59:12.000000000 -0400
@@ -12,9 +12,16 @@
# dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -857,7 +958,7 @@
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.25.4/domains/program/unused/ddclient.te
--- nsapolicy/domains/program/unused/ddclient.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ddclient.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ddclient.te 2005-09-09 08:59:12.000000000 -0400
@@ -38,5 +38,7 @@
# allow access to ddclient.conf and ddclient.cache
@@ -870,7 +971,7 @@
+dontaudit httpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.4/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dhcpc.te 2005-08-29 09:58:32.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dhcpc.te 2005-09-09 11:45:30.000000000 -0400
@@ -134,7 +134,6 @@
allow dhcpc_t home_root_t:dir search;
allow initrc_t dhcpc_state_t:file { getattr read };
@@ -879,24 +980,32 @@
allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit dhcpc_t domain:dir getattr;
allow dhcpc_t initrc_var_run_t:file rw_file_perms;
-@@ -156,6 +155,6 @@
- domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
- allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+@@ -145,6 +144,7 @@
+ ifdef(`ypbind.te', `
+ domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
+ allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
++allow dhcpc_t ypbind_t:process signal;
+ ')
+ ifdef(`ntpd.te', `
+ domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
+@@ -158,4 +158,8 @@
allow dhcpc_t self:dbus send_msg;
--allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
--allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
-+allow { unconfined_t NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
-+allow dhcpc_t { unconfined_t NetworkManager_t initrc_t }:dbus send_msg;
+ allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+ allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
++ifdef(`unconfined.te', `
++allow unconfined_t dhcpc_t:dbus send_msg;
++allow dhcpc_t unconfined_t:dbus send_msg;
++')
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.25.4/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dovecot.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dovecot.te 2005-09-09 08:59:12.000000000 -0400
@@ -43,7 +43,9 @@
can_kerberos(dovecot_t)
allow dovecot_t tmp_t:dir search;
-rw_dir_file(dovecot_t, mail_spool_t)
-+ra_dir_create_file(dovecot_t, mail_spool_t)
++rw_dir_create_file(dovecot_t, mail_spool_t)
+
+
create_dir_file(dovecot_t, dovecot_spool_t)
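Review bot: `rw_dir_create_file(dovecot_t, mail_spool_t)` widens the previous append-only `ra_dir_create_file` grant to full write on every mail_spool_t file and directory, and the hunk gives no reason for the loosening. If this is needed because dovecot rewrites mbox files on expunge, say so next to the rule: `# dovecot rewrites mbox files in the spool on expunge, so append-only is not enough`; otherwise keep the narrower grant. The `ifdef(`unconfined.te',` guard around the dhcpc_t/unconfined_t dbus rules is placed inside an enclosing ifdef whose opening is outside this hunk, so its nesting cannot be checked here.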
@@ -904,7 +1013,7 @@
allow dovecot_t mail_spool_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.25.4/domains/program/unused/dpkg.te
--- nsapolicy/domains/program/unused/dpkg.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dpkg.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dpkg.te 2005-09-09 08:59:12.000000000 -0400
@@ -178,6 +178,9 @@
type apt_rw_etc_t, file_type, sysadmfile;
tmp_domain(apt, `', `{ dir file lnk_file }')
@@ -917,7 +1026,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.4/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te 2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/firstboot.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/firstboot.te 2005-09-09 08:59:12.000000000 -0400
@@ -57,9 +57,6 @@
# Allow write to utmp file
allow firstboot_t initrc_var_run_t:file write;
@@ -941,7 +1050,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fs_daemon.te policy-1.25.4/domains/program/unused/fs_daemon.te
--- nsapolicy/domains/program/unused/fs_daemon.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/fs_daemon.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/fs_daemon.te 2005-09-09 08:59:12.000000000 -0400
@@ -15,6 +15,8 @@
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
allow fsdaemon_t etc_runtime_t:file { getattr read };
@@ -953,7 +1062,7 @@
can_network_udp(fsdaemon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.4/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ftpd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ftpd.te 2005-09-09 08:59:12.000000000 -0400
@@ -110,9 +110,5 @@
r_dir_file(ftpd_t, cifs_t)
}
@@ -968,7 +1077,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.4/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/hald.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/hald.te 2005-09-09 08:59:12.000000000 -0400
@@ -47,6 +47,7 @@
allow hald_t printer_device_t:chr_file rw_file_perms;
allow hald_t urandom_device_t:chr_file read;
@@ -979,7 +1088,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.4/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/hwclock.te 2005-08-27 04:28:02.000000000 -0400
++++ policy-1.25.4/domains/program/unused/hwclock.te 2005-09-09 08:59:12.000000000 -0400
@@ -17,9 +17,10 @@
#
daemon_base_domain(hwclock)
@@ -1000,7 +1109,7 @@
+r_dir_file(hwclock_t, etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.25.4/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/i18n_input.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/i18n_input.te 2005-09-09 08:59:12.000000000 -0400
@@ -28,6 +28,6 @@
allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
@@ -1011,7 +1120,7 @@
+allow i18n_input_t home_root_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.4/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ipsec.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ipsec.te 2005-09-09 08:59:12.000000000 -0400
@@ -60,8 +60,8 @@
# it in its own domain?)
can_exec(ipsec_mgmt_t, bin_t)
@@ -1042,7 +1151,7 @@
can_exec(ipsec_mgmt_t, consoletype_exec_t )
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.4/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/kudzu.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/kudzu.te 2005-09-09 08:59:12.000000000 -0400
@@ -20,7 +20,7 @@
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
@@ -1064,7 +1173,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.25.4/domains/program/unused/lvm.te
--- nsapolicy/domains/program/unused/lvm.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/lvm.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/lvm.te 2005-09-09 08:59:12.000000000 -0400
@@ -101,6 +101,7 @@
dontaudit lvm_t ttyfile:chr_file getattr;
dontaudit lvm_t device_t:{ fifo_file dir chr_file blk_file } getattr;
@@ -1075,7 +1184,7 @@
dontaudit lvm_t gpmctl_t:sock_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.25.4/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te 2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/mailman.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/mailman.te 2005-09-09 08:59:12.000000000 -0400
@@ -91,6 +91,8 @@
allow mta_delivery_agent mailman_data_t:dir search;
@@ -1087,7 +1196,7 @@
domain_auto_trans(sysadm_t, mailman_mail_exec_t, mailman_mail_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.25.4/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/mta.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/mta.te 2005-09-09 08:59:12.000000000 -0400
@@ -22,7 +22,7 @@
# rules are currently defined in sendmail.te, but it is not included in
# targeted policy. We could move these rules permanantly here.
@@ -1107,7 +1216,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.25.4/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/mysqld.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/mysqld.te 2005-09-09 08:59:12.000000000 -0400
@@ -12,7 +12,7 @@
#
daemon_domain(mysqld, `, nscd_client_domain')
@@ -1135,7 +1244,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.4/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-08-11 06:57:14.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/NetworkManager.te 2005-08-29 11:30:40.000000000 -0400
++++ policy-1.25.4/domains/program/unused/NetworkManager.te 2005-09-09 08:59:12.000000000 -0400
@@ -15,12 +15,12 @@
can_network(NetworkManager_t)
@@ -1168,7 +1277,7 @@
+allow NetworkManager_t security_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.25.4/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ntpd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ntpd.te 2005-09-09 08:59:12.000000000 -0400
@@ -26,7 +26,7 @@
# for SSP
allow ntpd_t urandom_device_t:chr_file { getattr read };
@@ -1178,9 +1287,18 @@
dontaudit ntpd_t self:capability { net_admin };
allow ntpd_t self:process { setcap setsched };
# ntpdate wants sys_nice
+@@ -54,7 +54,7 @@
+ # for cron jobs
+ # system_crond_t is not right, cron is not doing what it should
+ ifdef(`crond.te', `
+-system_crond_entry(ntpd_exec_t, ntpd_t)
++system_crond_entry(ntpdate_exec_t, ntpd_t)
+ ')
+
+ can_exec(ntpd_t, initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.25.4/domains/program/unused/openct.te
--- nsapolicy/domains/program/unused/openct.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/domains/program/unused/openct.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/openct.te 2005-09-09 08:59:12.000000000 -0400
@@ -0,0 +1,16 @@
+#DESC openct - read files in page cache
+#
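Review bot: `system_crond_entry(ntpdate_exec_t, ntpd_t)` relies on a type ntpdate_exec_t that is declared nowhere in this hunk; if ntpd.te does not define it along with the matching transition into ntpd_t, the policy build fails on an unknown type. The surrounding comment `# system_crond_t is not right, cron is not doing what it should` is left untouched and now reads as stale; replace it with what the rule does, e.g. `# cron-launched ntpdate (ntpdate_exec_t) runs in the ntpd_t domain`.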
@@ -1200,7 +1318,7 @@
+allow openct_t etc_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.25.4/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/pamconsole.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/pamconsole.te 2005-09-09 08:59:12.000000000 -0400
@@ -25,6 +25,7 @@
# for /var/run/console.lock checking
allow pam_console_t { var_t var_run_t }:dir search;
@@ -1214,9 +1332,44 @@
allow initrc_t pam_var_console_t:file unlink;
allow pam_console_t file_context_t:file { getattr read };
+nsswitch_domain(pam_console_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.25.4/domains/program/unused/pegasus.te
+--- nsapolicy/domains/program/unused/pegasus.te 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/domains/program/unused/pegasus.te 2005-09-09 08:59:12.000000000 -0400
+@@ -0,0 +1,31 @@
++#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
++#
++# Author: Jason Vas Dias <jvdias at redhat.com>
++# Package: tog-pegasus
++#
++#################################
++#
++# Rules for the pegasus domain
++#
++daemon_domain(pegasus, `, nscd_client_domain')
++type pegasus_data_t, file_type, sysadmfile;
++type pegasus_conf_t, file_type, sysadmfile;
++type pegasus_mof_t, file_type, sysadmfile;
++type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
++allow pegasus_t self:capability { dac_override net_bind_service };
++can_network_tcp(pegasus_t);
++nsswitch_domain(pegasus_t);
++allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
++allow pegasus_t self:unix_dgram_socket create_socket_perms;
++allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
++allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
++allow pegasus_t proc_t:file { getattr read };
++allow pegasus_t sysctl_vm_t:dir search;
++allow pegasus_t initrc_var_run_t:file { read write lock };
++allow pegasus_t urandom_device_t:chr_file { getattr read };
++r_dir_file(pegasus_t, etc_t)
++r_dir_file(pegasus_t, var_lib_t)
++r_dir_file(pegasus_t, pegasus_mof_t)
++rw_dir_create_file(pegasus_t, pegasus_conf_t)
++rw_dir_create_file(pegasus_t, pegasus_data_t)
++rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.4/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ping.te 2005-08-29 11:21:58.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ping.te 2005-09-09 08:59:12.000000000 -0400
@@ -17,7 +17,9 @@
in_user_role(ping_t)
type ping_exec_t, file_type, sysadmfile, exec_type;
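Review bot: `rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)` names a file type as the subject: pegasus_conf_exec_t is declared as `file_type, exec_type, sysadmfile`, not a domain, so the expanded allow rules grant write access to a type no process ever runs as and whatever is executed from pegasus_conf_exec_t gets nothing. Either declare a domain for that helper with a `domain_auto_trans(pegasus_t, pegasus_conf_exec_t, <helper domain>)` and grant the access to it, or drop the line. The trailing `;` after `can_network_tcp(pegasus_t)` and `nsswitch_domain(pegasus_t)` is inconsistent with every other macro call in the file and leaves a stray semicolon after m4 expansion; remove both. `pegasus_http_port_t` and `pegasus_https_port_t` are not declared in this hunk, so confirm they exist in the port declarations, and consider whether dac_override is really required for a CIM server alongside the `r_dir_file(pegasus_t, var_lib_t)` read of all of /var/lib.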
@@ -1261,9 +1414,22 @@
+allow ping_t init_t:fd use;
+')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.25.4/domains/program/unused/postfix.te
+--- nsapolicy/domains/program/unused/postfix.te 2005-05-07 00:41:09.000000000 -0400
++++ policy-1.25.4/domains/program/unused/postfix.te 2005-09-09 08:59:12.000000000 -0400
+@@ -329,7 +329,8 @@
+ domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
+ ')
+ ifdef(`sendmail.te', `
+-allow sendmail_t postfix_etc_t:dir search;
++r_dir_file(sendmail_t, postfix_etc_t)
++allow sendmail_t postfix_spool_t:dir search;
+ ')
+
+ # Program for creating database files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.4/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/postgresql.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/postgresql.te 2005-09-09 08:59:12.000000000 -0400
@@ -110,8 +110,8 @@
allow postgresql_t self:sem create_sem_perms;
@@ -1277,7 +1443,7 @@
ifdef(`apache.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.4/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/pppd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/pppd.te 2005-09-09 08:59:14.000000000 -0400
@@ -32,12 +32,9 @@
log_domain(pppd)
@@ -1332,7 +1498,7 @@
+domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.25.4/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/procmail.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/procmail.te 2005-09-09 08:59:14.000000000 -0400
@@ -19,8 +19,7 @@
uses_shlib(procmail_t)
allow procmail_t device_t:dir search;
@@ -1345,7 +1511,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.25.4/domains/program/unused/readahead.te
--- nsapolicy/domains/program/unused/readahead.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/domains/program/unused/readahead.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/readahead.te 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1,21 @@
+#DESC readahead - read files in page cache
+#
@@ -1370,7 +1536,7 @@
+dontaudit readahead_t device_type:blk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.4/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/rlogind.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rlogind.te 2005-09-09 08:59:14.000000000 -0400
@@ -35,4 +35,4 @@
allow rlogind_t default_t:dir search;
typealias rlogind_port_t alias rlogin_port_t;
@@ -1379,7 +1545,7 @@
+allow rlogind_t krb5_keytab_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.25.4/domains/program/unused/roundup.te
--- nsapolicy/domains/program/unused/roundup.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/domains/program/unused/roundup.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/roundup.te 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1,29 @@
+# Roundup Issue Tracking System
+#
@@ -1409,10 +1575,10 @@
+# /usr/share/mysql/charsets/Index.xml
+allow roundup_t usr_t:file { getattr read };
+allow roundup_t urandom_device_t:chr_file { getattr read };
-+
++allow roundup_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.4/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/rpcd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rpcd.te 2005-09-09 08:59:14.000000000 -0400
@@ -19,7 +19,7 @@
can_network($1_t)
allow $1_t port_type:tcp_socket name_connect;
@@ -1424,7 +1590,7 @@
dontaudit $1_t self:capability net_admin;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.4/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/rpm.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rpm.te 2005-09-09 08:59:14.000000000 -0400
@@ -114,7 +114,7 @@
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
@@ -1444,7 +1610,7 @@
domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.4/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/rsync.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/rsync.te 2005-09-09 08:59:14.000000000 -0400
@@ -14,4 +14,6 @@
inetd_child_domain(rsync)
type rsync_data_t, file_type, sysadmfile;
@@ -1455,7 +1621,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.4/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/samba.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/samba.te 2005-09-09 08:59:14.000000000 -0400
@@ -25,6 +25,9 @@
# not sure why it needs this
tmp_domain(smbd)
@@ -1507,7 +1673,7 @@
allow samba_net_t samba_etc_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.4/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te 2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/saslauthd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/saslauthd.te 2005-09-09 08:59:14.000000000 -0400
@@ -9,6 +9,7 @@
allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
@@ -1531,7 +1697,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.4/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te 2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/slocate.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/slocate.te 2005-09-09 08:59:14.000000000 -0400
@@ -10,7 +10,8 @@
# locate_exec_t is the type of the locate executable.
#
@@ -1550,9 +1716,32 @@
allow locate_t file_type:lnk_file r_file_perms;
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.25.4/domains/program/unused/snmpd.te
+--- nsapolicy/domains/program/unused/snmpd.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/domains/program/unused/snmpd.te 2005-09-09 08:59:14.000000000 -0400
+@@ -22,8 +22,9 @@
+
+ # for the .index file
+ var_lib_domain(snmpd)
+-file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
++file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
+ file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
++allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
+
+ log_domain(snmpd)
+ # for /usr/share/snmp/mibs
+@@ -33,7 +34,7 @@
+ can_udp_send(snmpd_t, sysadm_t)
+
+ allow snmpd_t self:unix_dgram_socket create_socket_perms;
+-allow snmpd_t self:unix_stream_socket create_socket_perms;
++allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+ allow snmpd_t etc_t:lnk_file read;
+ allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
+ allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.4/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/squid.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/squid.te 2005-09-09 08:59:14.000000000 -0400
@@ -60,7 +60,7 @@
can_tcp_connect(web_client_domain, squid_t)
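Review bot: The widened `file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })` in the snmpd.te hunk is still introduced only by the pre-existing comment `# for the .index file`, so a reader cannot tell which socket snmpd now creates under a var_t directory or why it belongs in snmpd_var_lib_t rather than a run-time type. I would add a comment above the changed line naming the socket path that motivated it (confirm against the AVC denial the change came from). `allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;` is the broad form for an object the domain owns; if the socket is only created and unlinked, `allow snmpd_t snmpd_var_lib_t:sock_file { create getattr setattr unlink };` is the narrower grant. The rest of snmpd.te is outside the hunk.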
@@ -1562,9 +1751,15 @@
allow squid_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
# to allow running programs from /usr/lib/squid (IE unlinkd)
+@@ -81,4 +81,5 @@
+ ifdef(`winbind.te', `
+ domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+ allow winbind_helper_t squid_t:tcp_socket rw_socket_perms;
++allow winbind_helper_t squid_log_t:file ra_file_perms;
+ ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sxid.te policy-1.25.4/domains/program/unused/sxid.te
--- nsapolicy/domains/program/unused/sxid.te 2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/sxid.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/sxid.te 2005-09-09 08:59:14.000000000 -0400
@@ -32,6 +32,7 @@
allow sxid_t ttyfile:chr_file getattr;
allow sxid_t file_type:dir { getattr read search };
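Review bot: `allow winbind_helper_t squid_log_t:file ra_file_perms;` added in the squid.te hunk grants read as well as append on squid's logs to the winbind helper, whose only plausible need is to write diagnostics to the log descriptor it inherits from squid_t. If read is not actually required (confirm with the denial that prompted the rule), `allow winbind_helper_t squid_log_t:file { getattr append };` is the least-privilege form and keeps proxy access logs unreadable from the helper. The rule sits inside the existing ifdef(winbind.te) block; the surrounding file is outside the hunk.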
@@ -1575,7 +1770,7 @@
# Use the network.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.4/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/udev.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/udev.te 2005-09-09 15:23:09.000000000 -0400
@@ -33,7 +33,7 @@
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
@@ -1585,7 +1780,7 @@
allow udev_t device_t:file { unlink rw_file_perms };
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
-@@ -140,6 +140,8 @@
+@@ -140,7 +140,13 @@
r_dir_file(udev_t, domain)
allow udev_t modules_dep_t:file r_file_perms;
@@ -1594,9 +1789,14 @@
ifdef(`unlimitedUtils', `
unconfined_domain(udev_t)
')
+ dontaudit hostname_t udev_t:fd use;
++ifdef(`use_mcs', `
++range_transition kernel_t udev_exec_t s0 - s0:c0.c127;
++range_transition initrc_t udev_exec_t s0 - s0:c0.c127;
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.25.4/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/vpnc.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/vpnc.te 2005-09-09 08:59:14.000000000 -0400
@@ -10,9 +10,9 @@
# vpnc_t is the domain for the vpnc program.
# vpnc_exec_t is the type of the vpnc executable.
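Review bot: The MCS range `s0 - s0:c0.c127` is written as a literal in both `range_transition` rules added to udev.te, and the same literal appears again in the xdm rule elsewhere in this patch, so the category ceiling is now maintained in several places. If the policy already has an m4 name for the full category range, use it here; otherwise a single shared define (for example a name like mcs_allcats) and `range_transition kernel_t udev_exec_t mcs_allcats;` keeps the entries consistent when the ceiling changes. A one-line comment explaining why udev must run with all categories (presumably because it labels device nodes used at every level, but confirm) would also help the next reader. The udev.te block continues outside the hunk.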
@@ -1642,7 +1842,7 @@
+allow vpnc_t fs_t:filesystem getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.4/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/winbind.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/winbind.te 2005-09-09 08:59:14.000000000 -0400
@@ -44,6 +44,7 @@
r_dir_file(winbind_t, samba_etc_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
@@ -1651,9 +1851,19 @@
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
can_winbind(winbind_helper_t)
allow winbind_helper_t privfd:fd use;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.25.4/domains/program/unused/xdm.te
+--- nsapolicy/domains/program/unused/xdm.te 2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.4/domains/program/unused/xdm.te 2005-09-09 08:59:14.000000000 -0400
+@@ -371,3 +371,6 @@
+ dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
+
+ #### Also see xdm_macros.te
++ifdef(`use_mcs', `
++range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypserv.te policy-1.25.4/domains/program/unused/ypserv.te
--- nsapolicy/domains/program/unused/ypserv.te 2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ypserv.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ypserv.te 2005-09-09 08:59:14.000000000 -0400
@@ -39,3 +39,4 @@
')
allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
@@ -1661,7 +1871,7 @@
+can_exec(ypserv_t, bin_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/useradd.te policy-1.25.4/domains/program/useradd.te
--- nsapolicy/domains/program/useradd.te 2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.25.4/domains/program/useradd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/useradd.te 2005-09-09 08:59:14.000000000 -0400
@@ -67,6 +67,7 @@
# for when /root is the cwd
@@ -1677,7 +1887,7 @@
+allow useradd_t var_lib_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.25.4/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/file_contexts/distros.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/distros.fc 2005-09-09 08:59:14.000000000 -0400
@@ -99,6 +99,7 @@
/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
@@ -1703,7 +1913,7 @@
+)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.4/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/apache.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/apache.fc 2005-09-09 08:59:14.000000000 -0400
@@ -7,6 +7,8 @@
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
@@ -1733,16 +1943,26 @@
ifdef(`distro_suse', `
# suse puts shell scripts there :-(
/usr/share/apache2/[^/]* -- system_u:object_r:bin_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.25.4/file_contexts/program/bluetooth.fc
+--- nsapolicy/file_contexts/program/bluetooth.fc 2005-05-25 11:28:10.000000000 -0400
++++ policy-1.25.4/file_contexts/program/bluetooth.fc 2005-09-09 08:59:14.000000000 -0400
+@@ -1,5 +1,6 @@
+ # bluetooth
+ /etc/bluetooth(/.*)? system_u:object_r:bluetooth_conf_t
++/etc/bluetooth/link_key system_u:object_r:bluetooth_conf_rw_t
+ /usr/bin/rfcomm -- system_u:object_r:bluetooth_exec_t
+ /usr/sbin/hcid -- system_u:object_r:bluetooth_exec_t
+ /usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.4/file_contexts/program/certwatch.fc
--- nsapolicy/file_contexts/program/certwatch.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/certwatch.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/certwatch.fc 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1,3 @@
+# certwatch.fc
+/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/clamav.fc policy-1.25.4/file_contexts/program/clamav.fc
--- nsapolicy/file_contexts/program/clamav.fc 2005-04-06 06:57:44.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/clamav.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/clamav.fc 2005-09-09 08:59:14.000000000 -0400
@@ -12,4 +12,4 @@
/var/run/clamd\.ctl -s system_u:object_r:clamd_sock_t
/var/run/clamd\.pid -- system_u:object_r:clamd_var_run_t
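Review bot: The added `/etc/bluetooth/link_key` entry in bluetooth.fc carries no file-type qualifier, while every neighbouring single-file entry uses `--`; as written it also matches a directory or symlink of that name, which matters because this is the one writable type carved out of the otherwise read-only bluetooth_conf_t tree. Since link_key stores the device's pairing keys (as the name suggests, confirm against the packaged hcid), I would write `/etc/bluetooth/link_key -- system_u:object_r:bluetooth_conf_rw_t` and add a comment such as `# link_key holds pairing secrets; keep bluetooth_conf_rw_t readable by bluetooth_t only`. Whether bluetooth_conf_rw_t is readable by any other domain is defined in bluetooth.te, outside this hunk.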
@@ -1751,7 +1971,7 @@
+/var/run/clamav/clamd\.sock -s system_u:object_r:clamd_sock_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.4/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/cups.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/cups.fc 2005-09-09 08:59:14.000000000 -0400
@@ -5,6 +5,7 @@
/var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
/etc/cups/client\.conf -- system_u:object_r:etc_t
@@ -1762,7 +1982,7 @@
/etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.25.4/file_contexts/program/dhcpc.fc
--- nsapolicy/file_contexts/program/dhcpc.fc 2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/dhcpc.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/dhcpc.fc 2005-09-09 08:59:14.000000000 -0400
@@ -4,6 +4,7 @@
/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
/etc/dhclient-script -- system_u:object_r:dhcp_etc_t
@@ -1773,7 +1993,7 @@
/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.25.4/file_contexts/program/dhcpd.fc
--- nsapolicy/file_contexts/program/dhcpd.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/dhcpd.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/dhcpd.fc 2005-09-09 08:59:14.000000000 -0400
@@ -3,7 +3,7 @@
/etc/dhcp3(/.*)? system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.* -- system_u:object_r:dhcpd_exec_t
@@ -1785,7 +2005,7 @@
define(`dhcp_defined')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fsadm.fc policy-1.25.4/file_contexts/program/fsadm.fc
--- nsapolicy/file_contexts/program/fsadm.fc 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/fsadm.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/fsadm.fc 2005-09-09 08:59:14.000000000 -0400
@@ -37,3 +37,4 @@
/sbin/partx -- system_u:object_r:fsadm_exec_t
/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
@@ -1793,7 +2013,7 @@
+/usr/bin/syslinux -- system_u:object_r:fsadm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.25.4/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/ipsec.fc 2005-08-25 15:59:55.000000000 -0400
++++ policy-1.25.4/file_contexts/program/ipsec.fc 2005-09-09 08:59:14.000000000 -0400
@@ -21,6 +21,7 @@
/usr/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
/usr/local/lib(64)?/ipsec/spi -- system_u:object_r:ipsec_exec_t
@@ -1804,13 +2024,28 @@
/usr/sbin/racoon -- system_u:object_r:ipsec_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/openct.fc policy-1.25.4/file_contexts/program/openct.fc
--- nsapolicy/file_contexts/program/openct.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/openct.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/openct.fc 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/sbin/openct-control -- system_u:object_r:openct_exec_t
+/var/run/openct(/.*)? system_u:object_r:openct_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.25.4/file_contexts/program/pegasus.fc
+--- nsapolicy/file_contexts/program/pegasus.fc 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.4/file_contexts/program/pegasus.fc 2005-09-09 08:59:14.000000000 -0400
+@@ -0,0 +1,11 @@
++# File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
++/usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t
++/usr/sbin/cimconfig -- system_u:object_r:pegasus_conf_exec_t
++/usr/sbin/cimuser -- system_u:object_r:pegasus_conf_exec_t
++/usr/sbin/cimauth -- system_u:object_r:pegasus_conf_exec_t
++/usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t
++/usr/lib(64)?/Pegasus/providers/.*\.so.* system_u:object_r:shlib_t
++/etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t
++/var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t
++/var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t
++/usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postfix.fc policy-1.25.4/file_contexts/program/postfix.fc
--- nsapolicy/file_contexts/program/postfix.fc 2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/postfix.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/postfix.fc 2005-09-09 08:59:14.000000000 -0400
@@ -10,6 +10,7 @@
/usr/libexec/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
/usr/libexec/postfix/showq -- system_u:object_r:postfix_showq_exec_t
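Review bot: The pattern `/usr/share/Pegasus/mof(/.*)?/.*\.mof` on the last line of the new pegasus.fc is redundant, because the optional `(/.*)?` group is always absorbed by the following `/.*\.mof`; `/usr/share/Pegasus/mof/.*\.mof -- system_u:object_r:pegasus_mof_t` matches the same paths more plainly and, with the `--` qualifier, avoids labelling a directory whose name ends in `.mof`. The `/usr/lib(64)?/Pegasus/providers/.*\.so.*` row likewise lacks `--`, unlike the executable rows above it. The pegasus_* types these rows reference are declared in a pegasus.te that is outside this hunk.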
@@ -1829,7 +2064,7 @@
/usr/lib/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/postgresql.fc policy-1.25.4/file_contexts/program/postgresql.fc
--- nsapolicy/file_contexts/program/postgresql.fc 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/postgresql.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/postgresql.fc 2005-09-09 08:59:14.000000000 -0400
@@ -14,3 +14,7 @@
/usr/lib/pgsql/test/regress/.*\.so -- system_u:object_r:shlib_t
/usr/lib/pgsql/test/regress/.*\.sh -- system_u:object_r:bin_t
@@ -1840,7 +2075,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pppd.fc policy-1.25.4/file_contexts/program/pppd.fc
--- nsapolicy/file_contexts/program/pppd.fc 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/pppd.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/pppd.fc 2005-09-09 08:59:14.000000000 -0400
@@ -13,9 +13,13 @@
/var/run/(i)?ppp.*pid -- system_u:object_r:pppd_var_run_t
/var/log/ppp-connect-errors.* -- system_u:object_r:pppd_log_t
@@ -1857,12 +2092,12 @@
-/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
+/etc/ppp/resolv\.conf -- system_u:object_r:pppd_etc_rw_t
+# Fix pptp sockets
-+/var/run/pptp(/.*)? -- system_u:object_r:pptp_var_run_t
++/var/run/pptp(/.*)? system_u:object_r:pptp_var_run_t
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- system_u:object_r:pppd_script_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/qmail.fc policy-1.25.4/file_contexts/program/qmail.fc
--- nsapolicy/file_contexts/program/qmail.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/qmail.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/qmail.fc 2005-09-09 08:59:14.000000000 -0400
@@ -17,7 +17,7 @@
/usr/sbin/splogger -- system_u:object_r:qmail_splogger_exec_t
/usr/sbin/qmail-getpw -- system_u:object_r:qmail_exec_t
@@ -1874,7 +2109,7 @@
/var/qmail/queue(/.*)? system_u:object_r:qmail_spool_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/radvd.fc policy-1.25.4/file_contexts/program/radvd.fc
--- nsapolicy/file_contexts/program/radvd.fc 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/radvd.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/radvd.fc 2005-09-09 08:59:14.000000000 -0400
@@ -2,3 +2,4 @@
/etc/radvd\.conf -- system_u:object_r:radvd_etc_t
/usr/sbin/radvd -- system_u:object_r:radvd_exec_t
@@ -1882,18 +2117,18 @@
+/var/run/radvd(/.*)? system_u:object_r:radvd_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/readahead.fc policy-1.25.4/file_contexts/program/readahead.fc
--- nsapolicy/file_contexts/program/readahead.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/readahead.fc 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/file_contexts/program/readahead.fc 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1 @@
+/usr/sbin/readahead -- system_u:object_r:readahead_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/roundup.fc policy-1.25.4/file_contexts/program/roundup.fc
--- nsapolicy/file_contexts/program/roundup.fc 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/roundup.fc 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/file_contexts/program/roundup.fc 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/bin/roundup-server -- system_u:object_r:roundup_exec_t
+/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/xdm.fc policy-1.25.4/file_contexts/program/xdm.fc
--- nsapolicy/file_contexts/program/xdm.fc 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/file_contexts/program/xdm.fc 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/file_contexts/program/xdm.fc 2005-09-09 08:59:14.000000000 -0400
@@ -3,7 +3,7 @@
/usr/X11R6/bin/[xgkw]dm -- system_u:object_r:xdm_exec_t
/opt/kde3/bin/kdm -- system_u:object_r:xdm_exec_t
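Review bot: `/var/lib/roundup(/.*)? -- system_u:object_r:roundup_var_lib_t` in the new roundup.fc restricts the match to regular files, so `/var/lib/roundup` itself and any subdirectories keep the generic var_lib_t label and roundup_t will either need extra rules or be denied when creating files there. This is the same mistake the pptp entry in pppd.fc corrects elsewhere in this patch; drop the qualifier: `/var/lib/roundup(/.*)? system_u:object_r:roundup_var_lib_t`. Whether roundup.te already grants roundup_t access to var_lib_t directories is outside this hunk.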
@@ -1905,7 +2140,7 @@
/var/log/[kw]dm\.log -- system_u:object_r:xserver_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ypserv.fc policy-1.25.4/file_contexts/program/ypserv.fc
--- nsapolicy/file_contexts/program/ypserv.fc 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.25.4/file_contexts/program/ypserv.fc 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/file_contexts/program/ypserv.fc 2005-09-09 08:59:14.000000000 -0400
@@ -1,3 +1,4 @@
# ypserv
/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
@@ -1913,7 +2148,7 @@
/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.4/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/file_contexts/types.fc 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/file_contexts/types.fc 2005-09-09 08:59:14.000000000 -0400
@@ -46,9 +46,9 @@
#
# Ordinary user home directories.
@@ -1939,7 +2174,7 @@
# /srv
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.25.4/genfs_contexts
--- nsapolicy/genfs_contexts 2005-08-11 06:57:10.000000000 -0400
-+++ policy-1.25.4/genfs_contexts 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/genfs_contexts 2005-09-09 08:59:14.000000000 -0400
@@ -95,6 +95,7 @@
genfscon inotifyfs / system_u:object_r:inotifyfs_t
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t
@@ -1950,7 +2185,7 @@
genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.4/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/base_user_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/base_user_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -21,8 +21,8 @@
type $1_untrusted_content_tmp_t, file_type, $1_file_type, sysadmfile, tmpfile, customizable, polymember;
@@ -1964,7 +2199,7 @@
read_content($1_t, $1)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.25.4/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2005-05-07 00:41:12.000000000 -0400
-+++ policy-1.25.4/macros/core_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/core_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -620,6 +620,9 @@
# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $1_devpts_t;
@@ -1977,7 +2212,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.4/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/global_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/global_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -157,6 +157,11 @@
r_dir_file($1, locale_t)
')
@@ -2037,7 +2272,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.4/macros/network_macros.te
--- nsapolicy/macros/network_macros.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/macros/network_macros.te 2005-08-29 11:49:26.000000000 -0400
++++ policy-1.25.4/macros/network_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -16,9 +16,7 @@
# Allow the domain to send or receive using any network interface.
# netif_type is a type attribute for all network interface types.
@@ -2079,7 +2314,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.4/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/macros/program/apache_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/apache_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -23,6 +23,7 @@
domain_auto_trans(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
@@ -2138,9 +2373,21 @@
')
define(`apache_user_domain', `
+@@ -189,4 +195,11 @@
+ create_dir_file($1_crond_t, httpd_$1_content_t)
+ ')
+
++ifdef(`ftpd.te', `
++if (ftp_home_dir) {
++create_dir_file(ftpd_t, httpd_$1_content_t)
++}
++')
++
++
+ ')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.25.4/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/program/cdrecord_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/cdrecord_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -27,16 +27,8 @@
can_resmgrd_connect($1_cdrecord_t)
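Review bot: The new `create_dir_file(ftpd_t, httpd_$1_content_t)` block at the end of apache_user_domain grants the FTP daemon create and write access to content httpd serves, gated only on the `ftp_home_dir` boolean, and carries no comment saying so; an administrator turning on ftp_home_dir for home-directory access will not expect it to also permit uploading into web-served directories. I would add a comment above the `ifdef`, e.g. `# with ftp_home_dir on, users may also publish to their web content (httpd_$1_content_t) over ftp`, or gate it on its own boolean if the two behaviours should be separable. The two empty lines added before the closing `')` are noise and can be dropped. The apache_user_domain macro starts outside the hunk.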
@@ -2173,7 +2420,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.4/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.4/macros/program/chkpwd_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/chkpwd_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -23,28 +23,15 @@
allow $1_chkpwd_t proc_t:file read;
@@ -2207,7 +2454,7 @@
allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.25.4/macros/program/ethereal_macros.te
--- nsapolicy/macros/program/ethereal_macros.te 2005-07-05 15:25:49.000000000 -0400
-+++ policy-1.25.4/macros/program/ethereal_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/ethereal_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -38,11 +38,10 @@
role $1_r types $1_ethereal_t;
@@ -2225,7 +2472,7 @@
# X, GNOME
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.4/macros/program/evolution_macros.te
--- nsapolicy/macros/program/evolution_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/program/evolution_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/evolution_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -64,7 +64,7 @@
allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
@@ -2237,7 +2484,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.25.4/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/macros/program/gpg_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/gpg_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -48,7 +48,7 @@
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
@@ -2249,7 +2496,7 @@
can_ps($1_t, $1_gpg_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/i18n_input_macros.te policy-1.25.4/macros/program/i18n_input_macros.te
--- nsapolicy/macros/program/i18n_input_macros.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/macros/program/i18n_input_macros.te 2005-08-25 16:34:19.000000000 -0400
++++ policy-1.25.4/macros/program/i18n_input_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -0,0 +1,21 @@
+#
+# Macros for i18n_input
@@ -2274,7 +2521,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.4/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/program/mail_client_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/mail_client_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -54,10 +54,15 @@
')
ifdef(`dbusd.te', `
@@ -2293,7 +2540,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.4/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/program/mozilla_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/mozilla_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -139,7 +139,14 @@
}
allow $1_mozilla_t texrel_shlib_t:file execmod;
@@ -2311,7 +2558,16 @@
r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.25.4/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.25.4/macros/program/mta_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/mta_macros.te 2005-09-09 08:59:14.000000000 -0400
+@@ -34,7 +34,7 @@
+
+ uses_shlib($1_mail_t)
+ can_network_client_tcp($1_mail_t)
+-allow $1_mail_t port_type:tcp_socket name_connect;
++allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;
+ can_resolve($1_mail_t)
+ can_ypbind($1_mail_t)
+ allow $1_mail_t self:unix_dgram_socket create_socket_perms;
@@ -68,7 +68,7 @@
allow system_mail_t system_crond_tmp_t:file { read getattr ioctl };
allow mta_user_agent system_crond_tmp_t:file { read getattr };
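Review bot: The changed line `allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;` in mta_macros.te is a no-op if smtp_port_t carries the port_type attribute like the other port types, since the attribute already covers it. If the intent was to document that SMTP is the expected destination, a comment is the right vehicle; if the intent was to narrow the client to SMTP only, the rule should become `allow $1_mail_t smtp_port_t:tcp_socket name_connect;` and drop `port_type`, which currently lets every user mail client connect to any labelled port. The declaration of smtp_port_t is outside this hunk.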
@@ -2323,7 +2579,7 @@
# For when the user wants to send mail via port 25 localhost
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/pyzor_macros.te policy-1.25.4/macros/program/pyzor_macros.te
--- nsapolicy/macros/program/pyzor_macros.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/macros/program/pyzor_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/pyzor_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -64,6 +64,6 @@
# Allow pyzor to be run by hand. Needed by any action other than
@@ -2334,7 +2590,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/razor_macros.te policy-1.25.4/macros/program/razor_macros.te
--- nsapolicy/macros/program/razor_macros.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/macros/program/razor_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/razor_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -70,6 +70,6 @@
# Allow razor to be run by hand. Needed by any action other than
@@ -2345,7 +2601,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.25.4/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/program/spamassassin_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/spamassassin_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -85,7 +85,7 @@
spamassassin_agent_privs($1_spamassassin_t, $1)
@@ -2357,7 +2613,7 @@
allow $1_spamassassin_t port_type:tcp_socket name_connect;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.4/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te 2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.25.4/macros/program/su_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/su_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -23,9 +23,13 @@
define(`su_restricted_domain', `
@@ -2385,7 +2641,7 @@
dontaudit $1_su_t shadow_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.4/macros/program/thunderbird_macros.te
--- nsapolicy/macros/program/thunderbird_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/program/thunderbird_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/thunderbird_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -38,6 +38,7 @@
x_client_domain($1_thunderbird, $1)
mail_client_domain($1_thunderbird, $1)
@@ -2407,7 +2663,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.25.4/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te 2005-04-27 10:28:55.000000000 -0400
-+++ policy-1.25.4/macros/program/uml_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/program/uml_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -81,7 +81,7 @@
allow uml_net_t $1_uml_t:unix_stream_socket { read write };
allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
@@ -2419,7 +2675,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.25.4/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-08-11 06:57:18.000000000 -0400
-+++ policy-1.25.4/macros/user_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/user_macros.te 2005-09-09 08:59:14.000000000 -0400
@@ -121,6 +121,7 @@
# user domains.
ifelse($1, sysadm, `',`
@@ -2430,13 +2686,13 @@
ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.25.4/Makefile
--- nsapolicy/Makefile 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/Makefile 2005-08-27 04:40:05.000000000 -0400
++++ policy-1.25.4/Makefile 2005-09-09 14:58:34.000000000 -0400
@@ -15,6 +15,9 @@
# Set to y if MLS is enabled in the policy.
MLS=n
+# Set to y if MCS is enabled in the policy
-+MCS=n
++MCS=y
+
FLASKDIR = flask/
PREFIX = /usr
@@ -2508,7 +2764,7 @@
+ @for file in $(USER_FILES); do \
+ echo "Converting $$file"; \
+ sed -r -e 's/\;/ level s0 range s0;/' $$file | \
-+ sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
++ sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
+ mv $$file.new $$file; \
+ done
+ @echo "Enabling MCS in the Makefile"
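Review bot: The mcsconvert sed pipeline is not safe to rerun: the first sed replaces the first `;` on every line of each USER_FILES file with ` level s0 range s0;`, so running the target on an already converted file appends a second level/range clause and yields an invalid user declaration, and any non-`user` line containing a `;` is rewritten the same way. Restricting the substitution to user statements, e.g. `sed -r -e '/^user /s/;/ level s0 range s0;/'`, and skipping lines that already contain `level` would make the conversion idempotent. With the Makefile hunk above now defaulting to `MCS=y`, the "Enabling MCS in the Makefile" step that follows looks redundant and could be dropped or documented. The mcsconvert rule's header lies outside this hunk.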
@@ -2518,8 +2774,8 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.25.4/mcs
--- nsapolicy/mcs 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.4/mcs 2005-08-25 10:28:35.000000000 -0400
-@@ -0,0 +1,216 @@
++++ policy-1.25.4/mcs 2005-09-09 15:55:24.000000000 -0400
+@@ -0,0 +1,226 @@
+#
+# Define sensitivities
+#
@@ -2722,13 +2978,23 @@
+#
+# Only files are constrained by MCS at this stage.
+#
-+mlsconstrain file { read write setattr append unlink link rename
++mlsconstrain file { write setattr append unlink link rename
+ create ioctl lock execute } (h1 dom h2);
+
++mlsconstrain file { read } ((h1 dom h2) or
++ ( t1 == mlsfileread ));
++
++
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+ ( h1 dom h2 );
+
++define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
++link unlink rename relabelfrom relabelto }')
++
++define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
++rename search add_name remove_name reparent write rmdir relabelfrom
++relabelto }')
+
+# XXX
+#
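Review bot: The new constraint `mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread ));` turns the mlsfileread attribute into a blanket exemption from the category check on file reads, but nothing in the file records that, and the heading above still only says that files are constrained. A comment next to it such as `# Domains carrying mlsfileread may read files of any category; grant the attribute only to domains that must scan all users' data` would make the exemption visible to whoever audits which domains carry it. Note also that getattr appears in neither constraint, which is presumably why the nogetattr_file_perms and nogetattr_dir_perms sets are introduced here; a short comment above the defines stating that would save the reader the inference.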
@@ -2738,8 +3004,28 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.4/net_contexts
--- nsapolicy/net_contexts 2005-08-11 06:57:10.000000000 -0400
-+++ policy-1.25.4/net_contexts 2005-08-25 10:28:35.000000000 -0400
-@@ -223,14 +223,6 @@
++++ policy-1.25.4/net_contexts 2005-09-09 08:59:14.000000000 -0400
+@@ -50,6 +50,10 @@
+ portcon tcp 53 system_u:object_r:dns_port_t
+
+ portcon udp 67 system_u:object_r:dhcpd_port_t
++portcon udp 647 system_u:object_r:dhcpd_port_t
++portcon tcp 647 system_u:object_r:dhcpd_port_t
++portcon udp 847 system_u:object_r:dhcpd_port_t
++portcon tcp 847 system_u:object_r:dhcpd_port_t
+ portcon udp 68 system_u:object_r:dhcpc_port_t
+ portcon udp 70 system_u:object_r:gopher_port_t
+ portcon tcp 70 system_u:object_r:gopher_port_t
+@@ -164,6 +168,8 @@
+ portcon tcp 50000 system_u:object_r:hplip_port_t
+ portcon tcp 50002 system_u:object_r:hplip_port_t
+ portcon tcp 5900 system_u:object_r:vnc_port_t
++portcon tcp 5988 system_u:object_r:pegasus_http_port_t
++portcon tcp 5989 system_u:object_r:pegasus_https_port_t
+ portcon tcp 6000 system_u:object_r:xserver_port_t
+ portcon tcp 6001 system_u:object_r:xserver_port_t
+ portcon tcp 6002 system_u:object_r:xserver_port_t
+@@ -223,14 +229,6 @@
#
# interface netif_context default_msg_context
#
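Review bot: The four new `portcon` lines that extend dhcpd_port_t to tcp/udp 647 and 847 carry no comment; these are the DHCP failover peer ports, and labelling them with the server's type means every domain already allowed to bind or connect to dhcpd_port_t, not only dhcpd, gains them. A one-line comment above them, `# 647/847: dhcpd failover peer ports, labelled with the server's port type`, would record the intent. The pegasus 5988/5989 entries rely on the two port types declared in the types/network.te hunk later in this patch, so the two hunks must land together.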
@@ -2756,7 +3042,7 @@
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.25.4/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.25.4/targeted/appconfig/root_default_contexts 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/targeted/appconfig/root_default_contexts 2005-09-09 08:59:14.000000000 -0400
@@ -1,2 +1,6 @@
system_r:unconfined_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
@@ -2766,7 +3052,7 @@
+system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.25.4/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.25.4/targeted/assert.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/targeted/assert.te 2005-09-09 08:59:14.000000000 -0400
@@ -24,7 +24,7 @@
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
@@ -2776,18 +3062,41 @@
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
#
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.25.4/targeted/domains/program/ssh.te
+--- nsapolicy/targeted/domains/program/ssh.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/targeted/domains/program/ssh.te 2005-09-09 08:59:14.000000000 -0400
+@@ -17,3 +17,6 @@
+ type sshd_key_t, file_type, sysadmfile;
+ type sshd_var_run_t, file_type, sysadmfile;
+ domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
++ifdef(`use_mcs', `
++range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.25.4/targeted/domains/program/xdm.te
+--- nsapolicy/targeted/domains/program/xdm.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/targeted/domains/program/xdm.te 2005-09-09 15:23:29.000000000 -0400
+@@ -20,3 +20,7 @@
+ type xdm_tmp_t, file_type, sysadmfile;
+ domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
+ domain_auto_trans(init_t, xdm_exec_t, xdm_t)
++ifdef(`use_mcs', `
++range_transition init_t xdm_exec_t s0 - s0:c0.c127;
++range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
++')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.4/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-07-12 08:50:44.000000000 -0400
-+++ policy-1.25.4/targeted/domains/unconfined.te 2005-08-25 10:49:37.000000000 -0400
-@@ -16,6 +16,7 @@
++++ policy-1.25.4/targeted/domains/unconfined.te 2005-09-09 11:40:35.000000000 -0400
+@@ -14,8 +14,8 @@
+
+ # Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
- typealias bin_t alias su_exec_t;
+-typealias bin_t alias su_exec_t;
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
typeattribute tty_device_t admin_tty_type;
typeattribute devpts_t admin_tty_type;
-@@ -63,6 +64,7 @@
+@@ -63,6 +63,7 @@
bool use_samba_home_dirs false;
ifdef(`samba.te', `samba_domain(user)')
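Review bot: The `range_transition` added to targeted ssh.te covers only initrc_t on sshd_exec_t, whereas the xdm.te hunk right below it adds transitions from both init_t and initrc_t; if sshd can also be spawned directly by init_t, as xdm evidently can, an sshd started that way would inherit init_t's range instead of s0 - s0:c0.c127, so a matching `range_transition init_t sshd_exec_t s0 - s0:c0.c127;` inside the same ifdef seems worth confirming. In the unconfined.te part of this hunk the line `typealias bin_t alias su_exec_t;` is now removed, which is consistent with su.te being added to the compiled file list in the spec, but a comment at the removal site noting that su_exec_t now comes from su.te would spare the next reader the cross-reference.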
@@ -2795,7 +3104,7 @@
# Allow system to run with NIS
bool allow_ypbind false;
-@@ -77,3 +79,7 @@
+@@ -77,3 +78,14 @@
allow domain self:process execmem;
}
@@ -2803,9 +3112,16 @@
+typealias bin_t alias i18n_input_exec_t;
+typealias unconfined_t alias i18n_input_t;
+typealias var_run_t alias i18n_input_var_run_t;
++# Needed to get su working
++bool secure_mode false;
++typealias unconfined_t alias { sysadm_chkpwd_t };
++typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
++su_domain(sysadm)
++typeattribute sysadm_su_t unrestricted;
++role system_r types sysadm_su_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.25.4/tunables/distro.tun 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/tunables/distro.tun 2005-09-09 08:59:14.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
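Review bot: `typeattribute sysadm_su_t unrestricted;` exempts the new su domain from the assert.te checks earlier in this patch (`neverallow { domain -unrestricted } unconfined_t:process ~sigchld;` and the dir assertion), so sysadm_su_t ends up as privileged as unconfined_t with respect to those assertions, and the single comment `# Needed to get su working` does not say that. Replacing it with `# su.te is now compiled in (see spec); sysadm_su_t is marked unrestricted so the assert.te neverallows against unconfined_t do not apply to it, i.e. it is effectively unconfined` would make the privilege visible. `bool secure_mode false;` is also declared here; since su.te is now included, confirm no other compiled file declares the same boolean, as a duplicate declaration would fail the policy build.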
@@ -2817,7 +3133,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.4/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-08-11 06:57:20.000000000 -0400
-+++ policy-1.25.4/tunables/tunable.tun 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/tunables/tunable.tun 2005-09-09 16:04:13.000000000 -0400
@@ -1,5 +1,5 @@
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
@@ -2834,9 +3150,14 @@
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
+@@ -32,3 +32,4 @@
+
+ # Enable Polyinstantiation support
+ dnl define(`support_polyinstatiation')
++
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.25.4/types/file.te
--- nsapolicy/types/file.te 2005-08-11 06:57:20.000000000 -0400
-+++ policy-1.25.4/types/file.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/types/file.te 2005-09-09 08:59:14.000000000 -0400
@@ -325,6 +325,9 @@
type inotifyfs_t, fs_type, sysadmfile;
allow inotifyfs_t self:filesystem associate;
@@ -2857,7 +3178,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.4/types/network.te
--- nsapolicy/types/network.te 2005-08-11 06:57:20.000000000 -0400
-+++ policy-1.25.4/types/network.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/types/network.te 2005-09-09 08:59:14.000000000 -0400
@@ -74,15 +74,6 @@
# interfaces in net_contexts or net_contexts.mls.
#
@@ -2874,9 +3195,18 @@
#
# node_t is the default type of network nodes.
+@@ -129,6 +120,8 @@
+ type zebra_port_t, port_type;
+ type i18n_input_port_t, port_type;
+ type vnc_port_t, port_type;
++type pegasus_http_port_t, port_type;
++type pegasus_https_port_t, port_type;
+ type openvpn_port_t, port_type;
+ type clamd_port_t, port_type, reserved_port_type;
+ type transproxy_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.25.4/types/security.te
--- nsapolicy/types/security.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.4/types/security.te 2005-08-29 09:59:24.000000000 -0400
++++ policy-1.25.4/types/security.te 2005-09-09 08:59:14.000000000 -0400
@@ -19,6 +19,10 @@
# the security server policy configuration.
#
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.369
retrieving revision 1.370
diff -u -r1.369 -r1.370
--- selinux-policy-targeted.spec 29 Aug 2005 17:47:56 -0000 1.369
+++ selinux-policy-targeted.spec 14 Sep 2005 16:51:15 -0000 1.370
@@ -4,21 +4,23 @@
%define PRE_FILE_CONTEXT %{FILE_CONTEXT}.pre
%define POLICYVER 20
%define PREVPOLICYVER 19
-%define POLICYCOREUTILSVER 1.25.5-2
+%define POLICYCOREUTILSVER 1.25.9-1
%define CHECKPOLICYVER 1.25.11-2
-%define LIBSELINUXVER 1.23.5-1
+%define LIBSELINUXVER 1.26-2
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
-Version: 1.25.4
-Release: 11
+Version: 1.26
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
Source1: booleans
BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050811.patch
+Patch: policy-20050912.patch
Patch1: policy-%{type}.patch
+Patch2: policy-mcs.patch
+Patch3: policy-mcsroot.patch
BuildArch: noarch
BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
@@ -45,16 +47,14 @@
%setup -q -n policy-%{version}
%patch0 -p1
%patch1 -p1
+#%patch2 -p1
-%build
mv domains/misc/*.te domains/misc/unused
cp domains/misc/unused/local.te domains/misc/
mv domains/misc/unused/kernel.te domains/misc/
mv domains/program/*.te domains/program/unused/
rm domains/*.te
-for i in acct.te anaconda.te amanda.te apache.te apmd.te arpwatch.te auditd.te bluetooth.te checkpolicy.te canna.te cardmgr.te chkpwd.te comsat.te consoletype.te cpucontrol.te cpuspeed.te cups.te cvs.te cyrus.te dbskkd.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te firstboot.te fsadm.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te hwclock.te kudzu.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te load_policy.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te passwd.te ping.te portmap.te postfix.te postgresql.te pppd.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te saslauthd.te samba.te setfiles.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te webalizer.te winbind.te ypbind.te ypserv.te zebra.te; do
-mv domains/program/unused/$i domains/program/
-done
+(cd domains/program/unused; mv acct.te anaconda.te amanda.te apache.te apmd.te arpwatch.te auditd.te bluetooth.te checkpolicy.te canna.te cardmgr.te chkpwd.te comsat.te consoletype.te cpucontrol.te cpuspeed.te cups.te cvs.te cyrus.te dbskkd.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te firstboot.te fsadm.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te hwclock.te kudzu.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te load_policy.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te passwd.te pegasus.te ping.te portmap.te postfix.te postgresql.te pppd.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te saslauthd.te samba.te setfiles.te slapd.te snmpd.te squid.te stunnel.te su.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te webalizer.te winbind.te ypbind.te ypserv.te zebra.te ../)
rm -rf domains/program/unused
rm -rf domains/misc/unused
cp -R %{type}/* .
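Review bot: `Patch2: policy-mcs.patch` and `Patch3: policy-mcsroot.patch` are declared in the header hunk above, but this %prep hunk applies neither: `%patch2 -p1` is commented out and there is no `%patch3` line at all. rpmbuild still requires both files to be present to build the source package, so they are dead weight unless they are meant to be applied; either drop the two Patch lines or add `%patch2 -p1` and `%patch3 -p1`. If the MCS patch is deliberately disabled for now, a comment beside `#%patch2 -p1` saying why would save the next packager the guess.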
@@ -64,7 +64,12 @@
echo "define(\`unlimitedInetd')" >> tunables/tunable.tun
echo "define(\`unlimitedRC')" >> tunables/tunable.tun
echo "define(\`unlimitedUtils')" >> tunables/tunable.tun
+echo "define(\`use_mcs')" >> tunables/tunable.tun
+make mcsconvert
+
+%build
make policy
+make file_contexts/file_contexts
rm -rf tmp
%install
@@ -165,7 +170,8 @@
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && [ -e /selinux/policyvers ]; then
. /etc/selinux/config
- if [ "${SELINUXTYPE}" = "%{type}" -a ! -s %{POLICYDIR}/src/policy/Makefile ]; then
+ MLS=`cat /selinux/mls`
+ if [ "${SELINUXTYPE}" = "%{type}" -a ! -s %{POLICYDIR}/src/policy/Makefile -a ${MLS} -eq 1 ]; then
[ -x /usr/sbin/load_policy ] && /usr/sbin/load_policy %{POLICYDIR}/policy/policy.`cat /selinux/policyvers`
[ -f %{PRE_FILE_CONTEXT} ] && fixfiles -l /dev/null -C %{PRE_FILE_CONTEXT} restore && rm -f %{PRE_FILE_CONTEXT}
fi
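Review bot: The backtick assignment of MLS from /selinux/mls is unguarded: the enclosing condition only checks for /selinux/policyvers, so on a kernel whose selinuxfs has no mls node the cat fails, MLS is empty, the `${MLS} -eq 1` test errors out and the freshly installed policy is silently never loaded. Use `MLS=$(cat /selinux/mls 2>/dev/null || echo 0)` and compare with `"${MLS}" = 1`, and print a message in an else branch so an unloaded policy is noticed. The same pattern appears in the %post sources hunk below.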
@@ -228,16 +234,29 @@
%ghost %{_sysconfdir}/selinux/%{type}/src/policy/tmp
%post sources
-if [ -x /usr/sbin/selinuxenabled -a -f /etc/selinux/config ]; then
+if [ -x /usr/sbin/selinuxenabled -a -f /etc/selinux/config ] && /usr/sbin/selinuxenabled; then
. /etc/selinux/config
- if [ "${SELINUXTYPE}" = "%{type}" ] && /usr/sbin/selinuxenabled; then
- make -C %{POLICYDIR}/src/policy -W %{POLICYDIR}/src/policy/users load > /dev/null 2>&1
+ MLS=`cat /selinux/mls`
+ make -C %{POLICYDIR}/src/policy -W %{POLICYDIR}/src/policy/users > /dev/null 2>&1
+ if [ "${SELINUXTYPE}" = "%{type}" -a ${MLS} -eq 1 ]; then
+ make -C %{POLICYDIR}/src/policy load > /dev/null 2>&1
[ -f %{PRE_FILE_CONTEXT} ] && fixfiles -l /dev/null -C %{PRE_FILE_CONTEXT} restore && rm -f %{PRE_FILE_CONTEXT}
fi
fi
exit 0
%changelog
+* Tue Sep 13 2005 Dan Walsh <dwalsh at redhat.com> 1.26-1
+- Update to latest from NSA
+- Update to MCS policy
+
+* Tue Sep 6 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-13
+- Fix roundup policy
+
+* Thu Sep 1 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-12
+- Add MCS Policy....
+- Fixes for bluetooth
+
* Mon Aug 29 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-11
- Change can_resolv to allow tcp_socket name_connect to dns port.
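Review bot: In %post sources the `make -C %{POLICYDIR}/src/policy -W %{POLICYDIR}/src/policy/users` rebuild now runs before the SELINUXTYPE check, so installing the sources subpackage on a host running the other policy type still rebuilds this tree, whereas previously both the rebuild and the load sat behind that check. If the unconditional rebuild is intended, a comment such as `# rebuild unconditionally so the tree is current; only load when this is the active policy type` would document it; otherwise move the make inside the `if`. The enclosing scriptlet starts inside this hunk, but the changelog entries that follow are unrelated to it.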
@@ -435,6 +454,7 @@
* Thu Jun 9 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-3
- Add /etc/profile.d/selinux.sh /etc/profile.d/selinux.csh for strict
- move ice_tmp_t definition for mls
+- More cleanup
* Wed Jun 8 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-2
- Add alsa policy
@@ -546,7 +566,7 @@
cleanups and fixes.
-* Thu May 5 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-4
+* Thu May 5 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-3
- Add debugfs
- Add Russell fixes for restorecon, games
- Turn off user_canbe_sysadm
@@ -614,7 +634,7 @@
* Fri Apr 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-4
- Fix consoletype
-- Add udev, hotplug, consoletype,restorecon to targeted
+- Add kernel_t, udev, hotplug, consoletype,restorecon to targeted
* Thu Apr 21 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-2
- Fix conflicting context files
@@ -674,6 +694,11 @@
- Fix patch
- Remove unlimited tunables from strict
+* Tue Apr 12 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-2
+- Fix Makefile to load policy before installing FC
+- Fix patch
+- Remove unlimited tunables from strict
+
* Tue Apr 12 2005 Dan Walsh <dwalsh at redhat.com> 1.23.10-1
- Add dbusd.te
- Fix adobe
@@ -724,6 +749,7 @@
* Thu Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.5-2
- Handle booleans.local
+- Add policy to handle ssh-keysign
* Thu Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.5-1
- Update to latest from NSA
@@ -766,14 +792,14 @@
- Add gift from Ivan Gyurdiev
* Thu Mar 10 2005 Dan Walsh <dwalsh at redhat.com> 1.22.1-3
-- Add consoletype.te
+- Add consoletype.te to targeted policy
- Fix filecontext.homedirs handling
* Thu Mar 10 2005 Dan Walsh <dwalsh at redhat.com> 1.22.1-1
- Update to latest from NSA
- Dontaudit pam_timestamp calls to utmp
-* Wed Mar 9 2005 Dan Walsh <dwalsh at redhat.com> 1.21.16-4
+* Wed Mar 9 2005 Dan Walsh <dwalsh at redhat.com> 1.21.16-3
- Add in ifconfig and hostname to make dhcpc work
- Add dontaudit for some net_admin calls
- Add users directory to targeted
@@ -809,6 +835,12 @@
* Thu Feb 24 2005 Dan Walsh <dwalsh at redhat.com> 1.21.15-1
- Update from NSA
+* Wed Feb 23 2005 Dan Walsh <dwalsh at redhat.com> 1.21.14-4
+- Lots of fix patches from Ivan
+
+* Mon Feb 21 2005 Dan Walsh <dwalsh at redhat.com> 1.21.14-3
+- Lots of fix patches from Ivan
+
* Mon Feb 21 2005 Dan Walsh <dwalsh at redhat.com> 1.21.14-2
- Lots of fix patches from Ivan
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/sources,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- sources 11 Aug 2005 11:41:23 -0000 1.122
+++ sources 14 Sep 2005 16:51:15 -0000 1.123
@@ -1 +1 @@
-c2f1b1652314ae29e3a6b3b42e69a13e policy-1.25.4.tgz
+f5dee845f597ee2a7b93d1e3cf9013fe policy-1.26.tgz
--- policy-20050606.patch DELETED ---
--- policy-20050629.patch DELETED ---
--- policy-20050706.patch DELETED ---
--- policy-20050712.patch DELETED ---
--- policy-20050719.patch DELETED ---