rpms/selinux-policy/FC-6 booleans-mls.conf, 1.4, 1.5 policy-20061106.patch, 1.6, 1.7 selinux-policy.spec, 1.331, 1.332
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Dec 22 16:52:42 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv3420
Modified Files:
booleans-mls.conf policy-20061106.patch selinux-policy.spec
Log Message:
* Wed Dec 20 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-17
Index: booleans-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/booleans-mls.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- booleans-mls.conf 30 Oct 2006 22:26:17 -0000 1.4
+++ booleans-mls.conf 22 Dec 2006 16:52:38 -0000 1.5
@@ -215,3 +215,8 @@
# Allow mount command to mounton any directory
#
allow_mounton_anydir = true
+
+# Allow unlabeled packets to flow
+#
+allow_unlabeled_packets = true
+
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 48 ++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 9
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 2
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 46 +-
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 5
policy/modules/admin/usermanage.te | 21 +
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 4
policy/modules/kernel/corecommands.if | 36 ++
policy/modules/kernel/corenetwork.if.in | 97 ++++++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 180 +++++++++++
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.if | 61 +++
policy/modules/kernel/kernel.te | 4
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 92 +++--
policy/modules/services/cron.te | 30 +
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 14
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/inetd.te | 9
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 56 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 14
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 74 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/radvd.te | 2
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 8
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 69 ++++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.if | 3
policy/modules/system/init.te | 27 +
policy/modules/system/iptables.te | 7
policy/modules/system/libraries.fc | 28 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 9
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 79 +++++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 113 +++++++
policy/modules/system/selinuxutil.te | 107 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 34 ++
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 19 +
policy/modules/system/userdomain.if | 504 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 60 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
140 files changed, 2383 insertions(+), 463 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20061106.patch 14 Dec 2006 20:59:24 -0000 1.6
+++ policy-20061106.patch 22 Dec 2006 16:52:38 -0000 1.7
@@ -225,7 +225,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.6/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-19 16:04:18.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -251,8 +251,17 @@
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-12-12 15:19:22.000000000 -0500
-@@ -163,9 +163,6 @@
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-12-22 10:37:04.000000000 -0500
+@@ -93,6 +93,8 @@
+ fs_manage_dos_files(bootloader_t)
+
+ mls_file_read_up(bootloader_t)
++mls_file_write_down(bootloader_t)
++
+
+ term_getattr_all_user_ttys(bootloader_t)
+ term_dontaudit_manage_pty_dirs(bootloader_t)
+@@ -163,9 +165,6 @@
# new file system defaults to file_t, granting file_t access is still bad.
allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
@@ -262,7 +271,7 @@
# new file system defaults to file_t, granting file_t access is still bad.
files_manage_isid_type_dirs(bootloader_t)
files_manage_isid_type_files(bootloader_t)
-@@ -218,3 +215,7 @@
+@@ -218,3 +217,7 @@
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
')
@@ -342,8 +351,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.6/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-12-12 15:19:22.000000000 -0500
-@@ -53,6 +53,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-12-20 09:54:52.000000000 -0500
+@@ -53,10 +53,12 @@
corecmd_exec_ls(logwatch_t)
dev_read_urand(logwatch_t)
@@ -351,9 +360,14 @@
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
+
++files_list_var(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
+ files_read_usr_files(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.6/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-12-19 16:04:18.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
@@ -503,7 +517,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.6/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.te 2006-12-13 11:09:03.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.te 2006-12-19 16:04:18.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -671,7 +685,7 @@
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-21 10:04:42.000000000 -0500
@@ -112,6 +112,7 @@
files_manage_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
@@ -697,9 +711,51 @@
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
+@@ -486,6 +488,8 @@
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
+
++mls_file_upgrade(useradd_t)
++
+ # Allow access to context for shadow file
+ selinux_get_fs_mount(useradd_t)
+ selinux_validate_context(useradd_t)
+@@ -517,21 +521,28 @@
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
++seutil_domtrans_semanage(useradd_t)
++seutil_domtrans_restorecon(useradd_t)
++# Required because semanage execs these and hands them useradd_t:fd
++seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
+
+ userdom_use_unpriv_users_fds(useradd_t)
+ # for when /root is the cwd
+ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
+ # Add/remove user home directories
+ userdom_home_filetrans_generic_user_home_dir(useradd_t)
+-userdom_manage_generic_user_home_content_dirs(useradd_t)
+-userdom_manage_generic_user_home_content_files(useradd_t)
+-userdom_manage_generic_user_home_dirs(useradd_t)
+-userdom_manage_staff_home_dirs(useradd_t)
++userdom_manage_all_users_home_content_dirs(useradd_t)
++userdom_manage_all_users_home_content_files(useradd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+
+ mta_manage_spool(useradd_t)
+
+ optional_policy(`
++ apache_manage_all_content(useradd_t)
++')
++
++optional_policy(`
+ dpkg_use_fds(useradd_t)
+ dpkg_rw_pipes(useradd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-2.4.6/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/gpg.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gpg.if 2006-12-19 16:04:18.000000000 -0500
@@ -87,6 +87,7 @@
allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
@@ -855,7 +911,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-12-14 10:49:28.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-12-21 15:49:10.000000000 -0500
@@ -998,9 +998,11 @@
interface(`corenet_tcp_sendrecv_reserved_port',`
gen_require(`
@@ -954,7 +1010,43 @@
## Read and write the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
-@@ -1875,3 +1906,21 @@
+@@ -1494,6 +1525,35 @@
+
+ ########################################
+ ## <summary>
++## Receive Raw IP packets from a NetLabel connection.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_raw_recv_netlabel',`
++ kernel_raw_recvfrom_unlabeled($1)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to receive Raw IP packets from a NetLabel
++## connection.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_raw_recv_netlabel',`
++ kernel_dontaudit_raw_recvfrom_unlabeled($1)
++')
++
++########################################
++## <summary>
+ ## Send generic client packets.
+ ## </summary>
+ ## <param name="domain">
+@@ -1875,3 +1935,40 @@
typeattribute $1 corenet_unconfined_type;
')
@@ -976,6 +1068,25 @@
+
+ dontaudit $1 port_type:udp_socket name_bind;
+')
++
++########################################
++## <summary>
++## Bind TCP sockets to all ports > 1024.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`corenet_tcp_bind_all_unreserved_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in 2006-12-13 13:25:18.000000000 -0500
@@ -1108,7 +1219,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2006-12-14 10:20:50.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2006-12-20 16:22:09.000000000 -0500
@@ -353,8 +353,7 @@
########################################
@@ -1234,7 +1345,7 @@
')
########################################
-@@ -4559,3 +4615,95 @@
+@@ -4559,3 +4615,115 @@
typealias etc_runtime_t alias $1;
')
@@ -1330,6 +1441,26 @@
+
+ typealias etc_t alias $1;
+')
++
++########################################
++## <summary>
++## read all tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_all_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:dir search_dir_perms;
++ allow $1 tmpfile:file r_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.6/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2006-12-12 15:19:22.000000000 -0500
@@ -1360,9 +1491,80 @@
+
+# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
+fs_associate_noxattr(noxattrfs)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.4.6/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-11-16 17:15:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/kernel.if 2006-12-19 16:04:18.000000000 -0500
+@@ -2327,6 +2327,67 @@
+
+ ########################################
+ ## <summary>
++## Receive Raw IP packets from a NetLabel connection.
++## </summary>
++## <desc>
++## <p>
++## Receive Raw IP packets from a NetLabel connection, NetLabel is an
++## explicit packet labeling framework which implements CIPSO and
++## similar protocols.
++## </p>
++## <p>
++## The corenetwork interface
++## corenet_raw_recv_netlabel() should
++## be used instead of this one.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_raw_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:rawip_socket recvfrom;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to receive Raw IP packets from a NetLabel
++## connection.
++## </summary>
++## <desc>
++## <p>
++## Do not audit attempts to receive Raw IP packets from a NetLabel
++## connection. NetLabel is an explicit packet labeling framework
++## which implements CIPSO and similar protocols.
++## </p>
++## <p>
++## The corenetwork interface
++## corenet_dontaudit_raw_recv_netlabel() should
++## be used instead of this one.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:rawip_socket recvfrom;
++')
++
++########################################
++## <summary>
+ ## Send and receive unlabeled packets.
+ ## </summary>
+ ## <desc>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.4.6/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/kernel.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/kernel.te 2006-12-21 11:48:37.000000000 -0500
@@ -138,6 +138,8 @@
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -1372,9 +1574,18 @@
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
+@@ -345,7 +347,7 @@
+ # Rules for unconfined acccess to this module
+ #
+
+-allow kern_unconfined proc_type:{ dir file } *;
++allow kern_unconfined proc_type:{ dir file lnk_file } *;
+
+ allow kern_unconfined sysctl_t:{ dir file } *;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.4.6/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2006-12-12 16:39:31.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2006-12-20 15:56:34.000000000 -0500
@@ -100,16 +100,16 @@
## </summary>
## <param name="domain">
@@ -1396,6 +1607,33 @@
')
########################################
+@@ -154,6 +154,26 @@
+ ########################################
+ ## <summary>
+ ## Make specified domain MLS trusted
++## for writing to sockets at any level
++## that is dominated by the process clearance.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mls_socket_write_to_clearance',`
++ gen_require(`
++ attribute mlsnetwritetoclr;
++ ')
++
++ typeattribute $1 mlsnetwritetoclr;
++')
++
++########################################
++## <summary>
++## Make specified domain MLS trusted
+ ## for writing to sockets at any level.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.4.6/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/mls.te 2006-12-12 16:40:02.000000000 -0500
@@ -1581,7 +1819,7 @@
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/automount.te 2006-12-14 10:21:34.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/automount.te 2006-12-18 14:46:17.000000000 -0500
@@ -13,8 +13,7 @@
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -1592,6 +1830,15 @@
type automount_lock_t;
files_lock_file(automount_lock_t)
+@@ -28,7 +27,7 @@
+ # Local policy
+ #
+
+-allow automount_t self:capability { net_bind_service sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability { net_bind_service setgid sys_nice sys_resource dac_override sys_admin };
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_file_perms;
@@ -40,9 +39,6 @@
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
@@ -1675,8 +1922,16 @@
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.6/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-12-12 15:19:22.000000000 -0500
-@@ -54,9 +54,6 @@
++++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-12-15 17:09:05.000000000 -0500
+@@ -35,6 +35,7 @@
+ #
+ template(`cron_per_role_template',`
+ gen_require(`
++ class context contains;
+ attribute cron_spool_type;
+ type crond_t, cron_spool_t, crontab_exec_t;
+ ')
+@@ -54,9 +55,6 @@
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
@@ -1686,7 +1941,65 @@
##############################
#
# $1_crond_t local policy
-@@ -138,6 +135,7 @@
+@@ -67,6 +65,7 @@
+ allow $1_crond_t self:fifo_file rw_file_perms;
+ allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_crond_t self:unix_dgram_socket create_socket_perms;
++ allow $1_crond_t self:context contains;
+
+ # The entrypoint interface is not used as this is not
+ # a regular entrypoint. Since crontab files are
+@@ -114,8 +113,43 @@
+ domain_dontaudit_read_all_domains_state($1_crond_t)
+ domain_dontaudit_getattr_all_domains($1_crond_t)
+
++ files_read_etc_files($1_crond_t)
++ files_read_etc_runtime_files($1_crond_t)
+ files_read_usr_files($1_crond_t)
++ # Read directories and files with the readable_t type.
++ # This type is a general type for "world"-readable files.
++ files_list_world_readable($1_crond_t)
++ files_read_world_readable_files($1_crond_t)
++ files_read_world_readable_symlinks($1_crond_t)
++ files_read_world_readable_pipes($1_crond_t)
++ files_read_world_readable_sockets($1_crond_t)
++ # old broswer_domain():
++ files_dontaudit_list_non_security($1_crond_t)
++ files_dontaudit_getattr_non_security_files($1_crond_t)
++ files_dontaudit_getattr_non_security_symlinks($1_crond_t)
++ files_dontaudit_getattr_non_security_pipes($1_crond_t)
++ files_dontaudit_getattr_non_security_sockets($1_crond_t)
++ files_dontaudit_getattr_non_security_blk_files($1_crond_t)
++ files_dontaudit_getattr_non_security_chr_files($1_crond_t)
++
+ files_exec_etc_files($1_crond_t)
++ files_search_locks($1_crond_t)
++ # Check to see if cdrom is mounted
++ files_search_mnt($1_crond_t)
++ # cjp: perhaps should cut back on file reads:
++ files_read_var_files($1_crond_t)
++ files_read_var_symlinks($1_crond_t)
++ files_read_generic_spool($1_crond_t)
++ files_read_var_lib_files($1_crond_t)
++ # Stat lost+found.
++ files_getattr_lost_found_dirs($1_crond_t)
++
++ fs_get_all_fs_quotas($1_crond_t)
++ fs_getattr_all_fs($1_crond_t)
++ fs_getattr_all_dirs($1_crond_t)
++ fs_search_auto_mountpoints($1_crond_t)
++ fs_list_inotifyfs($1_crond_t)
++
+ # for nscd:
+ files_dontaudit_search_pids($1_crond_t)
+
+@@ -134,19 +168,22 @@
+
+ miscfiles_read_localization($1_crond_t)
+
++ mls_rangetrans_target($1_crond_t)
++
+ userdom_manage_user_tmp_files($1,$1_crond_t)
userdom_manage_user_tmp_symlinks($1,$1_crond_t)
userdom_manage_user_tmp_pipes($1,$1_crond_t)
userdom_manage_user_tmp_sockets($1,$1_crond_t)
@@ -1694,7 +2007,18 @@
# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files($1,$1_crond_t)
# Access user files and dirs.
-@@ -156,22 +154,13 @@
+-# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
++ userdom_manage_user_home_content_dirs($1,$1_crond_t)
+ userdom_manage_user_home_content_files($1,$1_crond_t)
+ userdom_manage_user_home_content_symlinks($1,$1_crond_t)
+ userdom_manage_user_home_content_pipes($1,$1_crond_t)
+ userdom_manage_user_home_content_sockets($1,$1_crond_t)
+-# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
++ userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+
+ tunable_policy(`fcron_crond', `
+ allow crond_t $1_cron_spool_t:file create_file_perms;
+@@ -156,22 +193,13 @@
nis_use_ypbind($1_crond_t)
')
@@ -1720,7 +2044,7 @@
##############################
#
-@@ -195,14 +184,11 @@
+@@ -195,14 +223,11 @@
allow $2 $1_crontab_t:process getattr;
# for ^Z
@@ -1736,7 +2060,7 @@
# create files in /var/spool/cron
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
-@@ -240,10 +226,12 @@
+@@ -240,10 +265,12 @@
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
userdom_manage_user_tmp_files($1,$1_crontab_t)
@@ -1749,7 +2073,7 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -472,29 +460,6 @@
+@@ -472,29 +499,6 @@
########################################
## <summary>
@@ -1781,7 +2105,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-15 16:24:30.000000000 -0500
@@ -11,9 +11,6 @@
#
attribute cron_spool_type;
@@ -1792,7 +2116,15 @@
type cron_spool_t;
files_type(cron_spool_t)
-@@ -47,8 +44,8 @@
+@@ -33,6 +30,7 @@
+
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
++files_poly_parent(crond_tmp_t)
+
+ type crond_var_run_t;
+ files_pid_file(crond_var_run_t)
+@@ -47,8 +45,8 @@
typealias crond_t alias system_crond_t;
',`
type system_crond_t;
@@ -1802,7 +2134,7 @@
corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
-@@ -86,7 +83,7 @@
+@@ -86,7 +84,7 @@
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
@@ -1811,7 +2143,7 @@
allow crond_t crond_var_run_t:file create_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
-@@ -98,6 +95,7 @@
+@@ -98,6 +96,7 @@
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
@@ -1819,7 +2151,37 @@
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
-@@ -166,6 +164,11 @@
+@@ -121,6 +120,16 @@
+ corecmd_list_sbin(crond_t)
+ corecmd_read_sbin_symlinks(crond_t)
+
++mls_rangetrans_source(crond_t)
++mls_file_read_up(crond_t)
++mls_file_write_down(crond_t)
++mls_file_upgrade(crond_t)
++mls_file_downgrade(crond_t)
++mls_process_set_level(crond_t)
++mls_fd_share_all_levels(crond_t)
++mls_fd_share_all_levels(crond_t)
++mls_trusted_object(crond_t)
++
+ domain_use_interactive_fds(crond_t)
+
+ files_read_etc_files(crond_t)
+@@ -151,6 +160,12 @@
+
+ mta_send_mail(crond_t)
+
++tunable_policy(`allow_polyinstantiation',`
++ allow crond_t self:capability fowner;
++ files_search_tmp(crond_t)
++ files_polyinstantiate_all(crond_t)
++')
++
+ ifdef(`distro_debian',`
+ optional_policy(`
+ # Debian logcheck has the home dir set to its cache
+@@ -166,6 +181,11 @@
')
')
@@ -1845,7 +2207,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cups.te 2006-12-19 16:04:18.000000000 -0500
@@ -118,6 +118,8 @@
allow cupsd_t cupsd_tmp_t:file create_file_perms;
allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
@@ -1913,16 +2275,21 @@
corecmd_read_bin_files($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.4.6/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-12 15:19:22.000000000 -0500
-@@ -103,6 +103,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-21 15:48:39.000000000 -0500
+@@ -103,6 +103,8 @@
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
++corenet_tcp_bind_all_unreserved_ports(ftpd_t)
+corenet_dontaudit_tcp_bind_all_ports(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)
-@@ -127,6 +128,7 @@
+@@ -124,9 +126,11 @@
+ auth_append_login_records(ftpd_t)
+ #kerberized ftp requires the following
+ auth_write_login_records(ftpd_t)
++auth_append_faillog(ftpd_t)
init_use_fds(ftpd_t)
init_use_script_ptys(ftpd_t)
@@ -1930,7 +2297,7 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
-@@ -173,6 +175,11 @@
+@@ -173,6 +177,11 @@
fs_manage_nfs_files(ftpd_t)
')
@@ -1942,7 +2309,7 @@
tunable_policy(`ftp_home_dir',`
allow ftpd_t self:capability { dac_override dac_read_search };
-@@ -182,10 +189,15 @@
+@@ -182,10 +191,15 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -2021,6 +2388,29 @@
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
files_pid_filetrans(hald_t,hald_var_run_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.4.6/policy/modules/services/inetd.te
+--- nsaserefpolicy/policy/modules/services/inetd.te 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/inetd.te 2006-12-19 14:46:09.000000000 -0500
+@@ -218,6 +218,13 @@
+ ')
+ ')
+
++ifdef(`enable_mls',`
++ corenet_tcp_recv_netlabel(inetd_t)
++ corenet_udp_recv_netlabel(inetd_t)
++ mls_socket_read_to_clearance(inetd_t)
++ mls_socket_write_to_clearance(inetd_t)
++')
++
+ optional_policy(`
+ tunable_policy(`ftpd_is_daemon',`
+ # Allows it to check exec privs on daemon
+@@ -236,3 +243,5 @@
+ optional_policy(`
+ nscd_socket_use(inetd_child_t)
+ ')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-2.4.6/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/irqbalance.te 2006-12-14 15:55:18.000000000 -0500
@@ -2082,7 +2472,7 @@
allow krb5kdc_t krb5kdc_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.6/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/lpd.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/lpd.if 2006-12-21 14:44:31.000000000 -0500
@@ -64,33 +64,35 @@
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -2144,6 +2534,21 @@
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
# Transition from the user domain to the derived domain.
+@@ -221,10 +223,14 @@
+ template(`lpr_admin_template',`
+ gen_require(`
+ type $1_lpr_t;
++ type print_spool_t;
+ ')
+
+ userdom_read_all_users_home_content_files($1_lpr_t)
+
++ # Read and write shared files in the spool directory.
++ allow $1_lpr_t print_spool_t:file rw_file_perms;
++
+ # Allow per user lpr domain read acces for specific user.
+ tunable_policy(`read_untrusted_content',`
+ userdom_read_all_untrusted_content($1_lpr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.6/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/mta.if 2006-12-12 15:19:22.000000000 -0500
@@ -2214,29 +2619,34 @@
allow ypxfr_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.4.6/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.te 2006-12-12 15:19:22.000000000 -0500
-@@ -329,6 +329,12 @@
++++ serefpolicy-2.4.6/policy/modules/services/nis.te 2006-12-21 14:34:44.000000000 -0500
+@@ -329,7 +329,15 @@
# ypxfr local policy
#
-+allow ypxfr_t var_yp_t:dir search_dir_perms;
-+allow ypxfr_t var_yp_t:file r_file_perms;
++allow ypxfr_t var_yp_t:dir rw_dir_perms;
++allow ypxfr_t var_yp_t:file create_file_perms;
+
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
++allow ypxfr_t self:tcp_socket connected_socket_perms;
++allow ypxfr_t self:udp_socket create_socket_perms;
corenet_non_ipsec_sendrecv(ypxfr_t)
-@@ -348,4 +354,8 @@
+ corenet_tcp_sendrecv_all_if(ypxfr_t)
+@@ -348,4 +356,10 @@
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)
++libs_use_ld_so(ypxfr_t)
+libs_use_shared_libs(ypxfr_t)
+
files_read_etc_files(ypxfr_t)
+files_search_usr(ypxfr_t)
+
++sysnet_read_config(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.6/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/nscd.if 2006-12-12 15:19:22.000000000 -0500
@@ -2378,8 +2788,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-2.4.6/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.te 2006-12-12 15:19:22.000000000 -0500
-@@ -0,0 +1,69 @@
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.te 2006-12-21 16:06:10.000000000 -0500
+@@ -0,0 +1,74 @@
+policy_module(pcscd,1.0.0)
+
+########################################
@@ -2436,6 +2846,7 @@
+init_dontaudit_use_fds(pcscd_t)
+
+dev_rw_generic_usb_dev(pcscd_t)
++dev_rw_usbfs(pcscd_t)
+
+files_read_etc_runtime_files(pcscd_t)
+
@@ -2449,6 +2860,10 @@
+ term_dontaudit_use_console(pcscd_t)
+')
+
++optional_policy(`
++ rpm_use_script_fds(pcscd_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.6/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/pegasus.if 2006-12-12 15:19:22.000000000 -0500
@@ -2579,7 +2994,7 @@
userdom_dontaudit_search_staff_home_dirs(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-2.4.6/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/radvd.te 2006-12-14 15:15:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/radvd.te 2006-12-19 16:04:18.000000000 -0500
@@ -28,7 +28,7 @@
allow radvd_t self:tcp_socket create_stream_socket_perms;
allow radvd_t self:udp_socket create_socket_perms;
@@ -2662,7 +3077,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/samba.te 2006-12-19 16:04:18.000000000 -0500
@@ -349,7 +349,7 @@
allow nmbd_t samba_etc_t:file { getattr read };
@@ -2747,7 +3162,7 @@
storage_dontaudit_read_fixed_disk(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.6/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2006-12-18 16:15:45.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -2774,6 +3189,16 @@
corenet_udp_bind_imaze_port(spamd_t)
corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_sendrecv_generic_server_packets(spamd_t)
+@@ -107,7 +108,8 @@
+ files_read_usr_files(spamd_t)
+ files_read_etc_files(spamd_t)
+ files_read_etc_runtime_files(spamd_t)
+-files_search_var_lib(spamd_t)
++# /var/lib/spamassin
++files_read_var_lib_files(spamd_t)
+
+ init_use_fds(spamd_t)
+ init_use_script_ptys(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/ssh.te 2006-12-12 15:19:22.000000000 -0500
@@ -3042,7 +3467,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-18 15:39:03.000000000 -0500
@@ -190,6 +190,9 @@
## </param>
#
@@ -3300,8 +3725,16 @@
domain_auto_trans(initrc_t,$2,$1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-12 15:19:22.000000000 -0500
-@@ -189,7 +189,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-14 16:51:41.000000000 -0500
+@@ -125,6 +125,7 @@
+ # file descriptors inherited from the rootfs:
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
++files_create_boot_flag(init_t)
+
+ # cjp: this may be related to /dev/log
+ fs_write_ramfs_sockets(init_t)
+@@ -189,7 +190,7 @@
# Init script local policy
#
@@ -3310,7 +3743,7 @@
allow initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -205,6 +205,9 @@
+@@ -205,6 +206,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -3320,7 +3753,7 @@
can_exec(initrc_t,initrc_exec_t)
allow initrc_t initrc_state_t:dir manage_dir_perms;
-@@ -335,6 +338,8 @@
+@@ -335,6 +339,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -3329,7 +3762,7 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-@@ -347,7 +352,11 @@
+@@ -347,7 +353,11 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -3342,7 +3775,7 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-@@ -499,7 +508,17 @@
+@@ -499,7 +509,17 @@
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
@@ -3360,7 +3793,7 @@
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
-@@ -710,6 +729,9 @@
+@@ -710,6 +730,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -3573,7 +4006,7 @@
+/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.6/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2006-12-19 16:04:18.000000000 -0500
@@ -13,6 +13,9 @@
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
@@ -3830,7 +4263,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/mount.te 2006-12-19 16:04:18.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -3918,10 +4351,12 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc 2006-12-12 15:19:22.000000000 -0500
-@@ -41,6 +41,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc 2006-12-19 12:36:13.000000000 -0500
+@@ -40,7 +40,9 @@
+ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/genhomedircon -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/share/system-config-selinux/system-config-selinux.py -- gen_context(system_u:object_r:semanage_gui_exec_t,s0)
@@ -3929,7 +4364,7 @@
# /var/run
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.6/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if 2006-12-13 16:33:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if 2006-12-20 16:22:45.000000000 -0500
@@ -713,7 +713,7 @@
')
@@ -3948,7 +4383,7 @@
allow $1 default_context_t:file manage_file_perms;
')
-@@ -1121,3 +1121,109 @@
+@@ -1121,3 +1121,112 @@
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 semanage_trans_lock_t:file rw_file_perms;
')
@@ -3965,7 +4400,7 @@
+#
+interface(`seutil_semanage_domain',`
+ gen_require(`
-+ type policy_config_t, semanage_tmp_t;
++ type policy_config_t, semanage_tmp_t, semanage_exec_t;
+ ')
+
+ allow $1 self:capability { dac_override audit_write };
@@ -3982,6 +4417,7 @@
+ allow $1 semanage_tmp_t:file create_file_perms;
+ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
++ can_exec($1,semanage_exec_t)
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
@@ -4003,6 +4439,8 @@
+ files_read_etc_runtime_files($1)
+ files_read_usr_files($1)
+ files_list_pids($1)
++ # Modules often created in /tmp dir
++ files_read_all_tmp_files($1)
+
+ mls_file_write_down($1)
+ mls_rangetrans_target($1)
@@ -4302,8 +4740,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/tzdata.te serefpolicy-2.4.6/policy/modules/system/tzdata.te
--- nsaserefpolicy/policy/modules/system/tzdata.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/tzdata.te 2006-12-12 15:19:22.000000000 -0500
-@@ -0,0 +1,28 @@
++++ serefpolicy-2.4.6/policy/modules/system/tzdata.te 2006-12-20 16:02:55.000000000 -0500
+@@ -0,0 +1,34 @@
+policy_module(tzdata,1.0.0)
+
+########################################
@@ -4331,6 +4769,12 @@
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
++term_dontaudit_list_ptys(tzdata_t)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys(tzdata_t)
++ term_dontaudit_use_generic_ptys(tzdata_t)
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.4.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-11-16 17:15:24.000000000 -0500
@@ -4437,7 +4881,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-21 11:23:32.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
@@ -4460,7 +4904,15 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -220,6 +224,10 @@
+@@ -149,6 +153,7 @@
+ files_mountpoint($1_home_dir_t)
+ files_associate_tmp($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
++ files_poly_member($1_home_dir_t)
+
+ ##############################
+ #
+@@ -220,6 +225,10 @@
## <rolebase/>
#
template(`userdom_manage_home_template',`
@@ -4471,7 +4923,7 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -319,12 +327,11 @@
+@@ -319,12 +328,11 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
@@ -4489,7 +4941,7 @@
')
#######################################
-@@ -347,6 +354,10 @@
+@@ -347,6 +355,10 @@
## <rolebase/>
#
template(`userdom_manage_tmp_template',`
@@ -4500,7 +4952,7 @@
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
-@@ -387,9 +398,7 @@
+@@ -387,9 +399,7 @@
## <rolebase/>
#
template(`userdom_poly_tmp_template',`
@@ -4511,7 +4963,7 @@
')
#######################################
-@@ -415,6 +424,9 @@
+@@ -415,6 +425,9 @@
## <rolebase/>
#
template(`userdom_manage_tmpfs_template',`
@@ -4521,7 +4973,7 @@
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
-@@ -673,6 +685,8 @@
+@@ -673,6 +686,8 @@
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
@@ -4530,7 +4982,7 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-@@ -734,6 +748,7 @@
+@@ -734,6 +749,7 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -4538,7 +4990,7 @@
init_read_utmp($1_t)
# The library functions always try to open read-write first,
-@@ -1188,7 +1203,7 @@
+@@ -1188,7 +1204,7 @@
ifdef(`xserver.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
@@ -4547,7 +4999,7 @@
')
')
') dnl endif TODO
-@@ -1859,7 +1874,7 @@
+@@ -1859,7 +1875,7 @@
')
files_search_home($2)
@@ -4556,7 +5008,7 @@
allow $2 $1_home_t:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
')
-@@ -1962,8 +1977,8 @@
+@@ -1962,8 +1978,8 @@
')
files_search_home($2)
@@ -4567,7 +5019,7 @@
allow $2 $1_home_t:lnk_file r_file_perms;
')
-@@ -1998,8 +2013,8 @@
+@@ -1998,8 +2014,8 @@
')
files_search_home($2)
@@ -4578,7 +5030,7 @@
can_exec($2,$1_home_t)
')
-@@ -2069,7 +2084,7 @@
+@@ -2069,7 +2085,7 @@
')
files_search_home($2)
@@ -4587,7 +5039,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:file create_file_perms;
')
-@@ -2142,7 +2157,7 @@
+@@ -2142,7 +2158,7 @@
')
files_search_home($2)
@@ -4596,7 +5048,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:lnk_file create_lnk_perms;
')
-@@ -2180,7 +2195,7 @@
+@@ -2180,7 +2196,7 @@
')
files_search_home($2)
@@ -4605,7 +5057,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:fifo_file create_file_perms;
')
-@@ -2218,7 +2233,7 @@
+@@ -2218,7 +2234,7 @@
')
files_search_home($2)
@@ -4614,7 +5066,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:sock_file create_file_perms;
')
-@@ -3977,7 +3992,7 @@
+@@ -3977,7 +3993,7 @@
')
files_search_home($1)
@@ -4623,7 +5075,7 @@
')
########################################
-@@ -3996,7 +4011,7 @@
+@@ -3996,7 +4012,7 @@
type staff_home_dir_t;
')
@@ -4632,7 +5084,7 @@
')
########################################
-@@ -4343,7 +4358,7 @@
+@@ -4343,7 +4359,7 @@
type sysadm_home_dir_t;
')
@@ -4641,7 +5093,7 @@
')
########################################
-@@ -4501,41 +4516,13 @@
+@@ -4501,41 +4517,13 @@
## </param>
#
interface(`userdom_read_sysadm_home_content_files',`
@@ -4688,7 +5140,7 @@
')
########################################
-@@ -4858,7 +4845,7 @@
+@@ -4858,7 +4846,7 @@
type user_home_t;
')
@@ -4697,7 +5149,7 @@
')
########################################
-@@ -4905,6 +4892,28 @@
+@@ -4905,6 +4893,28 @@
########################################
## <summary>
@@ -4726,7 +5178,7 @@
## Read files in generic user home directories.
## </summary>
## <param name="domain">
-@@ -5497,3 +5506,383 @@
+@@ -5497,3 +5507,383 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.331
retrieving revision 1.332
diff -u -r1.331 -r1.332
--- selinux-policy.spec 14 Dec 2006 20:59:24 -0000 1.331
+++ selinux-policy.spec 22 Dec 2006 16:52:38 -0000 1.332
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 13%{?dist}
+Release: 16%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,23 @@
%endif
%changelog
+* Wed Dec 20 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-17
+
+* Tue Dec 19 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-16
+- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t
+Resolves: #219421
+- Allow sysadm_lpr_t to manage other print spool jobs
+Resolves: #220080
+
+* Mon Dec 18 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-15
+- allow automount to setgid
+Resolves: #219999
+
+* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-14
+- Allow cron to polyinstatiate
+- Fix creation of boot flags
+Resolves: #207433
+
* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-13
- Fixes for irqbalance
Resolves: #219606
More information about the fedora-cvs-commits
mailing list