rpms/selinux-policy/devel policy-20060608.patch, 1.10, 1.11 selinux-policy.spec, 1.214, 1.215
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jun 20 21:06:34 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv30180
Modified Files:
policy-20060608.patch selinux-policy.spec
Log Message:
* Tue Jun 20 2006 Dan Walsh <dwalsh at redhat.com> 2.2.48-1
- Update to upstream
policy-20060608.patch:
global_tunables | 7 +
modules/admin/bootloader.te | 9 +
modules/admin/consoletype.te | 7 +
modules/admin/logwatch.te | 3
modules/admin/netutils.te | 1
modules/admin/prelink.fc | 3
modules/kernel/files.if | 35 ++++++
modules/kernel/filesystem.te | 5
modules/kernel/kernel.if | 38 ++++++
modules/services/apache.fc | 1
modules/services/apache.if | 79 +++++++++++++-
modules/services/apache.te | 50 +++++++--
modules/services/automount.te | 13 ++
modules/services/clamav.if | 20 +++
modules/services/cups.fc | 1
modules/services/cups.if | 2
modules/services/cups.te | 10 +
modules/services/hal.if | 20 +++
modules/services/mta.te | 5
modules/services/networkmanager.te | 1
modules/services/ntp.te | 1
modules/services/openvpn.te | 3
modules/services/pegasus.if | 31 +++++
modules/services/pegasus.te | 5
modules/services/postfix.if | 25 ++++
modules/services/postfix.te | 1
modules/services/ppp.te | 1
modules/services/procmail.te | 1
modules/services/tftp.te | 1
modules/system/authlogin.if | 1
modules/system/hostname.te | 5
modules/system/init.if | 7 -
modules/system/init.te | 1
modules/system/libraries.fc | 2
modules/system/mount.te | 1
modules/system/selinuxutil.te | 2
modules/system/unconfined.fc | 2
modules/system/userdomain.if | 204 +++++++++++++++++++++++--------------
modules/system/userdomain.te | 32 ++---
modules/system/xen.te | 12 +-
40 files changed, 518 insertions(+), 130 deletions(-)
Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- policy-20060608.patch 20 Jun 2006 12:58:27 -0000 1.10
+++ policy-20060608.patch 20 Jun 2006 21:06:30 -0000 1.11
@@ -1,27 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/doc/example.if serefpolicy-2.2.47/doc/example.if
---- nsaserefpolicy/doc/example.if 2006-02-01 10:22:19.000000000 -0500
-+++ serefpolicy-2.2.47/doc/example.if 2006-06-19 16:26:15.000000000 -0400
-@@ -25,7 +25,7 @@
- ## </param>
- #
- interface(`myapp_domtrans',`
-- gen_requires(`
-+ gen_require(`
- type myapp_t, myapp_exec_t;
- ')
-
-@@ -46,7 +46,7 @@
- ## </param>
- #
- interface(`myapp_read_log',`
-- gen_requires(`
-+ gen_require(`
- type myapp_log_t;
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.47/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.48/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-06-08 08:45:56.000000000 -0400
-+++ serefpolicy-2.2.47/policy/global_tunables 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/global_tunables 2006-06-20 10:16:12.000000000 -0400
@@ -89,6 +89,13 @@
## <desc>
@@ -36,9 +15,9 @@
## Allow java executable stack
## </p>
## </desc>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.2.47/policy/modules/admin/bootloader.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.2.48/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-05-02 18:59:59.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/admin/bootloader.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/admin/bootloader.te 2006-06-20 10:16:12.000000000 -0400
@@ -49,7 +49,7 @@
#
@@ -73,9 +52,9 @@
+optional_policy(`
+ kudzu_domtrans(bootloader_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.47/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.48/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/admin/consoletype.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/admin/consoletype.te 2006-06-20 10:16:12.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -90,9 +69,9 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.47/policy/modules/admin/logwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.48/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-04-04 18:06:37.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/admin/logwatch.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/admin/logwatch.te 2006-06-20 10:16:12.000000000 -0400
@@ -22,8 +22,7 @@
#
# Local policy
@@ -103,9 +82,9 @@
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.47/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.48/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-06-06 22:21:51.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/admin/netutils.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/admin/netutils.te 2006-06-20 10:16:12.000000000 -0400
@@ -54,6 +54,7 @@
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
@@ -114,9 +93,9 @@
fs_getattr_xattr_fs(netutils_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.47/policy/modules/admin/prelink.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.48/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2006-06-13 07:03:39.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/admin/prelink.fc 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/admin/prelink.fc 2006-06-20 10:16:12.000000000 -0400
@@ -3,6 +3,5 @@
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
@@ -125,9 +104,9 @@
-
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.47/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.48/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-06-08 23:00:29.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/kernel/files.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/kernel/files.if 2006-06-20 10:16:12.000000000 -0400
@@ -1931,6 +1931,21 @@
')
@@ -174,9 +153,9 @@
+ allow $1 { file_type -security_file_type }:file mounton;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.47/policy/modules/kernel/filesystem.te
---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-06-13 07:03:42.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/kernel/filesystem.te 2006-06-19 16:26:15.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.48/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-06-20 09:54:01.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/kernel/filesystem.te 2006-06-20 10:16:12.000000000 -0400
@@ -48,6 +48,11 @@
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
@@ -189,9 +168,9 @@
type capifs_t;
fs_type(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.47/policy/modules/kernel/kernel.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.48/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/kernel/kernel.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/kernel/kernel.if 2006-06-20 10:16:12.000000000 -0400
@@ -2096,3 +2096,41 @@
typeattribute $1 kern_unconfined;
@@ -234,30 +213,54 @@
+ dontaudit $1 proc_type:dir list_dir_perms;
+ dontaudit $1 proc_type:file getattr;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.47/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.48/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-05-02 18:59:59.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/apache.fc 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/apache.fc 2006-06-20 10:16:12.000000000 -0400
@@ -78,3 +78,4 @@
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.47/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.48/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/apache.if 2006-06-19 16:26:15.000000000 -0400
-@@ -470,6 +470,11 @@
++++ serefpolicy-2.2.48/policy/modules/services/apache.if 2006-06-20 16:00:09.000000000 -0400
+@@ -15,6 +15,7 @@
+ gen_require(`
+ attribute httpdcontent;
+ attribute httpd_exec_scripts;
++ attribute httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ ')
+ # allow write access to public file transfer
+@@ -35,7 +36,7 @@
+ role system_r types httpd_$1_script_t;
+
+ # This type is used for executable scripts files
+- type httpd_$1_script_exec_t; # customizable;
++ type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+ corecmd_shell_entry_type(httpd_$1_script_t)
+ domain_entry_file(httpd_$1_script_t,httpd_$1_script_exec_t)
+
+@@ -464,12 +465,17 @@
+ #
+ interface(`apache_manage_all_content',`
+ gen_require(`
+- attribute httpdcontent;
++ attribute httpdcontent, httpd_script_exec_type;
+ ')
+
allow $1 httpdcontent:dir manage_dir_perms;
allow $1 httpdcontent:file manage_file_perms;
allow $1 httpdcontent:lnk_file create_lnk_perms;
+
-+ allow $1 httpd_sys_script_exec_t:dir manage_dir_perms;
-+ allow $1 httpd_sys_script_exec_t:file manage_file_perms;
-+ allow $1 httpd_sys_script_exec_t:lnk_file create_lnk_perms;
++ allow $1 httpd_script_exec_type:dir manage_dir_perms;
++ allow $1 httpd_script_exec_type:file manage_file_perms;
++ allow $1 httpd_script_exec_type:lnk_file create_lnk_perms;
+
')
########################################
-@@ -515,6 +520,28 @@
+@@ -515,6 +521,28 @@
########################################
## <summary>
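Review bot: apache_manage_all_content now grants manage permissions over every type carrying httpd_script_exec_type, i.e. every httpd_$1_script_exec_t stamped by apache_content_template, not only httpd_sys_script_exec_t, so any domain given this interface can create or overwrite executables that serve as entry points into every httpd_$1_script_t domain. That is a wider grant than the old httpd_sys_script_exec_t lines and the interface's summary (above this hunk) should say so, e.g. `## Includes write access to all script executable types, so the caller can plant code that runs in any httpd_*_script_t domain.` The attribute is only listed in gen_require here; its `attribute httpd_script_exec_type;` declaration is not visible in this chunk, so confirm apache.te declares it or the module will not build. The apache_content_template definition starts outside the hunk.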
@@ -286,7 +289,7 @@
## Execute the Apache helper program with
## a domain transition.
## </summary>
-@@ -594,6 +621,28 @@
+@@ -594,6 +622,28 @@
########################################
## <summary>
@@ -315,7 +318,7 @@
## Allow the specified domain to append
## to apache log files.
## </summary>
-@@ -955,3 +1004,28 @@
+@@ -955,3 +1005,28 @@
allow $2 httpd_$1_content_t:file r_file_perms;
allow $2 httpd_$1_content_t:lnk_file { getattr read };
')
@@ -344,9 +347,9 @@
+ allow httpd_rotatelogs_t $1:process sigchld;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.47/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/apache.te 2006-06-19 16:26:15.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.48/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te 2006-06-20 09:54:04.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/apache.te 2006-06-20 10:16:12.000000000 -0400
@@ -109,13 +109,10 @@
type squirrelmail_spool_t;
files_tmp_file(squirrelmail_spool_t)
@@ -381,7 +384,18 @@
tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
-@@ -692,3 +698,29 @@
+@@ -600,6 +606,10 @@
+ allow httpd_sys_script_t httpd_suexec_t:process sigchld;
+ ')
+
++tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
++ domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
++')
++
+ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(httpd_suexec_t)
+ fs_read_nfs_symlinks(httpd_suexec_t)
+@@ -688,3 +698,29 @@
optional_policy(`
nscd_socket_use(httpd_unconfined_script_t)
')
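Review bot: The new domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t) turns every file labeled with any httpdcontent type into an entry point for httpd_sys_script_t when executed through suexec (the macro grants entrypoint on its second argument, as far as I recall of refpolicy's domain_trans), so with the three booleans on, a web-writable content file can be run as a system script. That appears to be the intended meaning of httpd_unified, but nothing in the hunk says so; a comment such as `# httpd_unified: any httpdcontent file may be run via suexec as httpd_sys_script_t, so web-writable content becomes executable` would make the trade-off visible to whoever flips the boolean. Including httpd_builtin_scripting in the condition looks unrelated to suexec, which is an out-of-process helper rather than in-server scripting; confirm that conjunct is intended rather than a copy from a neighbouring rule. The surrounding tunable_policy blocks begin and end outside this hunk.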
@@ -411,9 +425,9 @@
+apache_domtrans_rotatelogs(httpd_sys_script_t)
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.47/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.48/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-06-13 07:03:42.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/automount.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/automount.te 2006-06-20 10:16:12.000000000 -0400
@@ -28,7 +28,7 @@
# Local policy
#
@@ -444,9 +458,9 @@
corecmd_exec_sbin(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.47/policy/modules/services/clamav.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.48/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/clamav.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/clamav.if 2006-06-20 10:16:12.000000000 -0400
@@ -84,3 +84,23 @@
allow clamscan_t $1:process sigchld;
')
@@ -471,9 +485,9 @@
+ allow $1 clamd_var_lib_t:dir search_dir_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.47/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.48/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-04-19 11:26:51.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/cups.fc 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/cups.fc 2006-06-20 10:16:12.000000000 -0400
@@ -24,6 +24,7 @@
/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
@@ -482,9 +496,9 @@
/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.47/policy/modules/services/cups.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.48/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2006-03-23 14:33:30.000000000 -0500
-+++ serefpolicy-2.2.47/policy/modules/services/cups.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/cups.if 2006-06-20 10:16:12.000000000 -0400
@@ -40,7 +40,7 @@
files_search_pids($1)
@@ -494,10 +508,10 @@
allow $1 cupsd_t:unix_stream_socket connectto;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.47/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te 2006-06-13 22:41:52.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/cups.te 2006-06-19 16:26:15.000000000 -0400
-@@ -298,6 +298,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.48/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-20 09:54:04.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/cups.te 2006-06-20 10:37:06.000000000 -0400
+@@ -313,6 +313,7 @@
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@@ -505,7 +519,7 @@
allow cupsd_config_t cupsd_t:tcp_socket { connectto recvfrom };
allow cupsd_t cupsd_config_t:tcp_socket { acceptfrom recvfrom };
-@@ -332,6 +333,7 @@
+@@ -342,6 +343,7 @@
allow cupsd_config_t cupsd_rw_etc_t:lnk_file create_lnk_perms;
files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file)
@@ -513,7 +527,7 @@
allow cupsd_config_t cupsd_var_run_t:file { getattr read };
kernel_read_system_state(cupsd_config_t)
-@@ -349,6 +351,7 @@
+@@ -357,6 +359,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
@@ -521,7 +535,7 @@
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -387,6 +390,9 @@
+@@ -395,6 +398,9 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
@@ -531,7 +545,7 @@
lpd_read_config(cupsd_config_t)
ifdef(`distro_redhat',`
-@@ -422,6 +428,7 @@
+@@ -430,6 +436,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
@@ -539,7 +553,7 @@
')
optional_policy(`
-@@ -588,6 +595,7 @@
+@@ -593,6 +600,7 @@
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
dev_read_urand(hplip_t)
@@ -547,9 +561,18 @@
dev_rw_generic_usb_dev(hplip_t)
fs_getattr_all_fs(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.2.47/policy/modules/services/hal.if
+@@ -646,6 +654,8 @@
+ udev_read_db(hplip_t)
+ ')
+
++term_use_generic_ptys(hplip_t)
++
+ ########################################
+ #
+ # PTAL local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.2.48/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2006-03-23 14:33:30.000000000 -0500
-+++ serefpolicy-2.2.47/policy/modules/services/hal.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/hal.if 2006-06-20 10:16:13.000000000 -0400
@@ -140,3 +140,23 @@
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
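Review bot: `term_use_generic_ptys(hplip_t)` gives the hplip daemon read/write access to every generic pty, a grant well beyond what a printing daemon normally needs, and it is added on its own after the udev optional_policy block with no comment on why. If this was only added to silence a denial on a pty inherited from the shell that started hpiod, a dontaudit (refpolicy carries `term_dontaudit_use_generic_ptys`, if present in this tree) keeps the log quiet without granting the access; if hplip genuinely writes to a pty, a one-line comment naming the observed denial would justify the allow. Either way the rule reads better placed with the other hplip rules above rather than after the optional_policy blocks. The hplip local-policy section starts outside this hunk.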
@@ -574,9 +597,9 @@
+ allow $1 hald_tmp_t:file r_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.2.47/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.2.48/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-06-06 22:21:54.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/mta.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/mta.te 2006-06-20 10:16:13.000000000 -0400
@@ -195,8 +195,3 @@
')
')
@@ -586,9 +609,9 @@
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file create_file_perms;
-')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.47/policy/modules/services/networkmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.48/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-06-13 07:03:44.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/networkmanager.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/networkmanager.te 2006-06-20 10:16:13.000000000 -0400
@@ -92,6 +92,7 @@
logging_send_syslog_msg(NetworkManager_t)
@@ -597,9 +620,9 @@
modutils_domtrans_insmod(NetworkManager_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.47/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.48/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-06-13 07:03:44.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/ntp.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/ntp.te 2006-06-20 10:16:13.000000000 -0400
@@ -62,6 +62,7 @@
kernel_read_kernel_sysctls(ntpd_t)
@@ -608,42 +631,10 @@
corenet_non_ipsec_sendrecv(ntpd_t)
corenet_tcp_sendrecv_all_if(ntpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-2.2.47/policy/modules/services/openvpn.fc
---- nsaserefpolicy/policy/modules/services/openvpn.fc 2006-04-14 16:09:08.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/openvpn.fc 2006-06-19 16:26:15.000000000 -0400
-@@ -2,6 +2,7 @@
- # /etc
- #
- /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
-+/etc/openvpn/openvpn-status.log -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
-
- #
- # /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.2.47/policy/modules/services/openvpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.2.48/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/openvpn.te 2006-06-19 16:26:15.000000000 -0400
-@@ -15,6 +15,10 @@
- type openvpn_etc_t;
- files_type(openvpn_etc_t)
-
-+# configuration files
-+type openvpn_etc_rw_t;
-+files_type(openvpn_etc_rw_t)
-+
- # log files
- type openvpn_var_log_t;
- logging_log_file(openvpn_var_log_t)
-@@ -38,12 +42,17 @@
- allow openvpn_t openvpn_etc_t:file r_file_perms;
- allow openvpn_t openvpn_etc_t:lnk_file { getattr read };
-
-+allow openvpn_t openvpn_etc_rw_t:file create_file_perms;
-+# Automatically label newly created files under /etc/openvpn with this type
-+type_transition openvpn_t openvpn_etc_t:file openvpn_etc_rw_t;
-+
- allow openvpn_t openvpn_var_log_t:file create_file_perms;
- logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-
++++ serefpolicy-2.2.48/policy/modules/services/openvpn.te 2006-06-20 10:37:57.000000000 -0400
+@@ -44,6 +44,7 @@
allow openvpn_t openvpn_var_run_t:file create_file_perms;
files_pid_filetrans(openvpn_t, openvpn_var_run_t, file)
@@ -651,7 +642,7 @@
kernel_read_net_sysctls(openvpn_t)
kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
-@@ -81,6 +90,8 @@
+@@ -81,6 +82,8 @@
sysnet_exec_ifconfig(openvpn_t)
@@ -660,9 +651,9 @@
optional_policy(`
daemontools_service_domain(openvpn_t,openvpn_exec_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.47/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.48/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/pegasus.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/pegasus.if 2006-06-20 10:16:13.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -696,9 +687,9 @@
+ allow pegasus_t $1:fifo_file rw_file_perms;
+ allow pegasus_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.47/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.48/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/pegasus.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/pegasus.te 2006-06-20 10:16:13.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -715,9 +706,9 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.2.47/policy/modules/services/postfix.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.2.48/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/postfix.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/postfix.if 2006-06-20 10:16:13.000000000 -0400
@@ -459,3 +459,28 @@
typeattribute $1 postfix_user_domtrans;
@@ -747,9 +738,9 @@
+ allow postfix_smtp_t $1:fifo_file rw_file_perms;
+ allow postfix_smtp_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.47/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.48/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/postfix.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/postfix.te 2006-06-20 10:16:13.000000000 -0400
@@ -456,6 +456,7 @@
')
@@ -758,9 +749,9 @@
cron_use_fds(postfix_postdrop_t)
cron_rw_pipes(postfix_postdrop_t)
cron_use_system_job_fds(postfix_postdrop_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.2.47/policy/modules/services/ppp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.2.48/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2006-06-06 22:21:55.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/ppp.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/ppp.te 2006-06-20 10:16:13.000000000 -0400
@@ -68,6 +68,7 @@
allow pppd_t self:tcp_socket create_stream_socket_perms;
allow pppd_t self:udp_socket { connect connected_socket_perms };
@@ -769,9 +760,9 @@
domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
allow pppd_t pptp_t:fd use;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.47/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.48/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-06-13 07:03:44.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/procmail.te 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/procmail.te 2006-06-20 10:16:13.000000000 -0400
@@ -78,6 +78,7 @@
optional_policy(`
@@ -780,9 +771,9 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.2.47/policy/modules/services/tftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.2.48/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/services/tftp.te 2006-06-20 07:50:40.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/services/tftp.te 2006-06-20 10:16:13.000000000 -0400
@@ -78,6 +78,7 @@
miscfiles_read_localization(tftpd_t)
@@ -791,21 +782,9 @@
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.if serefpolicy-2.2.47/policy/modules/services/tor.if
---- nsaserefpolicy/policy/modules/services/tor.if 2006-03-07 13:08:46.000000000 -0500
-+++ serefpolicy-2.2.47/policy/modules/services/tor.if 2006-06-19 16:26:15.000000000 -0400
-@@ -11,7 +11,7 @@
- ## </param>
- #
- interface(`tor_domtrans',`
-- gen_requires(`
-+ gen_require(`
- type tor_t, tor_exec_t;
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.2.47/policy/modules/system/authlogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.2.48/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-06-13 07:03:45.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/authlogin.if 2006-06-19 16:26:15.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/authlogin.if 2006-06-20 10:16:13.000000000 -0400
@@ -1292,6 +1292,7 @@
sysnet_dns_name_resolve($1)
@@ -814,9 +793,9 @@
optional_policy(`
nis_use_ypbind($1)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.47/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.48/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.47/policy/modules/system/hostname.te 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/hostname.te 2006-06-20 10:16:13.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -829,9 +808,9 @@
role system_r types hostname_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.47/policy/modules/system/init.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.48/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/init.if 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/init.if 2006-06-20 10:16:13.000000000 -0400
@@ -158,13 +158,6 @@
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
@@ -846,9 +825,9 @@
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.47/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.48/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-06-08 23:00:33.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/init.te 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/init.te 2006-06-20 10:16:13.000000000 -0400
@@ -345,6 +345,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -857,9 +836,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.47/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.48/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/libraries.fc 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/libraries.fc 2006-06-20 10:16:13.000000000 -0400
@@ -121,7 +121,7 @@
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -869,9 +848,9 @@
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.47/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.48/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/mount.te 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/mount.te 2006-06-20 10:16:13.000000000 -0400
@@ -111,6 +111,7 @@
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
@@ -880,9 +859,9 @@
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.47/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.48/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-06-13 07:03:48.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/selinuxutil.te 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/selinuxutil.te 2006-06-20 10:16:13.000000000 -0400
@@ -352,6 +352,8 @@
kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
kernel_relabelfrom_unlabeled_pipes(restorecon_t)
@@ -892,9 +871,9 @@
dev_relabel_all_dev_nodes(restorecon_t)
# cjp: why is this needed?
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.47/policy/modules/system/unconfined.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.48/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/unconfined.fc 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/unconfined.fc 2006-06-20 10:16:13.000000000 -0400
@@ -7,4 +7,6 @@
ifdef(`targeted_policy',`
/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -902,10 +881,305 @@
+/usr/local/RealPlay/realplay.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.47/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2006-06-13 07:03:49.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/userdomain.if 2006-06-19 16:26:16.000000000 -0400
-@@ -4145,7 +4145,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.48/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-06-20 09:54:08.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/userdomain.if 2006-06-20 15:18:00.000000000 -0400
+@@ -8,11 +8,10 @@
+ ## <desc>
+ ## <p>
+ ## This template creates a user domain, types, and
+-## rules for the user's tty, pty, home directories,
+-## tmp, and tmpfs files.
++## rules for the user's tty, pty, tmp, and tmpfs files.
+ ## </p>
+ ## <p>
+-## This generally should not be used, rather the
++## This should only be used for new non login user roles, rather the
+ ## unpriv_user_template or admin_user_template should
+ ## be used.
+ ## </p>
+@@ -25,7 +24,9 @@
+ ## </param>
+ #
+ template(`base_user_template',`
+-
++ gen_require(`
++ attribute userdomain, unpriv_userdomain;
++ ')
+ attribute $1_file_type;
+
+ type $1_t, userdomain;
+@@ -42,44 +43,17 @@
+ term_user_pty($1_t,$1_devpts_t)
+ files_type($1_devpts_t)
+
+- # type for contents of home directory
+- type $1_home_t, $1_file_type, home_type;
+- files_type($1_home_t)
+- files_associate_tmp($1_home_t)
+- fs_associate_tmpfs($1_home_t)
+-
+- # type of home directory
+- type $1_home_dir_t, home_dir_type, home_type;
+- files_type($1_home_dir_t)
+- files_associate_tmp($1_home_dir_t)
+- fs_associate_tmpfs($1_home_dir_t)
+-
+ type $1_tmp_t, $1_file_type;
+ files_tmp_file($1_tmp_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+- # types for network-obtained content
+- type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
+- files_type($1_untrusted_content_t)
+- files_poly_member($1_untrusted_content_t)
+-
+- type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
+- files_tmp_file($1_untrusted_content_tmp_t)
+-
+ type $1_tty_device_t;
+ term_tty($1_t,$1_tty_device_t)
+
+ ##############################
+ #
+- # User home directory file rules
+- #
+-
+- allow $1_file_type $1_home_t:filesystem associate;
+-
+- ##############################
+- #
+ # User domain Local policy
+ #
+
+@@ -103,19 +77,6 @@
+ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+- # execute files in the home directory
+- can_exec($1_t,$1_home_t)
+-
+- # full control of the home directory
+- allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
+- allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+- allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
+- allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
+- allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
+- allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
+- type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+- files_search_home($1_t)
+-
+ can_exec($1_t,$1_tmp_t)
+
+ # user temporary files
+@@ -138,13 +99,13 @@
+ fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir notdevfile_class_set } )
+
+ allow $1_t $1_tty_device_t:chr_file { setattr rw_file_perms };
+-
+- # Allow user to relabel untrusted content
+- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
+- allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
++ allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
++ term_create_pty($1_t,$1_devpts_t)
+
+ allow $1_t unpriv_userdomain:fd use;
+
++ kernel_read_system_state($1_t)
++ kernel_read_network_state($1_t)
+ kernel_read_kernel_sysctls($1_t)
+ kernel_read_net_sysctls($1_t)
+ kernel_dontaudit_list_unlabeled($1_t)
+@@ -165,8 +126,10 @@
+
+ corenet_non_ipsec_sendrecv($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
++ corenet_raw_sendrecv_all_if($1_t)
+ corenet_udp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_all_nodes($1_t)
++ corenet_raw_sendrecv_all_nodes($1_t)
+ corenet_udp_sendrecv_all_nodes($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+@@ -234,6 +197,10 @@
+ files_dontaudit_getattr_non_security_sockets($1_t)
+ files_dontaudit_getattr_non_security_blk_files($1_t)
+ files_dontaudit_getattr_non_security_chr_files($1_t)
++ files_read_etc_files($1_t)
++ files_read_etc_runtime_files($1_t)
++ files_read_usr_files($1_t)
++ files_exec_usr_files($1_t)
+
+ # Caused by su - init scripts
+ init_dontaudit_use_script_ptys($1_t)
+@@ -254,16 +221,86 @@
+ seutil_read_default_contexts($1_t)
+ seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+
+- tunable_policy(`allow_execmem',`
+- # Allow loading DSOs that require executable stack.
+- allow $1_t self:process execmem;
+- ')
++')
++#######################################
++## <summary>
++## The template containing rules common to unprivileged
++## users and administrative users.
++## </summary>
++## <desc>
++## <p>
++## This template creates a user home directories,
++## </p>
++## <p>
++## This generally should not be used, rather the
++## unpriv_user_template or admin_user_template should
++## be used.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++#
++template(`base_login_user_template',`
+
+- tunable_policy(`allow_execmem && allow_execstack',`
+- # Allow making the stack executable via mprotect.
+- allow $1_t self:process execstack;
++ gen_require(`
++ attribute $1_file_type;
++ attribute home_dir_type, home_type;
++ attribute untrusted_content_type;
+ ')
+
++ # type for contents of home directory
++ type $1_home_t, $1_file_type, home_type;
++ files_type($1_home_t)
++ files_associate_tmp($1_home_t)
++ fs_associate_tmpfs($1_home_t)
++
++ # type of home directory
++ type $1_home_dir_t, home_dir_type, home_type;
++ files_type($1_home_dir_t)
++ files_associate_tmp($1_home_dir_t)
++ fs_associate_tmpfs($1_home_dir_t)
++
++ # types for network-obtained content
++ type $1_untrusted_content_t, $1_file_type, untrusted_content_type; #, customizable
++ files_type($1_untrusted_content_t)
++ files_poly_member($1_untrusted_content_t)
++
++ type $1_untrusted_content_tmp_t, $1_file_type, untrusted_content_tmp_type; # customizable
++ files_tmp_file($1_untrusted_content_tmp_t)
++
++ ##############################
++ #
++ # User home directory file rules
++ #
++
++ allow $1_file_type $1_home_t:filesystem associate;
++
++ ##############################
++ #
++ # User domain Local policy
++ #
++
++ # execute files in the home directory
++ can_exec($1_t,$1_home_t)
++
++ # full control of the home directory
++ allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto entrypoint };
++ allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
++ allow $1_t $1_home_t:dir { create_dir_perms relabelfrom relabelto };
++ allow $1_t $1_home_t:sock_file { create_file_perms relabelfrom relabelto };
++ allow $1_t $1_home_t:fifo_file { create_file_perms relabelfrom relabelto };
++ allow $1_t $1_home_dir_t:dir { create_dir_perms relabelfrom relabelto };
++ type_transition $1_t $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
++ files_search_home($1_t)
++
++ # Allow user to relabel untrusted content
++ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:dir { create_dir_perms relabelto relabelfrom };
++ allow $1_t { $1_untrusted_content_t $1_untrusted_content_tmp_t }:file { getattr unlink relabelto relabelfrom rename };
++
+ tunable_policy(`read_default_t',`
+ files_list_default($1_t)
+ files_read_default_files($1_t)
+@@ -501,6 +538,7 @@
+
+ # Inherit rules for ordinary users.
+ base_user_template($1)
++ base_login_user_template($1)
+
+ typeattribute $1_t unpriv_userdomain;
+ domain_interactive_fd($1_t)
+@@ -521,9 +559,6 @@
+ # Local policy
+ #
+
+- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+- term_create_pty($1_t,$1_devpts_t)
+-
+ # Rules used to associate a homedir as a mountpoint
+ allow $1_home_t self:filesystem associate;
+ allow $1_file_type $1_home_t:filesystem associate;
+@@ -535,10 +570,6 @@
+ allow privhome $1_home_t:sock_file create_file_perms;
+ allow privhome $1_home_t:fifo_file create_file_perms;
+ type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
+-
+- kernel_read_system_state($1_t)
+- kernel_read_network_state($1_t)
+-
+ dev_read_sysfs($1_t)
+
+ corecmd_exec_all_executables($1_t)
+@@ -546,11 +577,8 @@
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+
+- files_read_etc_files($1_t)
+- files_read_etc_runtime_files($1_t)
++
+ files_list_home($1_t)
+- files_read_usr_files($1_t)
+- files_exec_usr_files($1_t)
+ # Read directories and files with the readable_t type.
+ # This type is a general type for "world"-readable files.
+ files_list_world_readable($1_t)
+@@ -558,8 +586,6 @@
+ files_read_world_readable_symlinks($1_t)
+ files_read_world_readable_pipes($1_t)
+ files_read_world_readable_sockets($1_t)
+- # cjp: why?
+- files_read_kernel_symbol_table($1_t)
+
+ init_read_utmp($1_t)
+ # The library functions always try to open read-write first,
+@@ -748,6 +774,7 @@
+
+ # Inherit rules for ordinary users.
+ base_user_template($1)
++ base_login_user_template($1)
+
+ typeattribute $1_t privhome;
+ domain_obj_id_change_exemption($1_t)
+@@ -783,11 +810,6 @@
+
+ allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+
+- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+- term_create_pty($1_t,$1_devpts_t)
+-
+- kernel_read_system_state($1_t)
+- kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core_if($1_t)
+ kernel_getattr_message_if($1_t)
+@@ -4128,7 +4150,7 @@
gen_require(`
type user_home_dir_t;
')
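Review bot: The `allow_execmem` and `allow_execstack` tunable_policy blocks are dropped from base_user_template (the `+-` lines following `seutil_run_newrole`) but nothing in this hunk re-adds them to base_login_user_template, so unless they were re-homed elsewhere in the patch the two booleans silently stop governing execmem/execstack for login user domains, and if the permission instead became unconditional somewhere else that is a hardening regression that deserves a changelog line rather than an implicit move. Separately, base_login_user_template's gen_require declares only `attribute untrusted_content_type;` while the template also attaches `untrusted_content_tmp_type` to `$1_untrusted_content_tmp_t`, so the require line should read `attribute untrusted_content_type, untrusted_content_tmp_type;` to keep the template self-describing for module builds. Note also that `corenet_raw_sendrecv_all_if`/`corenet_raw_sendrecv_all_nodes` are now granted to every domain built from base_user_template, including unprivileged ones; that appears inert without a `rawip_socket create` rule, which this hunk does not add, but a one-line comment stating why raw IP on all interfaces is intended for ordinary user domains would make the grant reviewable.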
@@ -914,30 +1188,112 @@
files_home_filetrans($1,user_home_dir_t,dir)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.47/policy/modules/system/xen.if
---- nsaserefpolicy/policy/modules/system/xen.if 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/xen.if 2006-06-19 16:26:16.000000000 -0400
-@@ -11,7 +11,7 @@
- ## </param>
+@@ -4767,3 +4789,37 @@
+ allow $1 user_home_dir_t:dir create_dir_perms;
+ files_home_filetrans($1,user_home_dir_t,dir)
+ ')
++
++########################################
++## <summary>
++## The template containing rules for changing from one role to another
++## </summary>
++## <desc>
++## <p>
++## This should only be used for new non login user roles, rather the
++## unpriv_user_template or admin_user_template should
++## be used.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## userdomain changing from
++## </summary>
++## </param>
++## <summary>
++## Unconfined access to user domains.
++## </summary>
++## <param name="userdomain_prefix">
++## <summary>
++## userdomain changing to
++## </summary>
++## </param>
++#
++template(`role_change_template',`
++ allow $1_r $2_r;
++ type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
++ type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
++ # avoid annoying messages on terminal hangup
++ dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.48/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-06-13 07:03:49.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/userdomain.te 2006-06-20 15:04:12.000000000 -0400
+@@ -56,14 +56,6 @@
+ # Local policy
#
- interface(`xen_domtrans',`
-- gen_requires(`
-+ gen_require(`
- type xend_t, xend_exec_t;
+
+-define(`role_change',`
+- allow $1_r $2_r;
+- type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
+- type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
+- # avoid annoying messages on terminal hangup
+- dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+-')
+-
+ ifdef(`targeted_policy',`
+ # Define some type aliases to help with compatibility with
+ # macros and domains from the "strict" policy.
+@@ -124,34 +116,34 @@
+
+ # user role change rules:
+ # sysadm_r can change to user roles
+- role_change(sysadm, user)
+- role_change(sysadm, staff)
++ role_change_template(sysadm, user)
++ role_change_template(sysadm, staff)
+
+ # only staff_r can change to sysadm_r
+- role_change(staff, sysadm)
++ role_change_template(staff, sysadm)
+
+ ifdef(`enable_mls',`
+ unpriv_user_template(secadm)
+ unpriv_user_template(auditadm)
+
+- role_change(staff,auditadm)
+- role_change(staff,secadm)
++ role_change_template(staff,auditadm)
++ role_change_template(staff,secadm)
+
+- role_change(sysadm,secadm)
+- role_change(sysadm,auditadm)
++ role_change_template(sysadm,secadm)
++ role_change_template(sysadm,auditadm)
+
+- role_change(auditadm,secadm)
+- role_change(auditadm,sysadm)
++ role_change_template(auditadm,secadm)
++ role_change_template(auditadm,sysadm)
+
+- role_change(secadm,auditadm)
+- role_change(secadm,sysadm)
++ role_change_template(secadm,auditadm)
++ role_change_template(secadm,sysadm)
')
-@@ -118,7 +118,7 @@
- ## </param>
- #
- interface(`xen_domtrans_xm',`
-- gen_requires(`
-+ gen_require(`
- type xm_t, xm_exec_t;
+ # this should be tunable_policy, but
+ # currently type_change and RBAC allow
+ # do not work in conditionals
+ ifdef(`user_canbe_sysadm',`
+- role_change(user,sysadm)
++ role_change_template(user,sysadm)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.47/policy/modules/system/xen.te
+ allow privhome home_root_t:dir { getattr search };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.48/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.2.47/policy/modules/system/xen.te 2006-06-19 16:26:16.000000000 -0400
++++ serefpolicy-2.2.48/policy/modules/system/xen.te 2006-06-20 10:16:13.000000000 -0400
@@ -68,7 +68,8 @@
# xend local policy
#
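Review bot: The XML doc comment on the new role_change_template is copy-pasted and misleading: its `<desc>` says the template "should only be used for new non login user roles", there is a stray second `<summary>` (`Unconfined access to user domains.`) between the two parameters, and both `<param>` entries are named `userdomain_prefix` although the template takes two distinct prefixes. I would replace the description with a paragraph stating that it allows role `$1_r` to change to role `$2_r` and lets `$2_t` type_change the source role's tty and pty device types, drop the second `<summary>`, and name the parameters along the lines of `from_prefix` and `to_prefix`. Because the `allow $1_r $2_r;` line is the RBAC role-allow that the `user_canbe_sysadm` build-time switch relies on, an accurate summary matters more here than for most templates; whether the duplicate `<summary>` breaks the XML doc generator is not visible from this hunk, so worth checking.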
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.214
retrieving revision 1.215
diff -u -r1.214 -r1.215
--- selinux-policy.spec 20 Jun 2006 12:59:02 -0000 1.214
+++ selinux-policy.spec 20 Jun 2006 21:06:31 -0000 1.215
@@ -11,12 +11,12 @@
%define BUILD_MLS 1
%endif
%define POLICYVER 20
-%define POLICYCOREUTILSVER 1.30.8-1
+%define POLICYCOREUTILSVER 1.30.14-3
%define CHECKPOLICYVER 1.30.4-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.47
-Release: 5
+Version: 2.2.48
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -131,7 +131,6 @@
%define saveFileContext() \
if [ -s /etc/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
- restorecon -R %{_sysconfdir}/selinux/%1; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
@@ -342,6 +341,9 @@
%endif
%changelog
+* Tue Jun 20 2006 Dan Walsh <dwalsh at redhat.com> 2.2.48-1
+- Update to upstream
+
* Tue Jun 20 2006 Dan Walsh <dwalsh at redhat.com> 2.2.47-5
- Break out selinux-devel package