rpms/selinux-policy/devel policy-20060608.patch, NONE, 1.1 modules-targeted.conf, 1.28, 1.29 policy-20060505.patch, 1.17, 1.18 selinux-policy.spec, 1.202, 1.203
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Jun 8 14:03:54 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9904
Modified Files:
modules-targeted.conf policy-20060505.patch
selinux-policy.spec
Added Files:
policy-20060608.patch
Log Message:
* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.44-1
- Update from upstream
policy-20060608.patch:
config/appconfig-strict-mls/default_type | 1
policy/modules/admin/consoletype.te | 7 ++++-
policy/modules/admin/rpm.te | 8 ++++-
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/files.if | 15 ++++++++++
policy/modules/kernel/filesystem.te | 3 +-
policy/modules/kernel/kernel.te | 1
policy/modules/services/cups.te | 4 ++
policy/modules/services/hal.te | 2 +
policy/modules/services/mysql.te | 2 -
policy/modules/services/ntp.te | 2 +
policy/modules/services/pegasus.if | 31 ++++++++++++++++++++++
policy/modules/services/pegasus.te | 5 +--
policy/modules/services/procmail.te | 5 +++
policy/modules/services/pyzor.te | 4 ++
policy/modules/services/xfs.te | 2 +
policy/modules/system/hostname.te | 5 ++-
policy/modules/system/init.te | 1
policy/modules/system/libraries.fc | 3 ++
policy/modules/system/logging.fc | 6 ++--
policy/modules/system/logging.te | 10 +++----
policy/modules/system/unconfined.fc | 7 ++---
policy/modules/system/unconfined.if | 28 ++++++++++++++++++++
policy/modules/system/unconfined.te | 13 +++++++--
policy/modules/system/userdomain.if | 28 --------------------
policy/modules/system/userdomain.te | 43 +++++++++++++++++++++++++++----
policy/rolemap | 1
policy/support/misc_macros.spt | 2 -
policy/users | 6 ++--
29 files changed, 185 insertions(+), 61 deletions(-)
--- NEW FILE policy-20060608.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.44/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2006-01-06 17:55:17.000000000 -0500
+++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type 2006-06-08 09:43:08.000000000 -0400
@@ -2,3 +2,4 @@
secadm_r:secadm_t
staff_r:staff_t
user_r:user_t
+auditadm_r:auditadm_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.44/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te 2006-06-08 09:43:08.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
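Review bot: The added `role system_r types consoletype_t;` (the new line after `domain_entry_file`) duplicates the statement that already closes this hunk, so the new file declares it twice. checkpolicy tolerates a repeated role/types statement, but the duplicate suggests the hunk was meant to replace the old line rather than add one; drop one of the two. The `#dont transition from initrc` comment would also read better if it said what replaces the removed `init_domain` call, e.g. `# no initrc transition: consoletype runs in the caller's domain; domain_type/domain_entry_file only`.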
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.44/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/admin/rpm.te 2006-06-08 09:49:46.000000000 -0400
@@ -341,12 +341,16 @@
optional_policy(`
mono_domtrans(rpm_script_t)
')
-',`
+
optional_policy(`
- bootloader_domtrans(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
')
')
+optional_policy(`
+ bootloader_domtrans(rpm_script_t)
+')
+
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.44/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te 2006-06-08 09:43:08.000000000 -0400
@@ -44,6 +44,7 @@
allow webalizer_t self:unix_dgram_socket sendto;
allow webalizer_t self:unix_stream_socket connectto;
allow webalizer_t self:tcp_socket connected_stream_socket_perms;
+allow webalizer_t self:udp_socket { connect connected_socket_perms };
allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
allow webalizer_t webalizer_etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.44/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/kernel/files.if 2006-06-08 09:43:08.000000000 -0400
@@ -1913,6 +1913,21 @@
')
########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:file unlink;
+')
+
+
+########################################
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
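Review bot: The new `files_unlink_boot_flag` interface is documented with plain `#` comments, while the neighbouring interface that follows it uses the `## <summary>`/`## <param>` form the refpolicy doc generator reads, so this interface will be absent from the generated interface documentation. The rule it adds, `allow $1 root_t:file unlink;`, also permits unlinking any file labelled `root_t`, not only the boot flags its comment names, and the summary should say so. Suggested header in place of the three comment lines: `## <summary>Delete boot-flag files in the root directory (/halt, /.autofsck, ...). Note: grants unlink on every root_t file.</summary>` followed by a `## <param name="domain">` block reading `Domain allowed access.`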
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.44/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-06-08 08:45:57.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te 2006-06-08 09:43:08.000000000 -0400
@@ -23,7 +23,7 @@
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
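Review bot: Changing `fs_use_xattr gfs` to `fs_use_xattr gfs2` silently moves GFS (v1) mounts from per-file xattr labelling to a single `nfs_t` genfs label (the `genfscon gfs` line added in the second hunk of this file), which is a different security model: every file on such a mount shares one type that is typically broadly accessible. If that is deliberate because GFS v1 has no security xattr handler (the comment above this block says one is required), record it on the new genfscon line, e.g. `# gfs v1 has no security xattr handler; gfs2 is listed under fs_use_xattr`. If v1 does have a handler on the target kernel, keep both `fs_use_xattr gfs` and `fs_use_xattr gfs2` instead of swapping one for the other.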
@@ -174,6 +174,7 @@
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.44/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-06-06 22:21:53.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te 2006-06-08 09:43:08.000000000 -0400
@@ -28,6 +28,7 @@
ifdef(`enable_mls',`
role secadm_r;
+ role auditadm_r;
')
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.44/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/cups.te 2006-06-08 09:50:22.000000000 -0400
@@ -655,6 +655,10 @@
')
optional_policy(`
+ mount_send_nfs_client_request(hplip_t)
+')
+
+optional_policy(`
udev_read_db(hplip_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.44/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-06-06 22:21:54.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/hal.te 2006-06-08 09:47:42.000000000 -0400
@@ -140,6 +140,8 @@
sysnet_read_config(hald_t)
+auth_use_nsswitch(hald_t)
+
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.44/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/mysql.te 2006-06-08 09:48:34.000000000 -0400
@@ -101,7 +101,7 @@
miscfiles_read_localization(mysqld_t)
-sysnet_use_ldap(mysqld_t)
+auth_use_nsswitch(mysqld_t)
sysnet_read_config(mysqld_t)
userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.44/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/ntp.te 2006-06-08 09:48:01.000000000 -0400
@@ -112,6 +112,8 @@
sysnet_read_config(ntpd_t)
+auth_use_nsswitch(ntpd_t)
+
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.44/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/pegasus.if 2006-06-08 09:43:08.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run pegasus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pegasus_domtrans',`
+ gen_require(`
+ type pegasus_t, pegasus_exec_t;
+ ')
+
+ ifdef(`targeted_policy',`
+ if(pegasus_disable_trans) {
+ can_exec($1,pegasus_exec_t)
+ } else {
+ domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+ }
+ ', `
+ domain_auto_trans($1,pegasus_exec_t,pegasus_t)
+ ')
+
+ allow $1 pegasus_t:fd use;
+ allow pegasus_t $1:fd use;
+ allow pegasus_t $1:fifo_file rw_file_perms;
+ allow pegasus_t $1:process sigchld;
+')
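Review bot: The `targeted_policy` branch of the new `pegasus_domtrans` interface tests `pegasus_disable_trans`, but its `gen_require` block only lists `pegasus_t` and `pegasus_exec_t`; if that boolean is declared in pegasus.te it should be required here as well (`bool pegasus_disable_trans;`) so the interface resolves cleanly when called from another module. The interface also performs the transition without a preceding `corecmd_search_bin($1)`/`corecmd_search_sbin($1)`, unlike `unconfined_execmem_domtrans` added in the same patch, so a caller that cannot already search the directory holding cimserver will not reach the executable; presumably current callers can, but adding the search call keeps the two interfaces consistent.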
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.44/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/pegasus.te 2006-06-08 09:43:08.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
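Review bot: Replacing `files_read_etc_files`, `files_list_var_lib` and `files_read_var_lib_files` with `files_read_all_files(pegasus_t)`, together with the new `auth_read_shadow(pegasus_t)`, turns the pegasus domain from one that reads a few system directories into one that can read every file type on the system including the shadow file. The hunk keeps `auth_domtrans_chk_passwd(pegasus_t)` on the line above, whose purpose is to authenticate through the chkpwd helper precisely so that the daemon does not need shadow access itself; if cimserver genuinely reads shadow directly (worth confirming from an actual denial rather than assuming), a comment should record that, and `files_read_all_files` should be narrowed to the specific file types it was denied on. As written the change widens a network-facing daemon's read access considerably with no explanation in the hunk.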
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.44/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-06-06 22:21:55.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/procmail.te 2006-06-08 09:43:08.000000000 -0400
@@ -109,3 +109,8 @@
spamassassin_exec(procmail_t)
spamassassin_exec_client(procmail_t)
')
+
+optional_policy(`
+ clamav_domtrans_clamscan(procmail_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.44/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/pyzor.te 2006-06-08 09:46:23.000000000 -0400
@@ -126,3 +126,7 @@
optional_policy(`
nscd_socket_use(pyzord_t)
')
+
+ifdef(`targeted_policy',`
+ userdom_read_generic_user_home_content_files(pyzord_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.44/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te 2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/services/xfs.te 2006-06-08 09:47:04.000000000 -0400
@@ -69,6 +69,8 @@
miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
+auth_use_nsswitch(xfs_t)
+
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.44/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
+++ serefpolicy-2.2.44/policy/modules/system/hostname.te 2006-06-08 09:43:08.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
type hostname_exec_t;
-init_system_domain(hostname_t,hostname_exec_t)
+
+#dont transition from initrc
+domain_type(hostname_t)
+domain_entry_file(hostname_t,hostname_exec_t)
role system_r types hostname_t;
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.44/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/init.te 2006-06-08 09:43:08.000000000 -0400
@@ -345,6 +345,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.44/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/libraries.fc 2006-06-08 09:43:08.000000000 -0400
@@ -48,6 +48,9 @@
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
+/lib/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/lib64/security/pam_poldi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
#
# /opt
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.2.44/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2006-02-02 16:12:27.000000000 -0500
+++ serefpolicy-2.2.44/policy/modules/system/logging.fc 2006-06-08 09:56:16.000000000 -0400
@@ -1,9 +1,6 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
-/etc/auditd.conf -- gen_context(system_u:object_r:auditd_etc_t,s0)
-/etc/audit.rules -- gen_context(system_u:object_r:auditd_etc_t,s0)
-
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
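Review bot: The removed entries for `/etc/auditd.conf` and `/etc/audit.rules` are not covered by the `/etc/audit(/.*)?` entry added in the second hunk of this file, since those paths sit directly in /etc rather than under /etc/audit/, so if the audit package or a local admin still keeps configuration at the old paths it falls back to the generic /etc label and the `logging_manage_audit_config` access given to auditadm_t elsewhere in this patch presumably no longer covers it. If the files have moved under /etc/audit/ for good, a one-line comment above the new entry saying so stops the next reader from re-adding them; otherwise keep the old entries alongside the new one. The new entry also carries `s15:c0.c255` rather than `s0`, unlike every other entry visible in these hunks; that looks intentional for MLS (audit configuration at system high) and deserves a comment too.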
@@ -39,3 +36,6 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.44/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/logging.te 2006-06-08 09:58:43.000000000 -0400
@@ -17,7 +17,7 @@
files_security_file(auditd_etc_t)
type auditd_log_t;
-files_security_file(auditd_log_t)
+fies_security_file(auditd_log_t)
type auditd_t;
# real declaration moved to mls until
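Review bot: `fies_security_file(auditd_log_t)` is a typo of `files_security_file`; m4 leaves an unknown macro name unexpanded, so the line reaches checkpolicy as literal text and the logging module fails to build, or at best `auditd_log_t` loses the security-file attribute. This appears only on the new side of the hunk, so the patch introduces it rather than inheriting it. Restore the original line: `files_security_file(auditd_log_t)`.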
@@ -123,9 +123,8 @@
files_pid_filetrans(auditd_t,auditd_var_run_t,file)
kernel_read_kernel_sysctls(auditd_t)
-# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
-# Probably want a transition, and a new auditd_helper app
-kernel_read_system_state(auditd_t)
+kernel_list_proc(auditd_t)
+kernel_read_proc_symlinks(auditd_t)
dev_read_sysfs(auditd_t)
@@ -134,11 +133,12 @@
term_dontaudit_use_console(auditd_t)
+# cjp: why?
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_sbin(auditd_t)
corecmd_exec_bin(auditd_t)
-
+kernel_read_system_state(auditd_t)
domain_use_interactive_fds(auditd_t)
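Review bot: `kernel_read_system_state(auditd_t)` is removed in the preceding hunk of this file (replaced by `kernel_list_proc` and `kernel_read_proc_symlinks`) and then added back here below `corecmd_exec_bin`, so across the two hunks auditd_t keeps its full /proc read access and the two narrower rules are likely redundant. If the intent was to reduce auditd_t's access, drop the re-added line; if the full access is still needed for the dispatcher, drop the two narrower lines instead. The added `# cjp: why?` reads as an unresolved upstream review question rather than an explanation and should be replaced by the actual reason (or removed) before the patch ships.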
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.44/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc 2006-06-08 09:43:08.000000000 -0400
@@ -4,7 +4,6 @@
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-ifdef(`targeted_policy',`
-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
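Review bot: Dropping the `ifdef(`targeted_policy',...)` wrapper makes the `unconfined_execmem_exec_t` entries (openoffice, valgrind and the newly added mplayer) unconditional, yet the `unconfined_execmem_domtrans` interface in this same patch states the type has no effect in strict policy and the execmem local policy in unconfined.te sits under an `ifdef(`targeted_policy',` guard. If the type is only declared inside that guard, an .fc entry referring to it will fail to compile in strict; if it is declared unconditionally the entries are inert there but would be clearer with a comment such as `# execmem domain is only active in targeted policy; these entries are inert in strict`. A strict build is needed to confirm which case applies.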
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.44/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-05-19 13:46:37.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/unconfined.if 2006-06-08 09:43:08.000000000 -0400
@@ -449,3 +449,31 @@
allow $1 unconfined_t:dbus acquire_svc;
')
+
+########################################
+## <summary>
+## Execute the application that requires dexecmem program in the unconfined_execmem domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_execmem_domtrans',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type unconfined_execmem_t, unconfined_execmem_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+ allow $1 unconfined_execmem_t:fd use;
+ allow unconfined_execmem_t $1:fd use;
+ allow unconfined_execmem_t $1:fifo_file rw_file_perms;
+ allow unconfined_execmem_t $1:process sigchld;
+ ',`
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
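Review bot: The summary of the new `unconfined_execmem_domtrans` interface reads `requires dexecmem program`, a typo for `execmem`, and the sentence does not say what the interface does for the caller. Suggested wording: `## Execute programs that need executable anonymous memory (execmem) in the unconfined_execmem domain, transitioning from the caller domain.` The body is otherwise consistent with the other domtrans interfaces in this patch, and the `errprint` fallback for strict policy is a reasonable way to surface the no-op.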
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.44/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/unconfined.te 2006-06-08 09:43:08.000000000 -0400
@@ -33,8 +33,6 @@
allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;
- domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
-
files_create_boot_flag(unconfined_t)
init_domtrans_script(unconfined_t)
@@ -114,6 +112,10 @@
')
optional_policy(`
+ unconfined_execmem_domtrans(unconfined_t)
+ ')
+
+ optional_policy(`
lpd_domtrans_checkpc(unconfined_t)
')
@@ -180,11 +182,16 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
+
+ optional_policy(`
+ pegasus_domtrans(unconfined_t)
+ ')
+
')
########################################
#
-# Unconfined Execmem Local policy
+# Local policy
#
ifdef(`targeted_policy',`
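Review bot: Renaming the section header from `# Unconfined Execmem Local policy` to `# Local policy` removes the only text that distinguishes this block from the main unconfined_t local-policy section, and the block still sits under the `ifdef(`targeted_policy',` guard that closes this hunk, which the header no longer hints at. Keep the specific title, e.g. `# Unconfined execmem local policy (targeted policy only)`. The `pegasus_domtrans(unconfined_t)` added above is presumably intended, but a short comment on why an unconfined user should drop into the confined pegasus domain when launching cimserver would help, given the pegasus domain is widened elsewhere in this patch.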
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.44/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-06-06 22:21:56.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/userdomain.if 2006-06-08 10:02:36.000000000 -0400
@@ -474,34 +474,6 @@
xserver_create_xdm_tmp_sockets($1_t)
')
- ifdef(`TODO',`
- #
- # Cups daemon running as user tries to write /etc/printcap
- #
- dontaudit $1_t usr_t:file setattr;
-
- # /initrd is left mounted, various programs try to look at it
- dontaudit $1_t ramfs_t:dir getattr;
-
- #
- # Running ifconfig as a user generates the following
- #
- dontaudit $1_t sysctl_net_t:dir search;
-
- r_dir_file($1_t, usercanread)
-
- # old browser_domain():
- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
- dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
-
- allow $1_t usbtty_device_t:chr_file read;
-
- ifdef(`xdm.te', `
- allow $1_t xdm_var_lib_t:file r_file_perms;
- ')
- ') dnl endif TODO
-
')
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.44/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-06-08 08:45:58.000000000 -0400
+++ serefpolicy-2.2.44/policy/modules/system/userdomain.te 2006-06-08 09:43:08.000000000 -0400
@@ -1,11 +1,12 @@
-policy_module(userdomain,1.3.27)
+policy_module(userdomain,1.3.26)
gen_require(`
role sysadm_r, staff_r, user_r;
ifdef(`enable_mls',`
role secadm_r;
+ role auditadm_r;
')
')
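Review bot: `policy_module(userdomain,1.3.27)` is changed to `1.3.26`, lowering the module version number even though this patch adds a role and many rules to the module; that looks like a rebase artifact from an older base rather than a deliberate change. The module version is what `semodule -l` reports and is the only signal an administrator has that the installed module changed, so it should go up or be left at the upstream value, e.g. `policy_module(userdomain,1.3.27)` unchanged.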
@@ -67,6 +68,7 @@
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
unconfined_alias_domain(secadm_t)
+ unconfined_alias_domain(auditadm_t)
unconfined_alias_domain(sysadm_t)
# User home directory type.
@@ -82,6 +84,7 @@
# compatibility for switching from strict
# dominance { role secadm_r { role system_r; }}
+# dominance { role auditadm_r { role system_r; }}
# dominance { role sysadm_r { role system_r; }}
# dominance { role user_r { role system_r; }}
# dominance { role staff_r { role system_r; }}
@@ -105,8 +108,10 @@
ifdef(`enable_mls',`
allow secadm_r system_r;
+ allow auditadm_r system_r;
allow secadm_r user_r;
allow staff_r secadm_r;
+ allow staff_r auditadm_r;
')
optional_policy(`
@@ -126,9 +131,21 @@
role_change(staff, sysadm)
ifdef(`enable_mls',`
- admin_user_template(secadm)
+# admin_user_template(secadm)
+# admin_user_template(auditadm)
+ unpriv_user_template(secadm)
+ unpriv_user_template(auditadm)
+
+ role_change(staff,auditadm)
role_change(staff,secadm)
+
role_change(sysadm,secadm)
+ role_change(sysadm,auditadm)
+
+ role_change(auditadm,secadm)
+ role_change(auditadm,sysadm)
+
+ role_change(secadm,auditadm)
role_change(secadm,sysadm)
')
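Review bot: The switch from `admin_user_template(secadm)` to `unpriv_user_template(secadm)` (and the same template for the new auditadm role) changes what these MLS administrative roles receive by default, and the rationale survives only as two commented-out template calls, which read as a leftover experiment rather than a decision. Replace the two `# admin_user_template(...)` lines with a comment stating the reason, e.g. `# secadm and auditadm use the unprivileged template; their administrative access is granted explicitly below`, which matches the explicit grants in the later hunk of this file.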
@@ -172,19 +189,33 @@
')
ifdef(`enable_mls',`
+ allow secadm_t self:capability dac_override;
corecmd_exec_shell(secadm_t)
mls_process_read_up(secadm_t)
+ mls_file_read_up(secadm_t)
mls_file_write_down(secadm_t)
mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
- logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
userdom_dontaudit_append_staff_home_content_files(secadm_t)
- files_relabel_all_files(secadm_t)
+ auth_relabel_all_files_except_shadow(secadm_t)
auth_relabel_shadow(secadm_t)
+ domain_obj_id_change_exemption(secadm_t)
+ logging_read_generic_logs(secadm_t)
+
+ seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ domain_kill_all_domains(auditadm_t)
+ seutil_read_bin_policy(auditadm_t)
+ corecmd_exec_shell(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
', `
- logging_read_audit_log(sysadm_t)
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
')
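Review bot: `domain_kill_all_domains(auditadm_t)` and `seutil_run_runinit(auditadm_t, ...)` give the new audit-administrator role the ability to signal every domain on the system and to run run_init, which is well beyond managing the audit subsystem and weakens the separation that splitting auditadm out of secadm is meant to provide. If these are needed only to restart auditd, the `logging_run_auditd` call already added in this hunk is the narrower route, and the two broad grants should be dropped or justified in a comment. Likewise `allow secadm_t self:capability dac_override;` added at the top of the hunk should carry a comment naming the operation that needs it, since secadm_t already gains `mls_file_read_up` and shadow relabel access here.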
@@ -252,6 +283,7 @@
ifdef(`enable_mls',`
consoletype_exec(secadm_t)
+ consoletype_exec(auditadm_t)
')
')
@@ -270,6 +302,7 @@
ifdef(`enable_mls',`
dmesg_exec(secadm_t)
+ dmesg_exec(auditadm_t)
')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.44/policy/rolemap
--- nsaserefpolicy/policy/rolemap 2006-01-26 15:38:41.000000000 -0500
+++ serefpolicy-2.2.44/policy/rolemap 2006-06-08 09:43:08.000000000 -0400
@@ -15,5 +15,6 @@
ifdef(`enable_mls',`
secadm_r secadm secadm_t
+ auditadm_r auditadm auditadm_t
')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.44/policy/support/misc_macros.spt
--- nsaserefpolicy/policy/support/misc_macros.spt 2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.2.44/policy/support/misc_macros.spt 2006-06-08 09:43:08.000000000 -0400
@@ -37,7 +37,7 @@
#
# gen_context(context,mls_sensitivity,[mcs_categories])
#
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.44/policy/users
--- nsaserefpolicy/policy/users 2006-02-15 17:02:30.000000000 -0500
+++ serefpolicy-2.2.44/policy/users 2006-06-08 09:43:08.000000000 -0400
@@ -29,7 +29,7 @@
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
@@ -44,8 +44,8 @@
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
')
')
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- modules-targeted.conf 6 Jun 2006 21:33:13 -0000 1.28
+++ modules-targeted.conf 8 Jun 2006 14:03:38 -0000 1.29
@@ -1064,6 +1064,20 @@
#
clamav = module
+# Layer: services
+# Module: razor
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+razor = module
+
+# Layer: services
+# Module: dcc
+#
+# A distributed, collaborative, spam detection and filtering network.
+#
+dcc = module
+
# Layer: system
# Module: setrans
# Required in base
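Review bot: The description added for the `dcc` module is a verbatim copy of the one written for `razor` two entries above (`A distributed, collaborative, spam detection and filtering network.`), so the comment no longer identifies which service it describes. Give dcc its own line, e.g. `# Distributed Checksum Clearinghouse client, a spam-detection service that compares message checksums.`, and naming Vipul's Razor in the razor entry would make that one unambiguous as well.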
policy-20060505.patch:
config/appconfig-strict-mls/default_type | 1
policy/modules/admin/consoletype.te | 7 ++++-
policy/modules/admin/rpm.te | 8 ++++-
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/files.if | 15 ++++++++++
policy/modules/kernel/filesystem.te | 3 +-
policy/modules/kernel/kernel.te | 1
policy/modules/services/cups.te | 8 ++++-
policy/modules/services/hal.te | 2 +
policy/modules/services/mysql.te | 2 -
policy/modules/services/ntp.te | 2 +
policy/modules/services/pegasus.if | 31 ++++++++++++++++++++++
policy/modules/services/pegasus.te | 5 +--
policy/modules/services/procmail.te | 5 +++
policy/modules/services/pyzor.te | 4 ++
policy/modules/services/xfs.te | 2 +
policy/modules/system/hostname.te | 5 ++-
policy/modules/system/init.te | 1
policy/modules/system/libraries.fc | 3 ++
policy/modules/system/logging.te | 12 +++++---
policy/modules/system/unconfined.fc | 7 ++---
policy/modules/system/unconfined.if | 28 ++++++++++++++++++++
policy/modules/system/unconfined.te | 13 +++++++--
policy/modules/system/userdomain.te | 43 +++++++++++++++++++++++++++----
policy/rolemap | 1
policy/support/misc_macros.spt | 2 -
policy/users | 6 ++--
27 files changed, 187 insertions(+), 31 deletions(-)
Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060505.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20060505.patch 6 Jun 2006 21:33:13 -0000 1.17
+++ policy-20060505.patch 8 Jun 2006 14:03:38 -0000 1.18
@@ -1,47 +1,14 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.43/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.44/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.43/config/appconfig-strict-mls/default_type 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/config/appconfig-strict-mls/default_type 2006-06-08 09:43:08.000000000 -0400
@@ -2,3 +2,4 @@
secadm_r:secadm_t
staff_r:staff_t
user_r:user_t
+auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.43/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/global_tunables 2006-05-26 14:03:15.000000000 -0400
-@@ -58,6 +58,22 @@
-
- ## <desc>
- ## <p>
-+## Allow ftp servers to use nfs
-+## used for public file transfer services.
-+## </p>
-+## </desc>
-+gen_tunable(allow_ftpd_use_nfs,false)
-+
-+## <desc>
-+## <p>
-+## Allow ftp servers to use cifs
-+## used for public file transfer services.
-+## </p>
-+## </desc>
-+gen_tunable(allow_ftpd_use_cifs,false)
-+
-+## <desc>
-+## <p>
- ## Allow gssd to read temp directory.
- ## </p>
- ## </desc>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.43/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.44/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/admin/consoletype.te 2006-05-26 14:03:15.000000000 -0400
-@@ -1,5 +1,5 @@
-
--policy_module(consoletype,1.0.1)
-+policy_module(consoletype,1.0.0)
-
- ########################################
- #
++++ serefpolicy-2.2.44/policy/modules/admin/consoletype.te 2006-06-08 09:43:08.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
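Review bot: This hunk rewrites policy-20060505.patch so that its headers point at serefpolicy-2.2.44 and its content mirrors the newly added policy-20060608.patch, leaving the repository with two patches carrying largely the same changes (the two diffstats in this message differ only in logging.fc and userdomain.if). Whichever patch selinux-policy.spec does not apply should be removed rather than kept in sync by hand, or the spec will silently diverge from the patch that actually builds; the spec change itself is not shown here. The hunks dropped from the old patch (the `allow_ftpd_use_*` tunables, the `rpm_exec` interface, the consoletype version bump) are history and not re-raised. The hunk that starts after this one runs past the end of the message.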
@@ -56,109 +23,43 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.2.43/policy/modules/admin/rpm.if
---- nsaserefpolicy/policy/modules/admin/rpm.if 2006-03-23 14:33:29.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/admin/rpm.if 2006-06-06 11:10:50.000000000 -0400
-@@ -237,3 +237,23 @@
- dontaudit $1 rpm_var_lib_t:file create_file_perms;
- dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
- ')
-+
-+########################################
-+## <summary>
-+## Execute the rpm client in the caller domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`rpm_exec',`
-+ gen_require(`
-+ type rpm_exec_t;
-+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.44/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/admin/rpm.te 2006-06-08 09:49:46.000000000 -0400
+@@ -341,12 +341,16 @@
+ optional_policy(`
+ mono_domtrans(rpm_script_t)
+ ')
+-',`
+
-+ corecmd_search_bin($1)
-+ can_exec($1,rpm_exec_t)
+ optional_policy(`
+- bootloader_domtrans(rpm_script_t)
++ unconfined_domtrans(rpm_script_t)
+ ')
+ ')
+
++optional_policy(`
++ bootloader_domtrans(rpm_script_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.2.43/policy/modules/admin/rpm.te
---- nsaserefpolicy/policy/modules/admin/rpm.te 2006-04-19 17:43:32.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/admin/rpm.te 2006-05-26 14:03:15.000000000 -0400
-@@ -334,6 +334,15 @@
-
- ifdef(`targeted_policy',`
- unconfined_domain(rpm_script_t)
-+ optional_policy(`
-+ java_domtrans(rpm_script_t)
-+ ')
-+ optional_policy(`
-+ mono_domtrans(rpm_script_t)
-+ ')
-+ optional_policy(`
-+ unconfined_execmem_domtrans(rpm_script_t)
-+ ')
- ',`
+ ifdef(`distro_redhat',`
optional_policy(`
- bootloader_domtrans(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.43/policy/modules/apps/webalizer.te
---- nsaserefpolicy/policy/modules/apps/webalizer.te 2006-03-24 11:15:44.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/webalizer.te 2006-05-26 14:03:15.000000000 -0400
-@@ -45,6 +45,7 @@
+ mta_send_mail(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.2.44/policy/modules/apps/webalizer.te
+--- nsaserefpolicy/policy/modules/apps/webalizer.te 2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/apps/webalizer.te 2006-06-08 09:43:08.000000000 -0400
+@@ -44,6 +44,7 @@
+ allow webalizer_t self:unix_dgram_socket sendto;
allow webalizer_t self:unix_stream_socket connectto;
allow webalizer_t self:tcp_socket connected_stream_socket_perms;
- allow webalizer_t self:udp_socket { connect connected_socket_perms };
-+allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
++allow webalizer_t self:udp_socket { connect connected_socket_perms };
+ allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
allow webalizer_t webalizer_etc_t:file { getattr read };
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.2.43/policy/modules/apps/wine.fc
---- nsaserefpolicy/policy/modules/apps/wine.fc 2006-01-19 18:02:04.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/wine.fc 2006-05-28 06:42:33.000000000 -0400
-@@ -1 +1,2 @@
- /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.43/policy/modules/apps/wine.te
---- nsaserefpolicy/policy/modules/apps/wine.te 2006-03-07 10:31:08.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/apps/wine.te 2006-05-28 07:09:11.000000000 -0400
-@@ -22,4 +22,9 @@
- unconfined_domain_noaudit(wine_t)
- role system_r types wine_t;
- allow wine_t file_type:file execmod;
-+
-+ optional_policy(`
-+ hal_dbus_chat(wine_t)
-+ ')
-+
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.43/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/corecommands.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -120,11 +120,6 @@
- /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--# these two lines are separate because of a
--# sorting issue with the java module
--/usr/lib/jvm/java.*/bin -d gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/jvm/java.*/bin/.* gen_context(system_u:object_r:bin_t,s0)
--
- /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -135,6 +130,7 @@
- /usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
- /usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.43/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/files.if 2006-06-06 11:06:54.000000000 -0400
-@@ -1882,6 +1882,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.44/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/files.if 2006-06-08 09:43:08.000000000 -0400
+@@ -1913,6 +1913,21 @@
')
########################################
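Review bot: The targeted branch of rpm.te now adds `unconfined_domtrans(rpm_script_t)` while `bootloader_domtrans(rpm_script_t)` is moved out into an unconditional `optional_policy` block, and neither change carries a comment explaining why. The dropped hunk still shows `unconfined_domain(rpm_script_t)` in that same targeted branch, so adding a transition into unconfined_t widens what a package scriptlet can reach beyond what rpm_script_t itself is allowed, and that deserves a recorded reason, e.g. `# scriptlets that exec unconfined_exec_t binaries must run as unconfined_t, not stay in rpm_script_t` above the new call. Making the bootloader transition unconditional also means the strict policy now receives it, which is presumably intended but is not stated. The enclosing ifdef(`targeted_policy') block starts outside the hunk.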
@@ -180,46 +81,29 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.43/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/filesystem.if 2006-05-26 14:03:15.000000000 -0400
-@@ -434,6 +434,26 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.44/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/filesystem.te 2006-06-08 09:43:08.000000000 -0400
+@@ -23,7 +23,7 @@
+ # Requires that a security xattr handler exist for the filesystem.
+ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
+-fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+
+@@ -174,6 +174,7 @@
+ genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)
########################################
- ## <summary>
-+## Read directories of binary file types.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_getattr_binfmt_misc_dirs',`
-+ gen_require(`
-+ type binfmt_misc_t;
-+ ')
-+
-+ allow $1 binfmt_misc_t:dir getattr;
-+
-+')
-+
-+
-+########################################
-+## <summary>
- ## Mount a CIFS or SMB network filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -3240,3 +3260,6 @@
- allow $1 noxattrfs:blk_file { getattr relabelfrom };
- allow $1 noxattrfs:chr_file { getattr relabelfrom };
- ')
-+
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.43/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/kernel/kernel.te 2006-06-06 15:30:41.000000000 -0400
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.44/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-06-06 22:21:53.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/kernel/kernel.te 2006-06-08 09:43:08.000000000 -0400
@@ -28,6 +28,7 @@
ifdef(`enable_mls',`
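Review bot: Changing `fs_use_xattr gfs` to `fs_use_xattr gfs2` and re-adding gfs as `genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)` moves gfs (v1) from per-file xattr labels to one blanket nfs_t label on every inode, so any domain allowed nfs_t (for instance through the use_nfs_home_dirs tunable paths) gets the same access to the whole gfs volume and file-level type separation on that filesystem is lost. If the motivation is that the gfs v1 driver has no security xattr handler, record it next to the new line, e.g. `# gfs (v1) has no security xattr handler; gfs2 is handled by fs_use_xattr above`; otherwise the original gfs xattr line should remain alongside the gfs2 one. The genfscon block these lines sit in starts outside the hunk.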
@@ -228,432 +112,66 @@
')
#
-@@ -50,6 +51,15 @@
- genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-
- #
-+# Oprofilefs
-+#
-+
-+type oprofilefs_t;
-+fs_type(oprofilefs_t)
-+allow oprofilefs_t self:filesystem associate;
-+genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
-+
-+#
- # Procfs types
- #
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.43/policy/modules/services/amavis.fc
---- nsaserefpolicy/policy/modules/services/amavis.fc 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/amavis.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -7,6 +7,6 @@
- /var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
- /var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
- /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
--/var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
-+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
- /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
- /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-2.2.43/policy/modules/services/amavis.if
---- nsaserefpolicy/policy/modules/services/amavis.if 2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/services/amavis.if 2006-05-26 14:03:15.000000000 -0400
-@@ -104,3 +104,65 @@
- allow $1 amavis_var_run_t:file setattr;
- files_search_pids($1)
- ')
-+
-+########################################
-+## <summary>
-+## Create socket files under the amavis spool
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="socket_type">
-+## <summary>
-+## Type for socket file
-+## </summary>
-+## </param>
-+#
-+interface(`amavis_spool_create_socket',`
-+ gen_require(`
-+ type amavis_spool_t;
-+ ')
-+
-+ allow $1 amavis_spool_t:dir rw_dir_perms;
-+ allow $1 $2:sock_file manage_file_perms;
-+ type_transition $1 amavis_spool_t:sock_file $2;
-+')
-+
-+########################################
-+## <summary>
-+## Read amavis spool files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`amavis_read_spool_file',`
-+ gen_require(`
-+ type amavis_spool_t;
-+ ')
-+
-+ allow $1 amavis_spool_t:file { getattr read };
-+')
-+
-+########################################
-+## <summary>
-+## Manage amavis spool files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`amavis_manage_spool_files',`
-+ gen_require(`
-+ type amavis_spool_t;
-+ ')
-+ files_search_spool($1)
-+ allow $1 amavis_spool_t:dir create_dir_perms;
-+ allow $1 amavis_spool_t:file create_file_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.43/policy/modules/services/amavis.te
---- nsaserefpolicy/policy/modules/services/amavis.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/amavis.te 2006-05-26 14:03:15.000000000 -0400
-@@ -64,6 +64,7 @@
- # Spool Files
- allow amavis_t amavis_spool_t:dir manage_dir_perms;
- allow amavis_t amavis_spool_t:file manage_file_perms;
-+allow amavis_t amavis_spool_t:sock_file create_file_perms;
- files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
-
- # tmp files
-@@ -93,13 +94,21 @@
- kernel_read_kernel_sysctls(amavis_t)
- # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
- kernel_dontaudit_list_proc(amavis_t)
-+kernel_dontaudit_read_proc_symlinks(amavis_t)
- kernel_dontaudit_read_system_state(amavis_t)
-
-+# dontaudit terminal access
-+ifdef(`targeted_policy',`
-+ term_dontaudit_use_generic_ptys(amavis_t)
-+')
-+
- # find perl
- corecmd_exec_bin(amavis_t)
- corecmd_search_sbin(amavis_t)
-
- corenet_non_ipsec_sendrecv(amavis_t)
-+corenet_tcp_bind_all_nodes(amavis_t)
-+corenet_udp_bind_all_nodes(amavis_t)
- corenet_tcp_sendrecv_all_if(amavis_t)
- corenet_tcp_sendrecv_all_nodes(amavis_t)
- # amavis uses well-defined ports
-@@ -111,6 +120,7 @@
- corenet_tcp_connect_amavisd_send_port(amavis_t)
- # bind to incoming port
- corenet_tcp_bind_amavisd_recv_port(amavis_t)
-+corenet_udp_bind_generic_port(amavis_t)
-
- dev_read_rand(amavis_t)
- dev_read_urand(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.43/policy/modules/services/apache.if
---- nsaserefpolicy/policy/modules/services/apache.if 2006-05-12 16:31:53.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/apache.if 2006-05-27 08:04:08.000000000 -0400
-@@ -115,6 +115,7 @@
- seutil_dontaudit_search_config(httpd_$1_script_t)
-
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
-+ allow httpd_$1_script_t httpdcontent:file entrypoint;
- allow httpd_$1_script_t httpdcontent:dir create_dir_perms;
- allow httpd_$1_script_t httpdcontent:file create_file_perms;
- allow httpd_$1_script_t httpdcontent:lnk_file create_lnk_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.43/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/bluetooth.te 2006-05-26 14:03:15.000000000 -0400
-@@ -129,6 +129,8 @@
-
- logging_send_syslog_msg(bluetooth_t)
-
-+locallogin_dontaudit_use_fds(bluetooth_helper_t)
-+
- miscfiles_read_localization(bluetooth_t)
- miscfiles_read_fonts(bluetooth_t)
-
-@@ -225,6 +227,9 @@
- xserver_stream_connect_xdm(bluetooth_helper_t)
- xserver_use_xdm_fds(bluetooth_helper_t)
- xserver_rw_xdm_pipes(bluetooth_helper_t)
-+ # when started via startx
-+ xserver_stream_connect(bluetooth_helper_t)
-+ xserver_write_xdm_xserver_tmp_sockets(bluetooth_helper_t)
- ')
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.43/policy/modules/services/clamav.te
---- nsaserefpolicy/policy/modules/services/clamav.te 2006-05-17 16:57:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/clamav.te 2006-05-26 14:03:15.000000000 -0400
-@@ -39,6 +39,10 @@
- type clamscan_exec_t;
- init_daemon_domain(clamscan_t, clamscan_exec_t)
-
-+# tmp files
-+type clamscan_tmp_t;
-+files_tmp_file(clamscan_tmp_t)
-+
- type freshclam_t;
- type freshclam_exec_t;
- init_daemon_domain(freshclam_t, freshclam_exec_t)
-@@ -63,6 +67,13 @@
- allow clamd_t clamd_etc_t:file r_file_perms;
- allow clamd_t clamd_etc_t:lnk_file { getattr read };
-
-+# Spool Files
-+files_search_spool(clamd_t)
-+optional_policy(`
-+ amavis_spool_create_socket(clamd_t, clamd_var_run_t)
-+ amavis_read_spool_file(clamd_t)
-+')
-+
- # socket file
- allow clamd_t clamd_sock_t:file manage_file_perms;
- allow clamd_t clamd_sock_t:sock_file manage_file_perms;
-@@ -86,6 +97,7 @@
- allow clamd_t clamd_var_log_t:sock_file create_file_perms;
- allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
- logging_log_filetrans(clamd_t,clamd_var_log_t,file)
-+logging_send_syslog_msg(clamd_t)
-
- # pid file
- allow clamd_t clamd_var_run_t:file manage_file_perms;
-@@ -94,6 +106,10 @@
- files_pid_filetrans(clamd_t,clamd_var_run_t,file)
-
- kernel_dontaudit_list_proc(clamd_t)
-+# dontaudit terminal access
-+ifdef(`targeted_policy',`
-+ term_dontaudit_use_generic_ptys(clamd_t)
-+')
-
- corenet_non_ipsec_sendrecv(clamd_t)
- corenet_tcp_sendrecv_all_if(clamd_t)
-@@ -217,6 +233,11 @@
- allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
- allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
-
-+# tmp files
-+allow clamscan_t clamscan_tmp_t:file create_file_perms;
-+allow clamscan_t clamscan_tmp_t:dir create_dir_perms;
-+files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
-+
- kernel_read_kernel_sysctls(clamscan_t)
-
- files_read_etc_files(clamscan_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.43/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te 2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/cups.te 2006-05-28 10:28:11.000000000 -0400
-@@ -74,14 +74,14 @@
- #
-
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
--allow cupsd_t self:capability { sys_admin dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
-+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
- allow cupsd_t self:process { setsched signal_perms };
- allow cupsd_t self:fifo_file rw_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow cupsd_t self:unix_dgram_socket create_socket_perms;
- allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-+allow cupsd_t self:netlink_route_socket r_netlink_socket_perms;
- allow cupsd_t self:tcp_socket { create_stream_socket_perms connectto acceptfrom recvfrom };
- allow cupsd_t self:udp_socket create_socket_perms;
- allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -565,6 +565,7 @@
- allow hplip_t self:unix_stream_socket create_socket_perms;
- allow hplip_t self:tcp_socket create_stream_socket_perms;
- allow hplip_t self:udp_socket create_socket_perms;
-+allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
- # cjp: raw?
- allow hplip_t self:rawip_socket create_socket_perms;
-
-@@ -645,6 +646,10 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.44/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/cups.te 2006-06-08 09:43:08.000000000 -0400
+@@ -647,11 +647,15 @@
')
optional_policy(`
+- seutil_sigchld_newrole(hplip_t)
+ snmp_read_snmp_var_lib_files(hplip_t)
-+')
-+
-+optional_policy(`
- mount_send_nfs_client_request(hplip_t)
')
-@@ -658,6 +663,7 @@
-
- allow hplip_t devpts_t:dir search;
- allow hplip_t devpts_t:chr_file { getattr ioctl };
-+userdom_dontaudit_search_all_users_home_content(hplip_t)
-
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.43/policy/modules/services/cvs.te
---- nsaserefpolicy/policy/modules/services/cvs.te 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/services/cvs.te 2006-05-26 14:03:15.000000000 -0400
-@@ -8,6 +8,7 @@
-
- type cvs_t;
- type cvs_exec_t;
-+corecmd_executable_file(cvs_exec_t)
- inetd_tcp_service_domain(cvs_t,cvs_exec_t)
- role system_r types cvs_t;
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.43/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te 2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/dbus.te 2006-05-27 07:39:54.000000000 -0400
-@@ -38,6 +38,7 @@
- allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
- allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
- allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
- # Receive notifications of policy reloads and enforcing status changes.
- allow system_dbusd_t self:netlink_selinux_socket { create bind read };
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.43/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te 2006-05-17 16:57:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/dovecot.te 2006-05-27 07:42:52.000000000 -0400
-@@ -42,6 +42,7 @@
- allow dovecot_t self:tcp_socket create_stream_socket_perms;
- allow dovecot_t self:unix_dgram_socket create_socket_perms;
- allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
-
- domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
- allow dovecot_t dovecot_auth_t:fd use;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.43/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te 2006-05-17 16:57:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/ftp.te 2006-05-26 14:03:15.000000000 -0400
-@@ -162,15 +162,35 @@
- ')
-
- tunable_policy(`use_nfs_home_dirs && ftp_home_dir',`
-+ fs_manage_nfs_files(ftpd_t)
-+ fs_read_nfs_symlinks(ftpd_t)
-+')
-+
-+tunable_policy(`allow_ftpd_use_cifs',`
- fs_read_nfs_files(ftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
- ')
-
-+tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
-+ fs_manage_nfs_files(ftpd_t)
-+ fs_read_nfs_symlinks(ftpd_t)
-+')
-+
- tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
-+ fs_manage_cifs_files(ftpd_t)
-+ fs_read_cifs_symlinks(ftpd_t)
+ optional_policy(`
+- snmp_read_snmp_var_lib_files(hplip_t)
++ mount_send_nfs_client_request(hplip_t)
+')
+
-+tunable_policy(`allow_ftpd_use_cifs',`
- fs_read_cifs_files(ftpd_t)
- fs_read_cifs_symlinks(ftpd_t)
++optional_policy(`
++ seutil_sigchld_newrole(hplip_t)
')
-+tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
-+ fs_manage_cifs_files(ftpd_t)
-+ fs_read_cifs_symlinks(ftpd_t)
-+')
-+
optional_policy(`
- corecmd_exec_shell(ftpd_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.43/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/hal.te 2006-06-06 11:58:26.000000000 -0400
-@@ -144,6 +144,10 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.44/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2006-06-06 22:21:54.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/hal.te 2006-06-08 09:47:42.000000000 -0400
+@@ -140,6 +140,8 @@
sysnet_read_config(hald_t)
-+# needed for nss_ldap
-+sysnet_use_ldap(hald_t)
-+miscfiles_read_certs(hald_t)
++auth_use_nsswitch(hald_t)
+
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-2.2.43/policy/modules/services/ldap.fc
---- nsaserefpolicy/policy/modules/services/ldap.fc 2005-10-06 17:29:17.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/ldap.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -8,3 +8,4 @@
-
- /var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
- /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.43/policy/modules/services/mysql.te
---- nsaserefpolicy/policy/modules/services/mysql.te 2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/mysql.te 2006-05-26 14:03:15.000000000 -0400
-@@ -33,6 +33,7 @@
- allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
- dontaudit mysqld_t self:capability sys_tty_config;
- allow mysqld_t self:process { setsched getsched setrlimit signal_perms };
-+allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
- allow mysqld_t self:fifo_file { read write };
- allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
- allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
-@@ -103,6 +104,7 @@
- logging_send_syslog_msg(mysqld_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.44/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/mysql.te 2006-06-08 09:48:34.000000000 -0400
+@@ -101,7 +101,7 @@
miscfiles_read_localization(mysqld_t)
-+miscfiles_read_certs(mysqld_t)
- sysnet_use_ldap(mysqld_t)
+-sysnet_use_ldap(mysqld_t)
++auth_use_nsswitch(mysqld_t)
sysnet_read_config(mysqld_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.2.43/policy/modules/services/networkmanager.fc
---- nsaserefpolicy/policy/modules/services/networkmanager.fc 2006-02-06 17:51:14.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/services/networkmanager.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -2,3 +2,4 @@
- /usr/(s)?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /var/run/NetworkManager.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
- /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.2.43/policy/modules/services/nscd.te
---- nsaserefpolicy/policy/modules/services/nscd.te 2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/nscd.te 2006-05-26 14:03:15.000000000 -0400
-@@ -133,3 +133,8 @@
- optional_policy(`
- udev_read_db(nscd_t)
- ')
-+
-+optional_policy(`
-+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-+ xen_append_log(nscd_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.43/policy/modules/services/ntp.te
---- nsaserefpolicy/policy/modules/services/ntp.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/ntp.te 2006-05-27 07:43:26.000000000 -0400
-@@ -112,6 +112,10 @@
+
+ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.2.44/policy/modules/services/ntp.te
+--- nsaserefpolicy/policy/modules/services/ntp.te 2006-06-06 22:21:55.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/ntp.te 2006-06-08 09:48:01.000000000 -0400
+@@ -112,6 +112,8 @@
sysnet_read_config(ntpd_t)
-+# nss_ldap
-+sysnet_use_ldap(ntpd_t)
-+miscfiles_read_certs(ntpd_t)
++auth_use_nsswitch(ntpd_t)
+
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
userdom_list_sysadm_home_dirs(ntpd_t)
userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.43/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.2.44/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/pegasus.if 2006-06-06 10:37:18.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.if 2006-06-08 09:43:08.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
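Review bot: In hal.te, mysql.te and ntp.te the pair `sysnet_use_ldap(...)` plus `miscfiles_read_certs(...)` is replaced by the single `auth_use_nsswitch(...)`, but the hunk does not show what that interface grants, so it is not visible whether the certificate read that the previous patch justified with `# needed for nss_ldap` is still covered; if auth_use_nsswitch does not include it, these three daemons silently lose LDAP-over-TLS name resolution. Keep a one-line reason on the new call, `# nss_ldap: name lookups via LDAP, including TLS certificates`, so the next reader knows why a login-oriented interface is attached to a daemon domain. The cups.te reordering of the three hplip optional_policy blocks appears behaviour-neutral.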
@@ -687,35 +205,10 @@
+ allow pegasus_t $1:fifo_file rw_file_perms;
+ allow pegasus_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.43/policy/modules/services/pegasus.te
---- nsaserefpolicy/policy/modules/services/pegasus.te 2006-04-26 11:23:32.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/pegasus.te 2006-06-06 11:11:18.000000000 -0400
-@@ -30,7 +30,7 @@
- # Local policy
- #
-
--allow pegasus_t self:capability { dac_override net_bind_service audit_write };
-+allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service audit_write };
- dontaudit pegasus_t self:capability sys_tty_config;
- allow pegasus_t self:process signal;
- allow pegasus_t self:fifo_file rw_file_perms;
-@@ -65,6 +65,7 @@
- kernel_read_fs_sysctls(pegasus_t)
- kernel_read_system_state(pegasus_t)
- kernel_search_vm_sysctl(pegasus_t)
-+kernel_read_net_sysctls(pegasus_t)
-
- corenet_tcp_sendrecv_all_if(pegasus_t)
- corenet_raw_sendrecv_all_if(pegasus_t)
-@@ -82,6 +83,7 @@
- corecmd_exec_sbin(pegasus_t)
- corecmd_exec_bin(pegasus_t)
- corecmd_exec_shell(pegasus_t)
-+can_exec(pegasus_t,pegasus_exec_t)
-
- dev_read_sysfs(pegasus_t)
- dev_read_urand(pegasus_t)
-@@ -94,13 +96,12 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.44/policy/modules/services/pegasus.te
+--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pegasus.te 2006-06-08 09:43:08.000000000 -0400
+@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -731,232 +224,44 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-@@ -108,6 +109,7 @@
- init_use_fds(pegasus_t)
- init_use_script_ptys(pegasus_t)
- init_rw_utmp(pegasus_t)
-+init_stream_connect_script(pegasus_t)
-
- libs_use_ld_so(pegasus_t)
- libs_use_shared_libs(pegasus_t)
-@@ -126,11 +128,16 @@
- unconfined_signull(pegasus_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.44/policy/modules/services/procmail.te
+--- nsaserefpolicy/policy/modules/services/procmail.te 2006-06-06 22:21:55.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/procmail.te 2006-06-08 09:43:08.000000000 -0400
+@@ -109,3 +109,8 @@
+ spamassassin_exec(procmail_t)
+ spamassassin_exec_client(procmail_t)
')
-
+
- optional_policy(`
- logging_send_syslog_msg(pegasus_t)
- ')
-
- optional_policy(`
-+ rpm_exec(pegasus_t)
++optional_policy(`
++ clamav_domtrans_clamscan(procmail_t)
+')
+
-+optional_policy(`
- nscd_socket_use(pegasus_t)
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.43/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2006-05-12 09:22:08.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/postfix.te 2006-05-26 14:03:15.000000000 -0400
-@@ -289,12 +289,12 @@
- mta_read_config(postfix_local_t)
-
- optional_policy(`
--# for postalias
-- mailman_read_data_files(postfix_local_t)
-+ procmail_domtrans(postfix_local_t)
- ')
-
- optional_policy(`
-- procmail_domtrans(postfix_local_t)
-+# for postalias
-+ mailman_manage_data_files(postfix_local_t)
- ')
-
- ########################################
-@@ -603,3 +603,4 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.44/policy/modules/services/pyzor.te
+--- nsaserefpolicy/policy/modules/services/pyzor.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/services/pyzor.te 2006-06-08 09:46:23.000000000 -0400
+@@ -126,3 +126,7 @@
optional_policy(`
- sasl_connect(postfix_smtpd_t)
+ nscd_socket_use(pyzord_t)
')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.43/policy/modules/services/pyzor.te
---- nsaserefpolicy/policy/modules/services/pyzor.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/pyzor.te 2006-05-26 14:03:15.000000000 -0400
-@@ -35,10 +35,20 @@
- allow pyzor_t pyzor_var_lib_t:file r_file_perms;
- files_search_var_lib(pyzor_t)
-
-+corenet_udp_sendrecv_all_if(pyzor_t)
-+corenet_udp_sendrecv_all_ports(pyzor_t)
-+
- files_read_etc_files(pyzor_t)
-
- auth_use_nsswitch(pyzor_t)
-
-+dev_read_urand(pyzor_t)
-+
-+corecmd_list_bin(pyzor_t)
-+corecmd_getattr_bin_files(pyzor_t)
-+kernel_read_kernel_sysctls(pyzor_t)
-+kernel_read_system_state(pyzor_t)
-+
- libs_use_ld_so(pyzor_t)
- libs_use_shared_libs(pyzor_t)
-
-@@ -46,6 +56,7 @@
-
- optional_policy(`
- amavis_manage_lib_files(pyzor_t)
-+ amavis_manage_spool_files(pyzor_t)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.43/policy/modules/services/rsync.te
---- nsaserefpolicy/policy/modules/services/rsync.te 2006-04-28 14:40:40.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/rsync.te 2006-05-26 14:03:15.000000000 -0400
-@@ -8,6 +8,7 @@
-
- type rsync_t;
- type rsync_exec_t;
-+corecmd_executable_file(rsync_exec_t)
- init_daemon_domain(rsync_t,rsync_exec_t)
- role system_r types rsync_t;
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.43/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te 2006-05-02 18:59:59.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/samba.te 2006-05-26 14:03:15.000000000 -0400
-@@ -222,9 +222,13 @@
-
- allow smbd_t winbind_var_run_t:sock_file { read write getattr };
-
-+rpc_search_nfs_state_data(smbd_t)
-+fs_getattr_rpc_dirs(smbd_t)
-+
- kernel_getattr_core_if(smbd_t)
- kernel_getattr_message_if(smbd_t)
- kernel_read_network_state(smbd_t)
-+kernel_read_fs_sysctls(smbd_t)
- kernel_read_kernel_sysctls(smbd_t)
- kernel_read_software_raid_state(smbd_t)
- kernel_read_system_state(smbd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.43/policy/modules/services/spamassassin.fc
---- nsaserefpolicy/policy/modules/services/spamassassin.fc 2006-04-19 11:26:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/spamassassin.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -5,6 +5,7 @@
-
- /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
- /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
-+/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
-
- ifdef(`strict_policy',`
- HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.43/policy/modules/services/spamassassin.te
---- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-05-05 16:44:48.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/spamassassin.te 2006-05-26 14:03:15.000000000 -0400
-@@ -20,6 +20,9 @@
- type spamd_var_run_t;
- files_pid_file(spamd_var_run_t)
-
-+type spamd_spool_t;
-+files_type(spamd_spool_t)
-+
- type spamassassin_exec_t;
- corecmd_executable_file(spamassassin_exec_t)
-
-@@ -57,6 +60,10 @@
- allow spamd_t spamd_var_run_t:dir rw_dir_perms;
- files_pid_filetrans(spamd_t,spamd_var_run_t,file)
-
-+allow spamd_t spamd_spool_t:file create_file_perms;
-+allow spamd_t spamd_spool_t:dir create_dir_perms;
-+files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
-+
- kernel_read_all_sysctls(spamd_t)
- kernel_read_system_state(spamd_t)
- kernel_tcp_recvfrom(spamd_t)
-@@ -98,6 +105,7 @@
- files_read_usr_files(spamd_t)
- files_read_etc_files(spamd_t)
- files_read_etc_runtime_files(spamd_t)
-+files_search_var_lib(spamd_t)
-
- init_use_fds(spamd_t)
- init_use_script_ptys(spamd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.43/policy/modules/services/xfs.te
++ifdef(`targeted_policy',`
++ userdom_read_generic_user_home_content_files(pyzord_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.44/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/xfs.te 2006-05-27 07:43:52.000000000 -0400
-@@ -69,6 +69,10 @@
++++ serefpolicy-2.2.44/policy/modules/services/xfs.te 2006-06-08 09:47:04.000000000 -0400
+@@ -69,6 +69,8 @@
miscfiles_read_localization(xfs_t)
miscfiles_read_fonts(xfs_t)
-+# nss_ldap
-+sysnet_use_ldap(xfs_t)
-+miscfiles_read_certs(xfs_t)
++auth_use_nsswitch(xfs_t)
+
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.43/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/services/xserver.if 2006-05-26 14:03:15.000000000 -0400
-@@ -1073,6 +1073,7 @@
- allow $1 xdm_xserver_tmp_t:file { getattr read };
- ')
-
-+
- ########################################
- ## <summary>
- ## Kill XDM X servers
-@@ -1109,3 +1110,45 @@
-
- dontaudit $1 xdm_xserver_t:tcp_socket { read write };
- ')
-+
-+
-+########################################
-+## <summary>
-+## Connect to xdm_xserver over a unix domain
-+## stream socket.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`xserver_stream_connect',`
-+ gen_require(`
-+ type xdm_xserver_t;
-+ ')
-+
-+ allow $1 xdm_xserver_t:unix_stream_socket connectto;
-+')
-+
-+
-+
-+########################################
-+## <summary>
-+## write xdm temporary socket files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit
-+## </summary>
-+## </param>
-+#
-+interface(`xserver_write_xdm_xserver_tmp_sockets',`
-+ gen_require(`
-+ type xdm_xserver_tmp_t;
-+ ')
-+
-+ allow $1 xdm_xserver_tmp_t:sock_file write;
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.43/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.44/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/system/hostname.te 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/hostname.te 2006-06-08 09:43:08.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
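Review bot: `userdom_read_generic_user_home_content_files(pyzord_t)` in the new pyzor.te hunk gives the pyzord daemon read access to every user's generic home content under targeted policy, which is broad for a network-facing service that should only need its own database. If the motivation is a per-user pyzord whose database lives under $HOME, a dedicated file type or a boolean would narrow the exposure; nothing in the hunk records why the access is needed. At minimum the rule deserves a why-comment, e.g. `# pyzord locates its database under the invoking user's home — TODO confirm and narrow`. Only three context lines of pyzor.te are visible, so the surrounding rules are outside this hunk.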
@@ -969,10 +274,10 @@
role system_r types hostname_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.43/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/init.te 2006-05-26 14:03:15.000000000 -0400
-@@ -348,6 +348,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.44/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2006-06-06 22:21:56.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/init.te 2006-06-08 09:43:08.000000000 -0400
+@@ -345,6 +345,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -980,23 +285,10 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.43/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/libraries.fc 2006-06-06 15:41:44.000000000 -0400
-@@ -34,8 +34,10 @@
- #
- /lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
- /lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
--/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
--/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-+/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-+/lib64/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-+/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-+/lib64/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-
- ifdef(`distro_gentoo',`
- /lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
-@@ -43,6 +45,9 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.44/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/libraries.fc 2006-06-08 09:43:08.000000000 -0400
+@@ -48,6 +48,9 @@
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
@@ -1006,45 +298,9 @@
#
# /opt
#
-@@ -56,6 +61,7 @@
- /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cisco-vpnclient/lib/libvpnapi.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- ifdef(`distro_gentoo',`
- /opt/netscape/plugins/libflashplayer.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -115,6 +121,7 @@
-
- /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xorg/modules/drivers/fglx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- ifdef(`distro_redhat',`
-@@ -226,7 +233,14 @@
- /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/matlab.*/bin/glnx86/libmwlapack.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
-+/usr/lib/acroread/(.*/)?sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/(.*/)?nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- ') dnl end distro_redhat
-
- #
-@@ -248,3 +262,4 @@
- /var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.43/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/logging.te 2006-05-26 14:03:15.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.44/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/logging.te 2006-06-08 09:43:08.000000000 -0400
@@ -14,10 +14,14 @@
role system_r types auditctl_t;
@@ -1060,32 +316,49 @@
type auditd_t;
# real declaration moved to mls until
-@@ -134,7 +138,11 @@
+@@ -123,9 +127,8 @@
+ files_pid_filetrans(auditd_t,auditd_var_run_t,file)
+
+ kernel_read_kernel_sysctls(auditd_t)
+-# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+-# Probably want a transition, and a new auditd_helper app
+-kernel_read_system_state(auditd_t)
++kernel_list_proc(auditd_t)
++kernel_read_proc_symlinks(auditd_t)
+
+ dev_read_sysfs(auditd_t)
+
+@@ -134,11 +137,12 @@
+
term_dontaudit_use_console(auditd_t)
- # cjp: why?
-+# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
-+# Probably want a transition, and a new auditd_helper app
++# cjp: why?
+ # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
corecmd_exec_sbin(auditd_t)
-+corecmd_exec_bin(auditd_t)
+ corecmd_exec_bin(auditd_t)
+-
+kernel_read_system_state(auditd_t)
domain_use_interactive_fds(auditd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.43/policy/modules/system/unconfined.fc
---- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-01-06 17:55:18.000000000 -0500
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.fc 2006-06-06 12:30:30.000000000 -0400
-@@ -3,3 +3,7 @@
- # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.2.44/policy/modules/system/unconfined.fc
+--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.fc 2006-06-08 09:43:08.000000000 -0400
+@@ -4,7 +4,6 @@
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
-+
+
+-ifdef(`targeted_policy',`
+-/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+-')
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.43/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.44/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.if 2006-06-06 12:30:13.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.if 2006-06-08 09:43:08.000000000 -0400
@@ -449,3 +449,31 @@
allow $1 unconfined_t:dbus acquire_svc;
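Review bot: The unconfined.fc hunk drops the `ifdef(`targeted_policy',` guard so the openoffice, valgrind and newly added `/usr/bin/mplayer` entries are labelled unconfined_execmem_exec_t under every policy flavour, while the unconfined.te hunk further down still keeps the unconfined_execmem_t rules under `ifdef(`targeted_policy',`. If the type declarations are likewise targeted-only (their location is not visible in this diff), the strict and mls file_contexts builds would reference an undeclared type, so confirm where unconfined_execmem_exec_t is declared before unguarding the labels. Once verified, a one-line comment above the entries such as `# unconfined_execmem_exec_t is declared unconditionally in unconfined.te` would make the dependency explicit.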
@@ -1118,23 +391,19 @@
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.43/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/unconfined.te 2006-06-06 12:29:22.000000000 -0400
-@@ -13,7 +13,11 @@
- ')
- type unconfined_exec_t;
- init_system_domain(unconfined_t,unconfined_exec_t)
--role system_r types unconfined_t;
-+
-+type unconfined_execmem_t;
-+type unconfined_execmem_exec_t;
-+init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
-+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.44/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/unconfined.te 2006-06-08 09:43:08.000000000 -0400
+@@ -33,8 +33,6 @@
+ allow unconfined_t self:system syslog_read;
+ dontaudit unconfined_t self:capability sys_module;
- ########################################
- #
-@@ -107,6 +111,10 @@
+- domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+-
+ files_create_boot_flag(unconfined_t)
+
+ init_domtrans_script(unconfined_t)
+@@ -114,6 +112,10 @@
')
optional_policy(`
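Review bot: Removing `domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)` from the unconditional part of unconfined.te means that, unless the transition is re-added elsewhere, executables labelled unconfined_execmem_exec_t (valgrind, openoffice and mplayer per unconfined.fc) keep running as unconfined_t and the execmem/execstack separation the dedicated domain exists for no longer applies. The targeted-policy local section where the transition presumably now lives is outside this hunk, so that cannot be confirmed here. A comment at the new location such as `# transition to unconfined_execmem_t is defined in the targeted_policy block below` would stop the next reader from re-adding it unconditionally.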
@@ -1145,7 +414,7 @@
lpd_domtrans_checkpc(unconfined_t)
')
-@@ -173,4 +181,19 @@
+@@ -180,11 +182,16 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
@@ -1154,21 +423,25 @@
+ pegasus_domtrans(unconfined_t)
+ ')
+
-+')
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+ allow unconfined_execmem_t self:process { execstack execmem };
-+ unconfined_domain_noaudit(unconfined_execmem_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.43/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2006-05-17 10:54:31.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/userdomain.te 2006-05-26 14:03:15.000000000 -0400
-@@ -6,6 +6,7 @@
+
+ ########################################
+ #
+-# Unconfined Execmem Local policy
++# Local policy
+ #
+
+ ifdef(`targeted_policy',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.44/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.2.44/policy/modules/system/userdomain.te 2006-06-08 09:43:08.000000000 -0400
+@@ -1,11 +1,12 @@
+
+-policy_module(userdomain,1.3.27)
++policy_module(userdomain,1.3.26)
+
+ gen_require(`
+ role sysadm_r, staff_r, user_r;
ifdef(`enable_mls',`
role secadm_r;
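Review bot: The userdomain.te hunk changes `policy_module(userdomain,1.3.27)` to `policy_module(userdomain,1.3.26)`, moving the module version backwards relative to what the previous patch carried. Module versions are what semodule compares when deciding whether a loaded module is being upgraded, so a lower number in a package that otherwise supersedes 2.2.43-4 may be refused or mislead at upgrade time; if upstream 2.2.44 already ships 1.3.27 and the local patch only adds rules, keeping 1.3.27 or bumping to 1.3.28 avoids that. The rest of userdomain.te is outside this hunk.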
@@ -1263,7 +536,7 @@
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -248,6 +279,7 @@
+@@ -252,6 +283,7 @@
ifdef(`enable_mls',`
consoletype_exec(secadm_t)
@@ -1271,7 +544,7 @@
')
')
-@@ -266,6 +298,7 @@
+@@ -270,6 +302,7 @@
ifdef(`enable_mls',`
dmesg_exec(secadm_t)
@@ -1279,106 +552,9 @@
')
')
-@@ -428,6 +461,7 @@
- optional_policy(`
- sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
- sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
-+ consoletype_run(sysadm_t,sysadm_r,admin_terminal)
- ')
-
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.43/policy/modules/system/xen.fc
---- nsaserefpolicy/policy/modules/system/xen.fc 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/xen.fc 2006-05-26 14:03:15.000000000 -0400
-@@ -16,3 +16,4 @@
- /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
- /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
- /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
-+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.43/policy/modules/system/xen.if
---- nsaserefpolicy/policy/modules/system/xen.if 2006-05-03 16:01:26.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/xen.if 2006-05-26 14:03:15.000000000 -0400
-@@ -124,6 +124,6 @@
-
- domain_auto_trans($1,xm_exec_t,xm_t)
- allow xm_t $1:fd use;
-- allow xm_t:$1:fifo_file rw_file_perms;
-+ allow xm_t $1:fifo_file rw_file_perms;
- allow xm_t $1:process sigchld;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.43/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/modules/system/xen.te 2006-05-26 14:03:15.000000000 -0400
-@@ -50,6 +50,10 @@
- domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
- role system_r types xenconsoled_t;
-
-+# Xen Image files
-+type xen_image_t; # customizable
-+files_type(xen_image_t)
-+
- # pid files
- type xenconsoled_var_run_t;
- files_pid_file(xenconsoled_var_run_t)
-@@ -74,6 +78,11 @@
- allow xend_t self:tcp_socket create_stream_socket_perms;
- allow xend_t self:packet_socket create_socket_perms;
-
-+files_etc_filetrans_etc_runtime(xend_t,file)
-+
-+allow xend_t xen_image_t:dir r_dir_perms;
-+allow xend_t xen_image_t:file r_file_perms;
-+
- # pid file
- allow xend_t xend_var_run_t:file manage_file_perms;
- allow xend_t xend_var_run_t:sock_file manage_file_perms;
-@@ -89,8 +98,9 @@
- # var/lib files for xend
- allow xend_t xend_var_lib_t:file create_file_perms;
- allow xend_t xend_var_lib_t:sock_file create_file_perms;
-+allow xend_t xend_var_lib_t:fifo_file create_file_perms;
- allow xend_t xend_var_lib_t:dir create_dir_perms;
--files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
-+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir })
-
- # transition to store
- domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-@@ -113,6 +123,7 @@
- corecmd_exec_bin(xend_t)
- corecmd_exec_shell(xend_t)
-
-+corenet_tcp_bind_all_nodes(xend_t)
- corenet_tcp_sendrecv_all_if(xend_t)
- corenet_tcp_sendrecv_all_nodes(xend_t)
- corenet_tcp_sendrecv_all_ports(xend_t)
-@@ -242,7 +253,7 @@
- # xm local policy
- #
-
--allow xm_t self:capability dac_override;
-+allow xm_t self:capability { dac_override ipc_lock };
- # internal communication is often done using fifo and unix sockets.
- allow xm_t self:fifo_file { read write };
- allow xm_t self:unix_stream_socket create_stream_socket_perms;
-@@ -270,3 +281,15 @@
- xen_append_log(xm_t)
- xen_stream_connect(xm_t)
- xen_stream_connect_xenstore(xm_t)
-+
-+files_list_mnt(xm_t)
-+
-+init_rw_script_stream_sockets(xm_t)
-+
-+files_read_etc_runtime_files(xm_t)
-+files_read_usr_files(xm_t)
-+
-+files_search_var_lib(xm_t)
-+allow xm_t xend_var_lib_t:dir rw_dir_perms;
-+allow xm_t xend_var_lib_t:fifo_file create_file_perms;
-+allow xm_t xend_var_lib_t:file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.43/policy/rolemap
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.44/policy/rolemap
--- nsaserefpolicy/policy/rolemap 2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.43/policy/rolemap 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/rolemap 2006-06-08 09:43:08.000000000 -0400
@@ -15,5 +15,6 @@
ifdef(`enable_mls',`
@@ -1386,9 +562,9 @@
+ auditadm_r auditadm auditadm_t
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.43/policy/support/misc_macros.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_macros.spt serefpolicy-2.2.44/policy/support/misc_macros.spt
--- nsaserefpolicy/policy/support/misc_macros.spt 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.2.43/policy/support/misc_macros.spt 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/support/misc_macros.spt 2006-06-08 09:43:08.000000000 -0400
@@ -37,7 +37,7 @@
#
# gen_context(context,mls_sensitivity,[mcs_categories])
@@ -1398,9 +574,9 @@
########################################
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.43/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.44/policy/users
--- nsaserefpolicy/policy/users 2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.43/policy/users 2006-05-26 14:03:15.000000000 -0400
++++ serefpolicy-2.2.44/policy/users 2006-06-08 09:43:08.000000000 -0400
@@ -29,7 +29,7 @@
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
@@ -1421,15 +597,3 @@
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.43/Rules.modular
---- nsaserefpolicy/Rules.modular 2006-05-26 14:02:26.000000000 -0400
-+++ serefpolicy-2.2.43/Rules.modular 2006-05-26 14:03:15.000000000 -0400
-@@ -31,7 +31,7 @@
- vpath %.if $(ALL_LAYERS)
- vpath %.fc $(ALL_LAYERS)
-
--.SECONDARY:
-+#.SECONDARY:
-
- ########################################
- #
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.202
retrieving revision 1.203
diff -u -r1.202 -r1.203
--- selinux-policy.spec 6 Jun 2006 21:33:13 -0000 1.202
+++ selinux-policy.spec 8 Jun 2006 14:03:38 -0000 1.203
@@ -15,12 +15,12 @@
%define CHECKPOLICYVER 1.30.4-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.43
-Release: 4
+Version: 2.2.44
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-20060505.patch
+patch: policy-20060608.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@@ -335,6 +335,9 @@
%endif
%changelog
+* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.44-1
+- Update from upstream
+
* Tue Jun 6 2006 Dan Walsh <dwalsh at redhat.com> 2.2.43-4
- Add oprofilefs