rpms/selinux-policy/devel policy-20060207.patch, 1.44, 1.45 selinux-policy.spec, 1.145, 1.146
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Mar 9 15:34:54 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv21674
Modified Files:
policy-20060207.patch selinux-policy.spec
Log Message:
* Thu Mar 9 2006 Dan Walsh <dwalsh at redhat.com> 2.2.23-12
- Fixes for Xen
- enableaudit should not be the same as base.pp
- Allow ps to work for all processes
policy-20060207.patch:
Rules.modular | 2
policy/mcs | 4
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.fc | 2
policy/modules/admin/su.fc | 1
policy/modules/admin/su.if | 6
policy/modules/admin/vbetool.te | 5
policy/modules/kernel/corenetwork.te.in | 3
policy/modules/kernel/devices.fc | 1
policy/modules/kernel/devices.if | 20 ++-
policy/modules/kernel/files.fc | 8 -
policy/modules/kernel/files.if | 20 ++-
policy/modules/kernel/filesystem.te | 1
policy/modules/kernel/kernel.if | 102 +++++++++++++++
policy/modules/kernel/kernel.te | 3
policy/modules/services/apache.fc | 2
policy/modules/services/apache.if | 5
policy/modules/services/apm.fc | 2
policy/modules/services/apm.te | 4
policy/modules/services/bluetooth.te | 19 +-
policy/modules/services/cron.te | 3
policy/modules/services/cups.fc | 2
policy/modules/services/cups.if | 22 +++
policy/modules/services/cups.te | 7 -
policy/modules/services/cvs.te | 2
policy/modules/services/hal.if | 41 ++++++
policy/modules/services/hal.te | 8 +
policy/modules/services/ktalk.fc | 1
policy/modules/services/ktalk.te | 6
policy/modules/services/mailman.if | 25 +++
policy/modules/services/nscd.if | 2
policy/modules/services/postfix.te | 4
policy/modules/services/samba.te | 2
policy/modules/system/fstools.te | 1
policy/modules/system/init.te | 5
policy/modules/system/libraries.fc | 2
policy/modules/system/locallogin.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 3
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/selinuxutil.te | 4
policy/modules/system/sysnetwork.te | 3
policy/modules/system/udev.te | 2
policy/modules/system/unconfined.te | 8 -
policy/modules/system/xend.fc | 22 +++
policy/modules/system/xend.if | 71 +++++++++++
policy/modules/system/xend.te | 206 ++++++++++++++++++++++++++++++++
support/Makefile.devel | 5
48 files changed, 629 insertions(+), 48 deletions(-)
Index: policy-20060207.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060207.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- policy-20060207.patch 9 Mar 2006 05:09:45 -0000 1.44
+++ policy-20060207.patch 9 Mar 2006 15:34:49 -0000 1.45
@@ -1,6 +1,20 @@
-diff -urN nsarefpolicy/policy/modules/admin/readahead.te serefpolicy/policy/modules/admin/readahead.te
---- nsarefpolicy/policy/modules/admin/readahead.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/admin/readahead.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.2.23/policy/mcs
+--- nsaserefpolicy/policy/mcs 2006-02-16 14:46:56.000000000 -0500
++++ serefpolicy-2.2.23/policy/mcs 2006-03-09 10:26:36.000000000 -0500
+@@ -141,9 +141,7 @@
+
+ mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2));
+
+-mlsconstrain file { read } ((h1 dom h2) or
+- ( t1 == mlsfileread ));
+-
++mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread ));
+
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.2.23/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te 2006-03-04 00:06:33.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/admin/readahead.te 2006-03-07 13:42:37.000000000 -0500
@@ -18,7 +18,7 @@
# Local policy
#
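Review bot: The new `( t2 == domain )` clause on the `mlsconstrain file { read }` line in the policy/mcs part of this hunk exempts every file-class object whose type carries the domain attribute from the category-dominance check, and nothing next to it records that the target is /proc/&lt;pid&gt; entries (the "Allow ps to work for all process" item in the log). A reader of policy/mcs sees only a relaxation of the read constraint, so I would put the rationale on the line above it: `# /proc/<pid> entries are labeled with the process domain; exempt them from the category check so ps can list processes in other categories`. Because the exemption is keyed on an attribute rather than a specific type, it is worth confirming that no other file-class objects are labeled with domain types before this ships; that cannot be checked from the hunk. The remaining hunks in this revision mostly rewrite the inner diff headers (`diff -urN` to `diff --exclude-from`) and need no review.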
@@ -10,9 +24,9 @@
allow readahead_t self:process signal_perms;
allow readahead_t readahead_var_run_t:file create_file_perms;
-diff -urN nsarefpolicy/policy/modules/admin/rpm.fc serefpolicy/policy/modules/admin/rpm.fc
---- nsarefpolicy/policy/modules/admin/rpm.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/admin/rpm.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.23/policy/modules/admin/rpm.fc
+--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-01-27 21:35:04.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/admin/rpm.fc 2006-03-07 15:39:28.000000000 -0500
@@ -25,7 +25,7 @@
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -22,17 +36,17 @@
# SuSE
ifdef(`distro_suse', `
-diff -urN nsarefpolicy/policy/modules/admin/su.fc serefpolicy/policy/modules/admin/su.fc
---- nsarefpolicy/policy/modules/admin/su.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/admin/su.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.fc serefpolicy-2.2.23/policy/modules/admin/su.fc
+--- nsaserefpolicy/policy/modules/admin/su.fc 2005-11-14 18:24:06.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/admin/su.fc 2006-03-07 13:42:37.000000000 -0500
@@ -2,3 +2,4 @@
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
/usr(/local)?/bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
-diff -urN nsarefpolicy/policy/modules/admin/su.if serefpolicy/policy/modules/admin/su.if
---- nsarefpolicy/policy/modules/admin/su.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/admin/su.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.2.23/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if 2006-03-04 00:06:33.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/admin/su.if 2006-03-07 13:42:37.000000000 -0500
@@ -141,10 +141,10 @@
# By default, revert to the calling domain when a shell is executed.
@@ -47,9 +61,9 @@
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
-diff -urN nsarefpolicy/policy/modules/admin/vbetool.te serefpolicy/policy/modules/admin/vbetool.te
---- nsarefpolicy/policy/modules/admin/vbetool.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/admin/vbetool.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-2.2.23/policy/modules/admin/vbetool.te
+--- nsaserefpolicy/policy/modules/admin/vbetool.te 2006-02-01 08:23:27.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/admin/vbetool.te 2006-03-07 13:42:37.000000000 -0500
@@ -15,6 +15,7 @@
# Local policy
#
@@ -66,9 +80,9 @@
+optional_policy(`hal',`
+ hal_rw_var_run(vbetool_t)
+')
-diff -urN nsarefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy/policy/modules/kernel/corenetwork.te.in
---- nsarefpolicy/policy/modules/kernel/corenetwork.te.in 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/corenetwork.te.in 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.23/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-02-20 14:07:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/corenetwork.te.in 2006-03-07 13:42:37.000000000 -0500
@@ -66,7 +66,7 @@
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
@@ -86,9 +100,20 @@
network_port(zebra, tcp,2601,s0)
network_port(zope, tcp,8021,s0)
-diff -urN nsarefpolicy/policy/modules/kernel/devices.if serefpolicy/policy/modules/kernel/devices.if
---- nsarefpolicy/policy/modules/kernel/devices.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/devices.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.23/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-02-27 17:17:23.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/devices.fc 2006-03-08 17:34:22.000000000 -0500
+@@ -33,6 +33,7 @@
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
++/dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
+ /dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.23/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-02-23 09:25:08.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/devices.if 2006-03-08 10:58:05.000000000 -0500
@@ -2384,7 +2384,7 @@
')
@@ -120,9 +145,9 @@
+ dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
-diff -urN nsarefpolicy/policy/modules/kernel/files.fc serefpolicy/policy/modules/kernel/files.fc
---- nsarefpolicy/policy/modules/kernel/files.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/files.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.23/policy/modules/kernel/files.fc
+--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-03-04 00:06:34.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/files.fc 2006-03-08 16:26:29.000000000 -0500
@@ -45,7 +45,7 @@
/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -159,9 +184,9 @@
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
HOME_ROOT/lost\+found/.* <<none>>
-diff -urN nsarefpolicy/policy/modules/kernel/files.if serefpolicy/policy/modules/kernel/files.if
---- nsarefpolicy/policy/modules/kernel/files.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/files.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.23/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2006-03-04 00:06:34.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/files.if 2006-03-07 13:42:37.000000000 -0500
@@ -1648,6 +1648,21 @@
')
@@ -200,17 +225,17 @@
')
########################################
-diff -urN nsarefpolicy/policy/modules/kernel/filesystem.te serefpolicy/policy/modules/kernel/filesystem.te
---- nsarefpolicy/policy/modules/kernel/filesystem.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/filesystem.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.2.23/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-02-14 07:20:25.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/filesystem.te 2006-03-08 11:55:28.000000000 -0500
@@ -167,3 +167,4 @@
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
-diff -urN nsarefpolicy/policy/modules/kernel/kernel.if serefpolicy/policy/modules/kernel/kernel.if
---- nsarefpolicy/policy/modules/kernel/kernel.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/kernel.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.23/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-03-04 00:06:34.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/kernel.if 2006-03-07 14:00:35.000000000 -0500
@@ -1044,6 +1044,7 @@
allow $1 proc_t:dir search;
@@ -331,9 +356,9 @@
+ allow $1 proc_xen_t:dir r_dir_perms;
+ allow $1 proc_xen_t:file write;
+')
-diff -urN nsarefpolicy/policy/modules/kernel/kernel.te serefpolicy/policy/modules/kernel/kernel.te
---- nsarefpolicy/policy/modules/kernel/kernel.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/kernel/kernel.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.23/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-02-07 10:43:26.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/kernel/kernel.te 2006-03-07 13:42:37.000000000 -0500
@@ -75,6 +75,9 @@
type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
@@ -344,9 +369,9 @@
#
# Sysctl types
#
-diff -urN nsarefpolicy/policy/modules/services/apache.fc serefpolicy/policy/modules/services/apache.fc
---- nsarefpolicy/policy/modules/services/apache.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/apache.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.2.23/policy/modules/services/apache.fc
+--- nsaserefpolicy/policy/modules/services/apache.fc 2006-02-27 17:17:23.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/apache.fc 2006-03-07 13:42:37.000000000 -0500
@@ -15,6 +15,7 @@
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
@@ -360,9 +385,9 @@
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/selinux-policy([^/]*)?/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-diff -urN nsarefpolicy/policy/modules/services/apache.if serefpolicy/policy/modules/services/apache.if
---- nsarefpolicy/policy/modules/services/apache.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/apache.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.23/policy/modules/services/apache.if
+--- nsaserefpolicy/policy/modules/services/apache.if 2006-03-04 00:06:35.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/apache.if 2006-03-07 13:42:37.000000000 -0500
@@ -12,6 +12,11 @@
## </param>
#
@@ -375,9 +400,9 @@
# allow write access to public file transfer
# services files.
gen_tunable(allow_httpd_$1_script_anon_write,false)
-diff -urN nsarefpolicy/policy/modules/services/apm.fc serefpolicy/policy/modules/services/apm.fc
---- nsarefpolicy/policy/modules/services/apm.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/apm.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.fc serefpolicy-2.2.23/policy/modules/services/apm.fc
+--- nsaserefpolicy/policy/modules/services/apm.fc 2005-11-14 18:24:08.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/apm.fc 2006-03-07 15:38:20.000000000 -0500
@@ -11,7 +11,7 @@
#
# /var
@@ -387,9 +412,9 @@
/var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
/var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
-diff -urN nsarefpolicy/policy/modules/services/apm.te serefpolicy/policy/modules/services/apm.te
---- nsarefpolicy/policy/modules/services/apm.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/apm.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.2.23/policy/modules/services/apm.te
+--- nsaserefpolicy/policy/modules/services/apm.te 2006-03-04 00:06:35.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/apm.te 2006-03-08 13:36:37.000000000 -0500
@@ -225,6 +225,10 @@
pcmcia_domtrans_cardctl(apmd_t)
')
@@ -401,9 +426,9 @@
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(apmd_t)
')
-diff -urN nsarefpolicy/policy/modules/services/bluetooth.te serefpolicy/policy/modules/services/bluetooth.te
---- nsarefpolicy/policy/modules/services/bluetooth.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/bluetooth.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.23/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-03-04 00:06:35.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/bluetooth.te 2006-03-08 11:35:36.000000000 -0500
@@ -115,6 +115,7 @@
corecmd_exec_shell(bluetooth_t)
@@ -463,9 +488,9 @@
+
+ xserver_stream_connect_xdm(bluetooth_helper_t)
')
-diff -urN nsarefpolicy/policy/modules/services/cron.te serefpolicy/policy/modules/services/cron.te
---- nsarefpolicy/policy/modules/services/cron.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/cron.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.23/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-03-04 00:06:35.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/cron.te 2006-03-07 13:42:37.000000000 -0500
@@ -166,6 +166,9 @@
allow crond_t unconfined_t:dbus send_msg;
@@ -476,9 +501,9 @@
',`
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
-diff -urN nsarefpolicy/policy/modules/services/cups.fc serefpolicy/policy/modules/services/cups.fc
---- nsarefpolicy/policy/modules/services/cups.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/cups.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.2.23/policy/modules/services/cups.fc
+--- nsaserefpolicy/policy/modules/services/cups.fc 2005-11-14 18:24:08.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/cups.fc 2006-03-07 13:42:37.000000000 -0500
@@ -43,7 +43,7 @@
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
@@ -488,9 +513,9 @@
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
-diff -urN nsarefpolicy/policy/modules/services/cups.if serefpolicy/policy/modules/services/cups.if
---- nsarefpolicy/policy/modules/services/cups.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/cups.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.23/policy/modules/services/cups.if
+--- nsaserefpolicy/policy/modules/services/cups.if 2006-02-23 09:25:09.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/cups.if 2006-03-07 13:42:37.000000000 -0500
@@ -226,3 +226,25 @@
allow cupsd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
@@ -517,9 +542,9 @@
+ allow $1 cupsd_t:unix_stream_socket connectto;
+')
+
-diff -urN nsarefpolicy/policy/modules/services/cups.te serefpolicy/policy/modules/services/cups.te
---- nsarefpolicy/policy/modules/services/cups.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/cups.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.23/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2006-03-04 00:06:35.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/cups.te 2006-03-07 13:42:37.000000000 -0500
@@ -77,7 +77,7 @@
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
allow cupsd_t self:process { setsched signal_perms };
@@ -562,9 +587,9 @@
')
########################################
-diff -urN nsarefpolicy/policy/modules/services/cvs.te serefpolicy/policy/modules/services/cvs.te
---- nsarefpolicy/policy/modules/services/cvs.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/cvs.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.23/policy/modules/services/cvs.te
+--- nsaserefpolicy/policy/modules/services/cvs.te 2006-03-04 00:06:35.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/cvs.te 2006-03-07 13:42:37.000000000 -0500
@@ -11,7 +11,7 @@
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
role system_r types cvs_t;
@@ -574,9 +599,9 @@
files_type(cvs_data_t)
type cvs_tmp_t;
-diff -urN nsarefpolicy/policy/modules/services/hal.if serefpolicy/policy/modules/services/hal.if
---- nsarefpolicy/policy/modules/services/hal.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/hal.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.2.23/policy/modules/services/hal.if
+--- nsaserefpolicy/policy/modules/services/hal.if 2006-03-04 00:06:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/hal.if 2006-03-07 13:42:37.000000000 -0500
@@ -100,3 +100,44 @@
allow $1 hald_t:dbus send_msg;
allow hald_t $1:dbus send_msg;
@@ -622,9 +647,9 @@
+ allow $1 hald_var_run_t:file rw_file_perms;
+')
+
-diff -urN nsarefpolicy/policy/modules/services/hal.te serefpolicy/policy/modules/services/hal.te
---- nsarefpolicy/policy/modules/services/hal.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/hal.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.23/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2006-03-04 00:06:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/hal.te 2006-03-08 15:25:53.000000000 -0500
@@ -48,6 +48,7 @@
kernel_read_network_state(hald_t)
kernel_read_kernel_sysctls(hald_t)
@@ -661,17 +686,17 @@
optional_policy(`mount',`
mount_domtrans(hald_t)
')
-diff -urN nsarefpolicy/policy/modules/services/ktalk.fc serefpolicy/policy/modules/services/ktalk.fc
---- nsarefpolicy/policy/modules/services/ktalk.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/ktalk.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.fc serefpolicy-2.2.23/policy/modules/services/ktalk.fc
+--- nsaserefpolicy/policy/modules/services/ktalk.fc 2006-02-20 14:07:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/ktalk.fc 2006-03-07 13:42:37.000000000 -0500
@@ -1,3 +1,4 @@
/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
+/var/log/talkd.* -- gen_context(system_u:object_r:ktalkd_log_t,s0)
-diff -urN nsarefpolicy/policy/modules/services/ktalk.te serefpolicy/policy/modules/services/ktalk.te
---- nsarefpolicy/policy/modules/services/ktalk.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/ktalk.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-2.2.23/policy/modules/services/ktalk.te
+--- nsaserefpolicy/policy/modules/services/ktalk.te 2006-03-04 00:06:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/ktalk.te 2006-03-07 13:42:37.000000000 -0500
@@ -14,6 +14,9 @@
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
@@ -695,9 +720,9 @@
miscfiles_read_localization(ktalkd_t)
-diff -urN nsarefpolicy/policy/modules/services/mailman.if serefpolicy/policy/modules/services/mailman.if
---- nsarefpolicy/policy/modules/services/mailman.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/mailman.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-2.2.23/policy/modules/services/mailman.if
+--- nsaserefpolicy/policy/modules/services/mailman.if 2006-03-04 00:06:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/mailman.if 2006-03-08 16:59:01.000000000 -0500
@@ -275,3 +275,28 @@
allow $1 mailman_archive_t:file r_file_perms;
allow $1 mailman_archive_t:lnk_file { getattr read };
@@ -727,9 +752,9 @@
+ allow mailman_queue_t $1:process sigchld;
+')
+
-diff -urN nsarefpolicy/policy/modules/services/nscd.if serefpolicy/policy/modules/services/nscd.if
---- nsarefpolicy/policy/modules/services/nscd.if 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/nscd.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.2.23/policy/modules/services/nscd.if
+--- nsaserefpolicy/policy/modules/services/nscd.if 2006-02-10 21:34:14.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/nscd.if 2006-03-07 13:42:37.000000000 -0500
@@ -49,8 +49,8 @@
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
@@ -740,9 +765,9 @@
dontaudit $1 nscd_var_run_t:file { getattr read };
')
-diff -urN nsarefpolicy/policy/modules/services/postfix.te serefpolicy/policy/modules/services/postfix.te
---- nsarefpolicy/policy/modules/services/postfix.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/postfix.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.23/policy/modules/services/postfix.te
+--- nsaserefpolicy/policy/modules/services/postfix.te 2006-03-04 00:06:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/postfix.te 2006-03-08 16:58:41.000000000 -0500
@@ -406,6 +406,10 @@
procmail_domtrans(postfix_pipe_t)
')
@@ -754,9 +779,9 @@
########################################
#
# Postfix postdrop local policy
-diff -urN nsarefpolicy/policy/modules/services/samba.te serefpolicy/policy/modules/services/samba.te
---- nsarefpolicy/policy/modules/services/samba.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/services/samba.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.23/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te 2006-03-04 00:06:36.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/services/samba.te 2006-03-07 13:42:37.000000000 -0500
@@ -32,7 +32,7 @@
type samba_secrets_t;
files_type(samba_secrets_t)
@@ -766,9 +791,9 @@
files_config_file(samba_share_t)
type samba_var_t;
-diff -urN nsarefpolicy/policy/modules/system/fstools.te serefpolicy/policy/modules/system/fstools.te
---- nsarefpolicy/policy/modules/system/fstools.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/fstools.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.23/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/fstools.te 2006-03-07 16:50:14.000000000 -0500
@@ -73,6 +73,7 @@
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
@@ -777,9 +802,9 @@
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
-diff -urN nsarefpolicy/policy/modules/system/init.te serefpolicy/policy/modules/system/init.te
---- nsarefpolicy/policy/modules/system/init.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/init.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.23/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/init.te 2006-03-07 13:42:37.000000000 -0500
@@ -349,6 +349,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -799,9 +824,9 @@
',`
# cjp: require doesnt work in optionals :\
# this also would result in a type transition
-diff -urN nsarefpolicy/policy/modules/system/libraries.fc serefpolicy/policy/modules/system/libraries.fc
---- nsarefpolicy/policy/modules/system/libraries.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/libraries.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.23/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-02-20 14:07:38.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/libraries.fc 2006-03-07 13:42:37.000000000 -0500
@@ -65,6 +65,7 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -818,9 +843,9 @@
ifdef(`distro_redhat',`
/usr/lib(64)?/.*/program/.*\.so.* gen_context(system_u:object_r:shlib_t,s0)
-diff -urN nsarefpolicy/policy/modules/system/locallogin.te serefpolicy/policy/modules/system/locallogin.te
---- nsarefpolicy/policy/modules/system/locallogin.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/locallogin.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.23/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/locallogin.te 2006-03-07 13:42:37.000000000 -0500
@@ -20,6 +20,7 @@
type local_login_tmp_t;
@@ -829,9 +854,9 @@
type sulogin_t;
type sulogin_exec_t;
-diff -urN nsarefpolicy/policy/modules/system/lvm.fc serefpolicy/policy/modules/system/lvm.fc
---- nsarefpolicy/policy/modules/system/lvm.fc 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/lvm.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.2.23/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc 2005-11-14 18:24:06.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/lvm.fc 2006-03-07 13:42:37.000000000 -0500
@@ -25,6 +25,7 @@
# /sbin
#
@@ -840,9 +865,9 @@
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
-diff -urN nsarefpolicy/policy/modules/system/lvm.te serefpolicy/policy/modules/system/lvm.te
---- nsarefpolicy/policy/modules/system/lvm.te 2006-03-04 00:06:49.000000000 -0500
-+++ serefpolicy/policy/modules/system/lvm.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.23/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/lvm.te 2006-03-08 10:58:24.000000000 -0500
@@ -129,6 +129,8 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
@@ -860,9 +885,9 @@
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-diff -urN nsarefpolicy/policy/modules/system/selinuxutil.fc serefpolicy/policy/modules/system/selinuxutil.fc
---- nsarefpolicy/policy/modules/system/selinuxutil.fc 2006-03-04 00:06:49.000000000 -0500
-+++ serefpolicy/policy/modules/system/selinuxutil.fc 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.23/policy/modules/system/selinuxutil.fc
+--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-02-23 09:25:09.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/selinuxutil.fc 2006-03-07 13:42:37.000000000 -0500
@@ -8,9 +8,9 @@
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
@@ -876,9 +901,9 @@
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
#
-diff -urN nsarefpolicy/policy/modules/system/selinuxutil.te serefpolicy/policy/modules/system/selinuxutil.te
---- nsarefpolicy/policy/modules/system/selinuxutil.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/selinuxutil.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.23/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/selinuxutil.te 2006-03-07 13:42:37.000000000 -0500
@@ -192,6 +192,9 @@
selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t)
@@ -897,9 +922,9 @@
term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t)
term_relabel_all_user_ttys(newrole_t)
-diff -urN nsarefpolicy/policy/modules/system/sysnetwork.te serefpolicy/policy/modules/system/sysnetwork.te
---- nsarefpolicy/policy/modules/system/sysnetwork.te 2006-03-04 00:06:49.000000000 -0500
-+++ serefpolicy/policy/modules/system/sysnetwork.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.23/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/sysnetwork.te 2006-03-07 15:47:26.000000000 -0500
@@ -322,6 +322,9 @@
udev_dontaudit_rw_dgram_sockets(ifconfig_t)
')
@@ -910,9 +935,9 @@
ifdef(`targeted_policy',`
term_use_generic_ptys(ifconfig_t)
-diff -urN nsarefpolicy/policy/modules/system/udev.te serefpolicy/policy/modules/system/udev.te
---- nsarefpolicy/policy/modules/system/udev.te 2006-03-04 00:06:49.000000000 -0500
-+++ serefpolicy/policy/modules/system/udev.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.2.23/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te 2006-03-04 00:06:37.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/udev.te 2006-03-07 13:42:37.000000000 -0500
@@ -39,7 +39,7 @@
# Local policy
#
@@ -922,9 +947,9 @@
dontaudit udev_t self:capability sys_tty_config;
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
-diff -urN nsarefpolicy/policy/modules/system/unconfined.te serefpolicy/policy/modules/system/unconfined.te
---- nsarefpolicy/policy/modules/system/unconfined.te 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/policy/modules/system/unconfined.te 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.23/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-02-20 14:07:38.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/unconfined.te 2006-03-08 12:35:43.000000000 -0500
@@ -89,10 +89,6 @@
firstboot_domtrans(unconfined_t)
')
@@ -947,10 +972,10 @@
optional_policy(`netutils',`
netutils_domtrans_ping(unconfined_t)
')
-diff -urN nsarefpolicy/policy/modules/system/xend.fc serefpolicy/policy/modules/system/xend.fc
---- nsarefpolicy/policy/modules/system/xend.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy/policy/modules/system/xend.fc 2006-03-09 00:05:09.000000000 -0500
-@@ -0,0 +1,23 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xend.fc serefpolicy-2.2.23/policy/modules/system/xend.fc
+--- nsaserefpolicy/policy/modules/system/xend.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/xend.fc 2006-03-09 10:11:00.000000000 -0500
+@@ -0,0 +1,22 @@
+# xend executable will have:
+# label: system_u:object_r:xend_exec_t
+# MLS sensitivity: s0
@@ -958,9 +983,6 @@
+/usr/sbin/xend -- system_u:object_r:xend_exec_t:s0
+/usr/sbin/xenconsoled -- system_u:object_r:xenconsoled_exec_t:s0
+/usr/sbin/xenstored -- system_u:object_r:xenstored_exec_t:s0
-+/usr/bin/pygrub -- system_u:object_r:xend_exec_t:s0
-+/usr/sbin/xenguest-install.py -- system_u:object_r:xend_exec_t:s0
-+/usr/lib/xen/bin/.* -- system_u:object_r:bin_t:s0
+
+/var/log/xend\.log -- system_u:object_r:xend_var_log_t:s0
+/var/log/xend-debug\.log -- system_u:object_r:xend_var_log_t:s0
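Review bot: The xend.fc entries on the new side write the MLS level literally (`/usr/sbin/xend -- system_u:object_r:xend_exec_t:s0`) while every other file-context file in this patch goes through the macro, e.g. `/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)` in lvm.fc; the literal form only yields a valid context on an MLS/MCS-enabled build, so a policy built without a level field would presumably fail to load these entries. The `/dev/xen/evtchn` and `/usr/lib/xen/bin(/.*)?` lines added in the next hunk have the same form. The entries for `/usr/bin/pygrub` and `/usr/sbin/xenguest-install.py` are dropped without replacement, so those files fall back to whatever the generic /usr/bin and /usr/sbin rules outside this patch assign them; if that is intended, a one-line mention in the changelog would save the next reader from guessing.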
@@ -973,34 +995,12 @@
+/var/run/xenconsoled\.pid -- system_u:object_r:xenconsoled_var_run_t:s0
+/etc/xen/scripts(/.*)? system_u:object_r:bin_t:s0
+/dev/evtchn -c system_u:object_r:xend_device_t:s0
-+/dev/xen/evtchn -c system_u:object_r:xend_device_t:s0
-diff -urN nsarefpolicy/policy/modules/system/xend.fc~ serefpolicy/policy/modules/system/xend.fc~
---- nsarefpolicy/policy/modules/system/xend.fc~ 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy/policy/modules/system/xend.fc~ 2006-03-08 19:13:09.000000000 -0500
-@@ -0,0 +1,20 @@
-+# xend executable will have:
-+# label: system_u:object_r:xend_exec_t
-+# MLS sensitivity: s0
-+# MCS categories: <none>
-+/usr/sbin/xend -- system_u:object_r:xend_exec_t:s0
-+/usr/sbin/xenconsoled -- system_u:object_r:xenconsoled_exec_t:s0
-+/usr/sbin/xenstored -- system_u:object_r:xenstored_exec_t:s0
++/dev/xen/evtchn -c system_u:object_r:xend_device_t:s0
++/usr/lib/xen/bin(/.*)? system_u:object_r:bin_t:s0
+
-+/var/log/xend\.log -- system_u:object_r:xend_var_log_t:s0
-+/var/log/xend-debug\.log -- system_u:object_r:xend_var_log_t:s0
-+/var/lib/xen(/.*)? system_u:object_r:xend_var_lib_t:s0
-+/var/lib/xend(/.*)? system_u:object_r:xend_var_lib_t:s0
-+/var/lib/xenstored(/.*)? system_u:object_r:xenstored_var_lib_t:s0
-+/var/run/xenstored(/.*)? system_u:object_r:xenstored_var_run_t:s0
-+/var/run/xend\.pid -- system_u:object_r:xend_var_run_t:s0
-+/var/run/xenstore\.pid -- system_u:object_r:xenstored_var_run_t:s0
-+/var/run/xenconsoled\.pid -- system_u:object_r:xenconsoled_var_run_t:s0
-+/etc/xen/scripts(/.*)? system_u:object_r:bin_t:s0
-+/dev/evtchn -c system_u:object_r:xend_device_t:s0
-+/dev/xen/evtchn -c system_u:object_r:xend_device_t:s0
-diff -urN nsarefpolicy/policy/modules/system/xend.if serefpolicy/policy/modules/system/xend.if
---- nsarefpolicy/policy/modules/system/xend.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy/policy/modules/system/xend.if 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xend.if serefpolicy-2.2.23/policy/modules/system/xend.if
+--- nsaserefpolicy/policy/modules/system/xend.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/xend.if 2006-03-07 15:47:54.000000000 -0500
@@ -0,0 +1,71 @@
+## <summary>policy for xen</summary>
+
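Review bot: The new `/usr/lib/xen/bin(/.*)? system_u:object_r:bin_t:s0` line is appended after the /dev entries rather than alongside the other /usr paths at the top of the file, and unlike the `/usr/lib/xen/bin/.* --` rule it replaces it carries no file-type qualifier, so the directory itself and any non-regular files beneath it are labelled bin_t as well. That matches the `/etc/xen/scripts(/.*)?` entry just above and is presumably intended, but moving the line up with the `/usr/sbin/*` entries keeps the file grouped by path the way the other .fc files in this patch are.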
@@ -1073,10 +1073,10 @@
+ allow $1 xenstored_t:unix_stream_socket connectto;
+')
+
-diff -urN nsarefpolicy/policy/modules/system/xend.te serefpolicy/policy/modules/system/xend.te
---- nsarefpolicy/policy/modules/system/xend.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy/policy/modules/system/xend.te 2006-03-08 22:56:22.000000000 -0500
-@@ -0,0 +1,207 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xend.te serefpolicy-2.2.23/policy/modules/system/xend.te
+--- nsaserefpolicy/policy/modules/system/xend.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.23/policy/modules/system/xend.te 2006-03-09 10:13:43.000000000 -0500
+@@ -0,0 +1,206 @@
+policy_module(xend,1.0.0)
+
+########################################
@@ -1176,7 +1176,6 @@
+corenet_non_ipsec_sendrecv(xend_t)
+corenet_tcp_bind_xen_port(xend_t)
+corenet_tcp_bind_soundd_port(xend_t)
-+corenet_rw_tun_tap_dev(xend_t)
+allow xend_t self:tcp_socket create_stream_socket_perms;
+allow xend_t self:packet_socket create_socket_perms;
+allow xend_t self:unix_dgram_socket create_socket_perms;
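Review bot: `allow xend_t self:packet_socket create_socket_perms;` grants the management daemon a link-layer socket, which is unusual for this kind of service and, as far as I recall, also needs the net_raw capability; the capability rule for xend_t is outside this hunk, so if it lacks net_raw the rule is either unused or will still produce denials. A short comment naming the xend operation that needs the packet socket, and confirming that `corenet_tcp_bind_soundd_port(xend_t)` is the intended port label for the xend listener rather than a leftover, would make a least-privilege review of this domain much easier. The xend_t local policy continues on both sides of this hunk.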
@@ -1228,7 +1227,7 @@
+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:fifo_file { read write };
-+allow xenconsoled_t xend_device_t:chr_file { read write ioctl };
++allow xenconsoled_t xend_device_t:chr_file rw_file_perms;
+allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+term_create_pty(xenconsoled_t,xen_devpts_t);
+
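Review bot: `allow xenconsoled_t xend_device_t:chr_file rw_file_perms;` widens the explicit `{ read write ioctl }` it replaces — refpolicy's rw_file_perms set also carries getattr, append and lock, to be checked against this version's obj_perm_sets.spt — so a comment naming the denial that motivated the change would keep the rule from reading as an accidental broadening. Separately, `term_create_pty(xenconsoled_t,xen_devpts_t);` ends with a `;` while the other interface calls in this file (for example `dev_filetrans(xenstored_t, xend_device_t, chr_file)`) do not; the stray semicolon survives m4 expansion and may be rejected by checkpolicy, so dropping it is the safer form. The xenconsoled_t block continues beyond the hunk.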
@@ -1284,211 +1283,9 @@
+dev_create_generic_dirs(xenstored_t)
+dev_filetrans(xenstored_t, xend_device_t, chr_file)
+allow xenstored_t xend_device_t:chr_file create_file_perms;
-diff -urN nsarefpolicy/policy/modules/system/xend.te~ serefpolicy/policy/modules/system/xend.te~
---- nsarefpolicy/policy/modules/system/xend.te~ 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy/policy/modules/system/xend.te~ 2006-03-08 19:11:33.000000000 -0500
-@@ -0,0 +1,198 @@
-+policy_module(xend,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type xend_t;
-+type xend_exec_t;
-+domain_type(xend_t)
-+init_daemon_domain(xend_t, xend_exec_t)
-+
-+# pid files
-+type xend_var_run_t;
-+files_pid_file(xend_var_run_t)
-+
-+# log files
-+type xend_var_log_t;
-+logging_log_file(xend_var_log_t)
-+
-+# var/lib files
-+type xend_var_lib_t;
-+files_type(xend_var_lib_t)
-+
-+# var/lib files
-+type xend_device_t;
-+dev_node(xend_device_t)
-+
-+type xenstored_t;
-+type xenstored_exec_t;
-+domain_type(xenstored_t)
-+domain_entry_file(xenstored_t,xenstored_exec_t)
-+
-+# pid files
-+type xenstored_var_run_t;
-+files_pid_file(xenstored_var_run_t)
-+
-+# var/lib files
-+type xenstored_var_lib_t;
-+files_type(xenstored_var_lib_t)
-+
-+type xenconsoled_t;
-+type xenconsoled_exec_t;
-+domain_type(xenconsoled_t)
-+domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
-+
-+# pid files
-+type xenconsoled_var_run_t;
-+files_pid_file(xenconsoled_var_run_t)
-+
-+########################################
-+#
-+# xend local policy
-+#
-+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
-+
-+# Some common macros (you might be able to remove some)
-+files_read_etc_files(xend_t)
-+libs_use_ld_so(xend_t)
-+libs_use_shared_libs(xend_t)
-+miscfiles_read_localization(xend_t)
-+## internal communication is often done using fifo and unix sockets.
-+allow xend_t self:fifo_file rw_file_perms;
-+allow xend_t self:unix_stream_socket create_stream_socket_perms;
-+allow xend_t self:process signal;
-+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
-+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+# pid file
-+allow xend_t xend_var_run_t:file manage_file_perms;
-+allow xend_t xend_var_run_t:sock_file manage_file_perms;
-+allow xend_t xend_var_run_t:dir rw_dir_perms;
-+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
-+
-+# log files
-+allow xend_t xend_var_log_t:file create_file_perms;
-+allow xend_t xend_var_log_t:sock_file create_file_perms;
-+allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
-+
-+# var/lib files for xend
-+allow xend_t xend_var_lib_t:file create_file_perms;
-+allow xend_t xend_var_lib_t:sock_file create_file_perms;
-+allow xend_t xend_var_lib_t:dir create_dir_perms;
-+files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
-+
-+## Networking basics (adjust to your needs!)
-+sysnet_dns_name_resolve(xend_t)
-+corenet_tcp_sendrecv_all_if(xend_t)
-+corenet_tcp_sendrecv_all_nodes(xend_t)
-+corenet_tcp_sendrecv_all_ports(xend_t)
-+corenet_non_ipsec_sendrecv(xend_t)
-+corenet_tcp_bind_xen_port(xend_t)
-+corenet_tcp_bind_soundd_port(xend_t)
-+allow xend_t self:tcp_socket create_stream_socket_perms;
-+allow xend_t self:packet_socket create_socket_perms;
-+allow xend_t self:unix_dgram_socket create_socket_perms;
-+
-+corecmd_exec_sbin(xend_t)
-+corecmd_exec_bin(xend_t)
-+corecmd_exec_shell(xend_t)
-+
-+consoletype_exec(xend_t)
-+
-+dev_read_urand(xend_t)
-+dev_filetrans(xend_t, xend_device_t, chr_file)
-+dev_rw_sysfs(xend_t)
-+
-+domain_read_all_domains_state(xend_t)
-+domain_dontaudit_read_all_domains_state(xend_t)
-+
-+init_dontaudit_use_fds(xend_t)
-+
-+kernel_read_kernel_sysctls(xend_t)
-+kernel_read_system_state(xend_t)
-+kernel_write_xen_state(xend_t)
-+kernel_read_xen_state(xend_t)
-+kernel_rw_net_sysctls(xend_t)
-+kernel_read_network_state(xend_t)
-+
-+logging_send_syslog_msg(xend_t)
-+
-+sysnet_domtrans_dhcpc(xend_t)
-+sysnet_signal_dhcpc(xend_t)
-+
-+sysnet_domtrans_ifconfig(xend_t)
-+
-+term_dontaudit_getattr_all_user_ptys(xend_t)
-+term_dontaudit_use_generic_ptys(xend_t)
-+
-+xend_store_stream_connect(xend_t)
-+
-+################################ xenconsoled_t ##########################################
-+domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
-+role system_r types xenconsoled_t;
-+allow xenconsoled_t xend_t:fd use;
-+
-+# Some common macros (you might be able to remove some)
-+libs_use_ld_so(xenconsoled_t)
-+libs_use_shared_libs(xenconsoled_t)
-+miscfiles_read_localization(xenconsoled_t)
-+files_search_etc(xenconsoled_t)
-+allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-+allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
-+allow xenconsoled_t self:fifo_file { read write };
-+
-+kernel_read_kernel_sysctls(xenconsoled_t)
-+kernel_write_xen_state(xenconsoled_t)
-+kernel_read_xen_state(xenconsoled_t)
-+
-+xend_append_log(xenconsoled_t)
-+xend_store_stream_connect(xenconsoled_t)
-+
-+# pid file
-+allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
-+allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
-+allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
-+files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
-+
-+term_dontaudit_use_generic_ptys(xenconsoled_t)
-+
-+################################ xenstored_t ##########################################
-+domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
-+role system_r types xenstored_t;
-+allow xenstored_t xend_t:fd use;
-+
-+# Some common macros (you might be able to remove some)
-+libs_use_ld_so(xenstored_t)
-+libs_use_shared_libs(xenstored_t)
-+miscfiles_read_localization(xenstored_t)
-+files_search_etc(xenstored_t)
-+allow xenstored_t self:capability { dac_override mknod };
-+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
-+allow xenstored_t xend_t:process sigchld;
-+
-+# pid file
-+allow xenstored_t xenstored_var_run_t:file manage_file_perms;
-+allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
-+allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
-+files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
-+
-+# var/lib files for xenstored
-+allow xenstored_t xenstored_var_lib_t:file create_file_perms;
-+allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
-+allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
-+files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
-+
-+kernel_write_xen_state(xenstored_t)
-+kernel_read_xen_state(xenstored_t)
-+
-+term_dontaudit_use_generic_ptys(xenstored_t)
-+
-+xend_append_log(xenstored_t)
-+
-+allow xenstored_t xend_t:fifo_file write;
-+dev_create_generic_dirs(xenstored_t)
-+dev_filetrans(xenstored_t, xend_device_t, chr_file)
-+allow xenstored_t xend_device_t:chr_file create_file_perms;
-diff -urN nsarefpolicy/Rules.modular serefpolicy/Rules.modular
---- nsarefpolicy/Rules.modular 2006-03-04 00:06:50.000000000 -0500
-+++ serefpolicy/Rules.modular 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.23/Rules.modular
+--- nsaserefpolicy/Rules.modular 2006-02-17 14:46:10.000000000 -0500
++++ serefpolicy-2.2.23/Rules.modular 2006-03-07 13:42:37.000000000 -0500
@@ -204,7 +204,7 @@
#
$(APPDIR)/customizable_types: $(BASE_CONF)
@@ -1498,9 +1295,9 @@
$(verbose) install -m 644 $(TMPDIR)/customizable_types $@
########################################
-diff -urN nsarefpolicy/support/Makefile.devel serefpolicy/support/Makefile.devel
---- nsarefpolicy/support/Makefile.devel 2006-03-04 00:06:49.000000000 -0500
-+++ serefpolicy/support/Makefile.devel 2006-03-08 19:11:33.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.23/support/Makefile.devel
+--- nsaserefpolicy/support/Makefile.devel 2006-02-22 14:09:04.000000000 -0500
++++ serefpolicy-2.2.23/support/Makefile.devel 2006-03-07 13:42:37.000000000 -0500
@@ -6,10 +6,7 @@
SED ?= sed
EINFO ?= echo
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.145
retrieving revision 1.146
diff -u -r1.145 -r1.146
--- selinux-policy.spec 9 Mar 2006 05:09:46 -0000 1.145
+++ selinux-policy.spec 9 Mar 2006 15:34:49 -0000 1.146
@@ -10,7 +10,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.2.23
-Release: 11
+Release: 12
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -299,6 +299,11 @@
%fileList strict
%changelog
+* Thu Mar 9 2006 Dan Walsh <dwalsh at redhat.com> 2.2.23-12
+- Fixes for Xen
+- enableaudit should not be the same as base.pp
+- Allow ps to work for all process
+
* Thu Mar 9 2006 Jeremy Katz <katzj at redhat.com> - 2.2.23-11
- more xen policy fixups