rpms/selinux-policy/devel .cvsignore, 1.61, 1.62 Makefile.devel, 1.5, 1.6 modules-targeted.conf, 1.22, 1.23 policy-20060411.patch, 1.14, 1.15 selinux-policy.spec, 1.183, 1.184 sources, 1.65, 1.66

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu May 4 17:39:19 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9496

Modified Files:
	.cvsignore Makefile.devel modules-targeted.conf 
	policy-20060411.patch selinux-policy.spec sources 
Log Message:
* Wed May 3 2006 Dan Walsh <dwalsh at redhat.com> 2.2.37-1
- Update to upstream



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- .cvsignore	1 May 2006 18:41:55 -0000	1.61
+++ .cvsignore	4 May 2006 17:39:16 -0000	1.62
@@ -62,3 +62,4 @@
 selinux-policy-2.2.35-1.src.rpm
 serefpolicy-2.2.35.tgz
 serefpolicy-2.2.36.tgz
+serefpolicy-2.2.37.tgz


Index: Makefile.devel
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/Makefile.devel,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- Makefile.devel	23 Feb 2006 18:56:16 -0000	1.5
+++ Makefile.devel	4 May 2006 17:39:16 -0000	1.6
@@ -5,6 +5,10 @@
 NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
 
 MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+	MLSENABLED := 1
+endif
+
 ifeq ($(MLSENABLED),1)
 MCSFLAG=-mcs
 endif
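Review bot: The new `ifeq ($(MLSENABLED),)` fallback silently assumes MLS is enabled whenever `cat /selinux/mls` returns nothing. A build on a host with SELinux disabled or without /selinux mounted (a chroot or build root, for example) therefore gets `MCSFLAG=-mcs` without the builder being told that the value was guessed. Make the guess visible with `$(warning /selinux/mls not readable, assuming MLSENABLED=1)` inside the block, and keep the failed read quiet with `MLSENABLED := $(shell cat /selinux/mls 2>/dev/null)`. The added assignment also appears to be tab-indented; starting it at column 0 (or indenting with spaces) keeps it from being read as a recipe line if a rule is ever placed above it.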
@@ -13,4 +17,3 @@
 HEADERDIR := $(SHAREDIR)/targeted/include
 include $(HEADERDIR)/Makefile
 
-


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- modules-targeted.conf	29 Apr 2006 04:47:05 -0000	1.22
+++ modules-targeted.conf	4 May 2006 17:39:16 -0000	1.23
@@ -1057,3 +1057,10 @@
 # 
 amavis = base
 
+# Layer: services
+# Module: clamav
+#
+# ClamAV Virus Scanner
+# 
+clamav = module
+

policy-20060411.patch:
 config/appconfig-strict-mls/default_type |    1 
 policy/global_booleans                   |    8 ++
 policy/modules/apps/cdrecord.if          |    2 
 policy/modules/apps/evolution.if         |    2 
 policy/modules/apps/mono.te              |    3 
 policy/modules/apps/mozilla.if           |    2 
 policy/modules/apps/thunderbird.if       |    2 
 policy/modules/kernel/corecommands.fc    |    2 
 policy/modules/kernel/corenetwork.if.in  |   75 +++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in  |    1 
 policy/modules/kernel/corenetwork.te.m4  |    6 +
 policy/modules/kernel/domain.te          |    1 
 policy/modules/kernel/files.if           |   15 ++++
 policy/modules/kernel/filesystem.if      |   38 +++++++++-
 policy/modules/kernel/kernel.if          |    2 
 policy/modules/kernel/kernel.te          |    1 
 policy/modules/services/amavis.te        |    4 +
 policy/modules/services/apache.te        |    9 +-
 policy/modules/services/automount.te     |    1 
 policy/modules/services/clamav.fc        |    2 
 policy/modules/services/clamav.if        |   24 ++++++
 policy/modules/services/clamav.te        |   40 +++++++++++
 policy/modules/services/cups.te          |    1 
 policy/modules/services/cyrus.if         |   22 ++++++
 policy/modules/services/postfix.te       |    8 ++
 policy/modules/services/procmail.te      |    6 +
 policy/modules/services/pyzor.fc         |    8 ++
 policy/modules/services/pyzor.if         |   80 ++++++++++++++++++++++
 policy/modules/services/pyzor.te         |  109 +++++++++++++++++++++++++++++++
 policy/modules/services/rpc.te           |    5 +
 policy/modules/services/spamassassin.te  |   19 ++---
 policy/modules/system/authlogin.te       |    2 
 policy/modules/system/init.te            |    1 
 policy/modules/system/libraries.fc       |    7 +
 policy/modules/system/lvm.te             |    3 
 policy/modules/system/mount.te           |    6 +
 policy/modules/system/selinuxutil.te     |    8 ++
 policy/modules/system/sysnetwork.te      |    1 
 policy/modules/system/unconfined.if      |   40 +++++++++++
 policy/modules/system/userdomain.if      |   23 ++++++
 policy/modules/system/userdomain.te      |   23 +++++-
 policy/modules/system/xen.fc             |    1 
 policy/modules/system/xen.if             |   72 +++++++++++++++++++-
 policy/modules/system/xen.te             |   52 ++++++++++++++
 policy/rolemap                           |    1 
 policy/users                             |    6 -
 46 files changed, 705 insertions(+), 40 deletions(-)

Index: policy-20060411.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060411.patch,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- policy-20060411.patch	1 May 2006 21:24:26 -0000	1.14
+++ policy-20060411.patch	4 May 2006 17:39:16 -0000	1.15
@@ -1,14 +1,29 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.36/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.37/config/appconfig-strict-mls/default_type
 --- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.36/config/appconfig-strict-mls/default_type	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/config/appconfig-strict-mls/default_type	2006-05-03 11:41:20.000000000 -0400
 @@ -2,3 +2,4 @@
  secadm_r:secadm_t
  staff_r:staff_t
  user_r:user_t
 +auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.if serefpolicy-2.2.36/policy/modules/apps/cdrecord.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.37/policy/global_booleans
+--- nsaserefpolicy/policy/global_booleans	2006-02-10 17:05:17.000000000 -0500
++++ serefpolicy-2.2.37/policy/global_booleans	2006-05-03 13:22:38.000000000 -0400
+@@ -28,3 +28,11 @@
+ ## </p>
+ ## </desc>
+ gen_bool(secure_mode_policyload,false)
++
++## <desc>
++## <p>
++## Allow mount to mount any file
++## </p>
++## </desc>
++gen_bool(allow_mount_anyfile,false)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.if serefpolicy-2.2.37/policy/modules/apps/cdrecord.if
 --- nsaserefpolicy/policy/modules/apps/cdrecord.if	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/apps/cdrecord.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/apps/cdrecord.if	2006-05-03 11:41:20.000000000 -0400
 @@ -152,7 +152,7 @@
  		files_dontaudit_list_tmp($1_cdrecord_t)
  		files_dontaudit_list_home($1_cdrecord_t)
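Review bot: The description added for `allow_mount_anyfile` says only "Allow mount to mount any file", which does not tell an administrator what access is widened when the boolean is switched on. The rules it guards are not visible in this hunk, so the exact wording has to follow the mount.te change; if it lets mount use any file or directory as a mount point, say so, e.g. `## Allow the mount command to mount on any file or directory.`. Because the boolean relaxes confinement of a privileged domain, the description should also name that domain (presumably mount_t) so the effect can be audited from the boolean list alone.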
@@ -18,9 +33,9 @@
  		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
  		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
  		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.2.36/policy/modules/apps/evolution.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.2.37/policy/modules/apps/evolution.if
 --- nsaserefpolicy/policy/modules/apps/evolution.if	2006-04-20 08:17:35.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/apps/evolution.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/apps/evolution.if	2006-05-03 11:41:20.000000000 -0400
 @@ -303,7 +303,7 @@
  		files_dontaudit_list_tmp($1_evolution_t)
  		files_dontaudit_list_home($1_evolution_t)
@@ -30,9 +45,9 @@
  		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
  		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
  		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.36/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.37/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/apps/mono.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/apps/mono.te	2006-05-03 11:41:20.000000000 -0400
 @@ -20,8 +20,9 @@
  ifdef(`targeted_policy',`
  	allow mono_t self:process { execheap execmem };
@@ -44,9 +59,9 @@
  	init_dbus_chat_script(mono_t)
  
  	optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.2.36/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.2.37/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2006-03-24 11:15:44.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/apps/mozilla.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/apps/mozilla.if	2006-05-03 11:41:20.000000000 -0400
 @@ -249,7 +249,7 @@
  		files_dontaudit_list_tmp($1_mozilla_t)
  		files_dontaudit_list_home($1_mozilla_t)
@@ -56,9 +71,9 @@
  		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
  		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
  		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.2.36/policy/modules/apps/thunderbird.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.2.37/policy/modules/apps/thunderbird.if
 --- nsaserefpolicy/policy/modules/apps/thunderbird.if	2006-03-24 11:15:44.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/apps/thunderbird.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/apps/thunderbird.if	2006-05-03 11:41:20.000000000 -0400
 @@ -216,7 +216,7 @@
  		files_dontaudit_list_home($1_thunderbird_t)
  
@@ -68,9 +83,21 @@
  
  		userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
  		userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.2.36/policy/modules/kernel/corenetwork.if.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.37/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-27 10:31:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/corecommands.fc	2006-05-03 11:41:20.000000000 -0400
+@@ -76,7 +76,7 @@
+ #
+ 
+ /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
+-
++/lib/udev/scsi_id		--	gen_context(system_u:object_r:sbin_t,s0)
+ ifdef(`distro_gentoo',`
+ /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.2.37/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2006-04-27 10:31:32.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.if.in	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/corenetwork.if.in	2006-05-03 11:41:20.000000000 -0400
 @@ -1259,3 +1259,78 @@
  
  	typeattribute $1 corenet_unconfined_type;
@@ -150,9 +177,9 @@
 +
 +	dontaudit $1 rpc_port_type:udp_socket name_bind;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.37/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.in	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/corenetwork.te.in	2006-05-03 11:41:20.000000000 -0400
 @@ -10,6 +10,7 @@
  attribute node_type;
  attribute port_type;
@@ -161,9 +188,9 @@
  
  attribute corenet_unconfined_type;
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.m4
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.2.37/policy/modules/kernel/corenetwork.te.m4
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4	2006-01-16 13:55:42.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.m4	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/corenetwork.te.m4	2006-05-03 11:41:20.000000000 -0400
 @@ -46,7 +46,11 @@
  ') dnl end determine reserved capability depend
  
@@ -177,9 +204,9 @@
  portcon $2 $3 gen_context(system_u:object_r:$1,$4)
  ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.36/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.37/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/kernel/domain.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/domain.te	2006-05-03 11:41:20.000000000 -0400
 @@ -96,6 +96,7 @@
  	# workaround until role dominance is fixed in
  	# the module compiler
@@ -188,10 +215,10 @@
  	role sysadm_r types domain;
  	role user_r types domain;
  	role staff_r types domain;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.36/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-28 22:50:56.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/kernel/files.if	2006-05-01 14:42:32.000000000 -0400
-@@ -1699,6 +1699,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.37/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-03 11:38:52.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/files.if	2006-05-03 11:41:20.000000000 -0400
+@@ -1712,6 +1712,21 @@
  ')
  
  ########################################
@@ -213,9 +240,9 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.36/policy/modules/kernel/filesystem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.37/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-04-28 22:50:56.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/kernel/filesystem.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/filesystem.if	2006-05-03 11:41:20.000000000 -0400
 @@ -609,7 +609,7 @@
  		attribute noxattrfs;
  	')
@@ -286,9 +313,21 @@
 +	seutil_relabelto_bin_policy($1)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.36/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.37/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-05-01 14:39:05.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/kernel.if	2006-05-03 14:58:19.000000000 -0400
+@@ -1413,7 +1413,7 @@
+ 		type proc_t, sysctl_t, sysctl_kernel_t;
+ 	')
+ 
+-	allow $1 proc_t:dir search;
++	allow $1 proc_t:dir search_dir_perms;
+ 	allow $1 sysctl_t:dir r_dir_perms;
+ 	allow $1 sysctl_kernel_t:dir r_dir_perms;
+ 	allow $1 sysctl_kernel_t:file r_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.37/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-05-01 14:39:06.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/kernel/kernel.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/kernel/kernel.te	2006-05-03 11:41:20.000000000 -0400
 @@ -28,6 +28,7 @@
  
  ifdef(`enable_mls',`
@@ -297,9 +336,9 @@
  ')
  
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.36/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.37/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/services/amavis.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/amavis.te	2006-05-03 11:41:20.000000000 -0400
 @@ -146,3 +146,7 @@
  	spamassassin_exec(amavis_t)
  	spamassassin_exec_client(amavis_t)
@@ -308,9 +347,35 @@
 +optional_policy(`
 +	pyzor_domtrans(amavis_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.36/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.37/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2006-05-03 11:38:52.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/apache.te	2006-05-03 14:45:08.000000000 -0400
+@@ -454,11 +454,6 @@
+ 	yam_read_content(httpd_t)
+ ')
+ 
+-ifdef(`TODO',`
+-can_tcp_connect(web_client_domain, httpd_t)
+-
+-') dnl end TODO
+-
+ ########################################
+ #
+ # Apache helper local policy
+@@ -712,6 +707,10 @@
+ 	mysql_rw_db_sockets(httpd_sys_script_t)
+ ')
+ 
++optional_policy(`
++	clamscan_domtrans(httpd_sys_script_t)
++')
++
+ ########################################
+ #
+ # Apache unconfined script local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.37/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/services/automount.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/automount.te	2006-05-03 11:41:20.000000000 -0400
 @@ -86,6 +86,7 @@
  # Automount execs showmount when you browse /net.  This is required until
  # Someone writes a showmount policy
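Review bot: The `optional_policy` block added after `mysql_rw_db_sockets(httpd_sys_script_t)` lets every system CGI script transition into clamscan_t unconditionally. The clamav.te section of this same patch grants that domain `setgid setuid dac_override`, so the web script domain gains a path into a more capable one. If only some deployments need CGI-driven scanning, put the transition behind a tunable that defaults to off instead of granting it to all installs. The hunk also gives no reason for the access; a comment such as `# CGI scripts may run clamscan on submitted content` (if that is the intent) would record it for later review.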
@@ -319,9 +384,106 @@
  
  dev_read_sysfs(automount_t)
  # for SSP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.36/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.37/policy/modules/services/clamav.fc
+--- nsaserefpolicy/policy/modules/services/clamav.fc	2006-03-07 16:19:28.000000000 -0500
++++ serefpolicy-2.2.37/policy/modules/services/clamav.fc	2006-05-03 14:34:13.000000000 -0400
+@@ -1,6 +1,8 @@
+ /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
+ 
+ /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
++/usr/bin/clamscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
++/usr/bin/clamdscan		--	gen_context(system_u:object_r:clamscan_exec_t,s0)
+ 
+ /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.37/policy/modules/services/clamav.if
+--- nsaserefpolicy/policy/modules/services/clamav.if	2006-03-07 16:19:28.000000000 -0500
++++ serefpolicy-2.2.37/policy/modules/services/clamav.if	2006-05-03 14:42:32.000000000 -0400
+@@ -61,3 +61,27 @@
+ 	files_search_etc($1)
+ 	allow $1 clamd_etc_t:file r_file_perms;
+ ')
++
++########################################
++## <summary>
++##	Execute a domain transition to run clamscan.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`clamscan_domtrans',`
++	gen_require(`
++		type clamscan_t, clamscan_exec_t;
++	')
++
++	domain_auto_trans($1,clamscan_exec_t,clamscan_t)
++
++	allow $1 clamscan_t:fd use;
++	allow clamscan_t $1:fd use;
++	allow clamscan_t $1:fifo_file rw_file_perms;
++	allow clamscan_t $1:process sigchld;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.37/policy/modules/services/clamav.te
+--- nsaserefpolicy/policy/modules/services/clamav.te	2006-03-24 11:15:50.000000000 -0500
++++ serefpolicy-2.2.37/policy/modules/services/clamav.te	2006-05-03 14:59:49.000000000 -0400
+@@ -39,6 +39,10 @@
+ type freshclam_exec_t;
+ init_daemon_domain(freshclam_t, freshclam_exec_t)
+ 
++type clamscan_t;
++type clamscan_exec_t;
++init_daemon_domain(clamscan_t, clamscan_exec_t)
++
+ # log files
+ type freshclam_var_log_t;
+ logging_log_file(freshclam_var_log_t)
+@@ -193,3 +197,39 @@
+ cron_use_fds(freshclam_t)
+ cron_use_system_job_fds(freshclam_t)
+ cron_rw_pipes(freshclam_t)
++
++########################################
++#
++# clamscam local policy
++#
++
++allow clamscan_t self:capability { setgid setuid dac_override };
++allow clamscan_t self:fifo_file rw_file_perms;
++allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
++allow clamscan_t self:unix_dgram_socket create_socket_perms;
++allow clamscan_t self:tcp_socket { listen accept };
++
++# configuration files
++allow clamscan_t clamd_etc_t:dir r_dir_perms;
++allow clamscan_t clamd_etc_t:file r_file_perms;
++allow clamscan_t clamd_etc_t:lnk_file { getattr read };
++
++# var/lib files together with clamd
++allow clamscan_t clamd_var_lib_t:file r_file_perms;
++allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
++allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
++
++files_search_var_lib(clamscan_t)
++
++files_read_etc_files(clamscan_t)
++files_read_etc_runtime_files(clamscan_t)
++
++kernel_read_kernel_sysctls(clamscan_t)
++
++libs_use_ld_so(clamscan_t)
++libs_use_shared_libs(clamscan_t)
++
++miscfiles_read_localization(clamscan_t)
++
++clamav_stream_connect(clamscan_t)
++miscfiles_read_public_files(clamscan_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.37/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/services/cups.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/cups.te	2006-05-03 11:41:20.000000000 -0400
 @@ -79,6 +79,7 @@
  allow cupsd_t self:process { setsched signal_perms };
  allow cupsd_t self:fifo_file rw_file_perms;
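Review bot: The new clamscan_t local policy grants `allow clamscan_t self:capability { setgid setuid dac_override };` with no comment saying which scanner operation needs each capability. `dac_override` in particular lets a root-run clamscan bypass file permission bits, and the domain is entered from other confined domains through `clamscan_domtrans`, so it is better to leave it out until a denial shows it is required. `allow clamscan_t self:tcp_socket { listen accept };` has no matching create permission anywhere in this hunk, which suggests the rule is either unused or incomplete. The section header reads `clamscam local policy` (should be `clamscan`), and the interface name `clamscan_domtrans` does not carry the module prefix that `clamav_stream_connect` uses in the same module.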
@@ -330,9 +492,9 @@
  allow cupsd_t self:unix_dgram_socket create_socket_perms;
  allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
  allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-2.2.36/policy/modules/services/cyrus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-2.2.37/policy/modules/services/cyrus.if
 --- nsaserefpolicy/policy/modules/services/cyrus.if	2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/services/cyrus.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/cyrus.if	2006-05-03 11:41:20.000000000 -0400
 @@ -20,3 +20,25 @@
  	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
  	allow $1 cyrus_var_lib_t:file manage_file_perms;
@@ -359,9 +521,9 @@
 +	allow $1 cyrus_var_lib_t:sock_file write;
 +	allow $1 cyrus_t:unix_stream_socket connectto;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.36/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.37/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2006-04-20 08:17:39.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/services/postfix.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/postfix.te	2006-05-03 11:41:20.000000000 -0400
 @@ -181,6 +181,10 @@
  ')
  
@@ -398,9 +560,9 @@
  allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
  allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
  allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.36/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.37/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/services/procmail.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/procmail.te	2006-05-03 11:41:20.000000000 -0400
 @@ -95,16 +95,20 @@
  
  optional_policy(`
@@ -423,20 +585,22 @@
 +optional_policy(`
 +	pyzor_domtrans(procmail_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.36/policy/modules/services/pyzor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.37/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/services/pyzor.fc	2006-05-01 14:42:32.000000000 -0400
-@@ -0,0 +1,6 @@
++++ serefpolicy-2.2.37/policy/modules/services/pyzor.fc	2006-05-03 11:41:20.000000000 -0400
+@@ -0,0 +1,8 @@
 +/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 +/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 +/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
 +/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
 +/var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
++ifdef(`strict_policy',`
 +HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.36/policy/modules/services/pyzor.if
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.37/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/services/pyzor.if	2006-05-01 14:42:32.000000000 -0400
-@@ -0,0 +1,46 @@
++++ serefpolicy-2.2.37/policy/modules/services/pyzor.if	2006-05-03 11:41:20.000000000 -0400
+@@ -0,0 +1,80 @@
 +## <summary>Pyzor mail delivery agent</summary>
 +
 +########################################
@@ -483,9 +647,43 @@
 +	corecmd_search_bin($1)
 +	can_exec($1,pyzor_exec_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.36/policy/modules/services/pyzor.te
++
++#######################################
++## <summary>
++##	The per user domain template for the pyzor module.
++## </summary>
++## <desc>
++##	<p>
++##	This template allows pyzord to manage files in
++##	a user home directory, creating files with the
++##	correct type.
++##	</p>
++##	<p>
++##	This template is invoked automatically for each user, and
++##	generally does not need to be invoked directly
++##	by policy writers.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++#
++template(`pyzor_per_userdomain_template',`
++	type $1_pyzor_home_t;
++	files_type($1_pyzor_home_t)
++
++	userdom_search_user_home_dirs($1,pyzord_t)
++	userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzord_home_t,{ dir file lnk_file })
++	allow pyzord_t $1_pyzor_home_t:dir create_dir_perms;
++	allow pyzord_t $1_pyzor_home_t:file create_file_perms;
++	allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.37/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/services/pyzor.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/pyzor.te	2006-05-03 11:41:20.000000000 -0400
 @@ -0,0 +1,109 @@
 +policy_module(pyzor,1.1.0)
 +
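Review bot: `pyzor_per_userdomain_template` declares `$1_pyzor_home_t`, but its file-transition line names `$1_pyzord_home_t`, a type that nothing in this hunk declares. The template will therefore either fail to build or leave files created in the home directory without the intended label. The line should read `userdom_user_home_dir_filetrans($1,pyzord_t,$1_pyzor_home_t,{ dir file lnk_file })`, matching the three `allow` rules below it and the `ROLE_pyzor_home_t` entry in pyzor.fc. The template also references `pyzord_t` without a `gen_require` block, unlike `clamscan_domtrans` elsewhere in this patch; add one unless the type is guaranteed to be in scope where the template expands.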
@@ -596,9 +794,9 @@
 +optional_policy(`
 +	amavis_manage_lib_files(pyzor_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.36/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.37/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/services/rpc.te	2006-05-01 15:22:55.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/rpc.te	2006-05-03 11:41:20.000000000 -0400
 @@ -52,6 +52,9 @@
  corenet_udp_bind_generic_port(rpcd_t)
  corenet_udp_bind_reserved_port(rpcd_t)
@@ -618,9 +816,9 @@
  seutil_dontaudit_search_config(rpcd_t)
  
  portmap_udp_chat(rpcd_t) 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.36/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.37/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-04-20 08:17:39.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/services/spamassassin.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/services/spamassassin.te	2006-05-03 11:41:20.000000000 -0400
 @@ -128,6 +128,7 @@
  		userdom_manage_generic_user_home_content_files(spamd_t)
  		userdom_manage_generic_user_home_content_symlinks(spamd_t)
@@ -658,9 +856,9 @@
 -')
 -') dnl end TODO
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.36/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.37/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/authlogin.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/authlogin.te	2006-05-03 11:41:20.000000000 -0400
 @@ -188,6 +188,8 @@
  storage_setattr_scsi_generic_dev(pam_console_t)
  
@@ -670,10 +868,10 @@
  term_setattr_console(pam_console_t)
  term_getattr_unallocated_ttys(pam_console_t)
  term_setattr_unallocated_ttys(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.36/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-04-27 10:31:33.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/init.te	2006-05-01 14:42:32.000000000 -0400
-@@ -348,6 +348,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.37/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2006-05-03 11:38:54.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/init.te	2006-05-03 11:41:20.000000000 -0400
+@@ -350,6 +350,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -681,9 +879,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.36/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.37/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-27 10:31:33.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/libraries.fc	2006-05-01 17:18:37.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/libraries.fc	2006-05-03 11:41:20.000000000 -0400
 @@ -75,6 +75,7 @@
  
  /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -717,9 +915,9 @@
  /usr/(local/)?Adobe/.*\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  ') dnl end distro_redhat
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.36/policy/modules/system/lvm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.37/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2006-03-24 11:15:53.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/system/lvm.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/lvm.te	2006-05-03 11:41:20.000000000 -0400
 @@ -205,9 +205,10 @@
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
@@ -732,10 +930,10 @@
  # LVM creates block devices in /dev/mapper or /dev/<vg>
  # depending on its version
  # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.36/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/mount.te	2006-05-01 14:42:32.000000000 -0400
-@@ -126,6 +126,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.37/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te	2006-05-03 11:38:54.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/mount.te	2006-05-03 13:22:12.000000000 -0400
+@@ -127,6 +127,8 @@
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
  	corenet_udp_bind_reserved_port(mount_t)
@@ -744,9 +942,18 @@
  	corenet_tcp_connect_all_ports(mount_t)
  
  	fs_search_rpc(mount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.36/policy/modules/system/selinuxutil.te
+@@ -167,4 +169,8 @@
+ ifdef(`targeted_policy',`
+ 	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
+ 	unconfined_domain(unconfined_mount_t)
++	tunable_policy(`allow_mount_anyfile',`
++		auth_read_all_dirs_except_shadow(mount_t)
++		auth_read_all_files_except_shadow(mount_t)
++	')
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.37/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/selinuxutil.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/selinuxutil.te	2006-05-03 14:06:57.000000000 -0400
 @@ -393,6 +393,8 @@
  userdom_use_all_users_fds(restorecon_t)
  
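Review bot: The `tunable_policy` block for `allow_mount_anyfile` added to mount.te grants `mount_t` read access to every directory and file except shadow, with no comment explaining why. It also sits inside the targeted-only `ifdef` next to the `unconfined_mount_t` rules, so only the targeted policy gets the boolean; the author should confirm that `mount_t`, not `unconfined_mount_t`, is the intended domain. I would add a comment above the block such as `# allow_mount_anyfile: let mount_t read any directory or file except shadow`. The boolean's declaration and default value are not visible in this hunk and should be checked; a grant this broad should default to off.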
@@ -764,7 +971,18 @@
  
  kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
-@@ -627,6 +630,7 @@
+@@ -567,6 +570,10 @@
+ seutil_get_semanage_trans_lock(semanage_t)
+ seutil_get_semanage_read_lock(semanage_t)
+ 
++ifdef(`targeted_policy',`
++	userdom_read_generic_user_home_content_files(semanage_t)
++')
++
+ optional_policy(`
+ 	nscd_socket_use(semanage_t)
+ ')
+@@ -627,6 +634,7 @@
  files_read_etc_files(setfiles_t)
  files_list_all(setfiles_t)
  files_relabel_all_files(setfiles_t)
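Review bot: The new targeted-only block in selinuxutil.te calls `userdom_read_generic_user_home_content_files(semanage_t)` without a comment saying what semanage needs from user home directories. `semanage_t` manages policy, so read access to user-writable content should have a stated reason that can be revisited later. I would put a line such as `# semanage is run on input files kept under a user home directory` above the `ifdef`; that wording is a presumed purpose for the author to confirm.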
@@ -772,9 +990,9 @@
  
  logging_send_syslog_msg(setfiles_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.36/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.37/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-04-27 10:31:34.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/sysnetwork.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/sysnetwork.te	2006-05-03 11:41:20.000000000 -0400
 @@ -286,6 +286,7 @@
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
@@ -783,9 +1001,9 @@
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.36/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.37/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-04-27 10:31:34.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/unconfined.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/unconfined.if	2006-05-03 11:41:20.000000000 -0400
 @@ -381,6 +381,27 @@
  
  ########################################
@@ -837,9 +1055,39 @@
 +	allow $1 unconfined_t:sem rw_sem_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.36/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-04-28 22:50:57.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/userdomain.te	2006-05-01 14:42:32.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.37/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-05-03 11:38:54.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/userdomain.if	2006-05-03 14:05:56.000000000 -0400
+@@ -4794,3 +4794,26 @@
+ 	allow $1 user_home_dir_t:dir create_dir_perms;
+ 	files_home_filetrans($1,user_home_dir_t,dir)
+ ')
++
++########################################
++## <summary>
++##	read files
++##	in generic user home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_read_generic_user_home_content_files',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	files_search_home($1)
++	allow $1 user_home_dir_t:dir search_dir_perms;
++	allow $1 user_home_t:dir r_dir_perms;
++	allow $1 user_home_t:file r_file_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.37/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-03 11:38:54.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/userdomain.te	2006-05-03 11:41:20.000000000 -0400
 @@ -67,6 +67,7 @@
  	# Define some type aliases to help with compatibility with
  	# macros and domains from the "strict" policy.
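Review bot: The `gen_require` block of the new `userdom_read_generic_user_home_content_files` interface in userdomain.if declares only `user_home_t`, but the body also uses `user_home_dir_t` in `allow $1 user_home_dir_t:dir search_dir_perms;`. Every type an interface references belongs in its require block, otherwise a loadable module that calls the interface may fail to build. Change the line to `type user_home_dir_t, user_home_t;`. The summary would also read better as one sentence, `Read files in generic user home directories.`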
@@ -919,17 +1167,17 @@
  		')
  	')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.36/policy/modules/system/xen.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.37/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2006-03-23 16:08:51.000000000 -0500
-+++ serefpolicy-2.2.36/policy/modules/system/xen.fc	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/xen.fc	2006-05-03 11:41:20.000000000 -0400
 @@ -14,3 +14,4 @@
  /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
  /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 +/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.36/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.37/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2006-04-27 10:31:34.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/xen.if	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/xen.if	2006-05-03 11:41:20.000000000 -0400
 @@ -47,13 +47,12 @@
  
  ########################################
@@ -1015,9 +1263,9 @@
 +	allow xm_t:$1:fifo_file rw_file_perms;
 +	allow xm_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.36/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.37/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-04-27 10:31:34.000000000 -0400
-+++ serefpolicy-2.2.36/policy/modules/system/xen.te	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/modules/system/xen.te	2006-05-03 11:41:20.000000000 -0400
 @@ -224,3 +224,55 @@
  miscfiles_read_localization(xenstored_t)
  
@@ -1074,9 +1322,9 @@
 +# Need to relabel files for xen
 +auth_read_all_files_except_shadow(xm_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.36/policy/rolemap
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.37/policy/rolemap
 --- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.36/policy/rolemap	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/rolemap	2006-05-03 11:41:20.000000000 -0400
 @@ -15,5 +15,6 @@
  
  	ifdef(`enable_mls',`
@@ -1084,9 +1332,9 @@
 +		auditadm_t auditadm auditadm_t
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.36/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.37/policy/users
 --- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.36/policy/users	2006-05-01 14:42:32.000000000 -0400
++++ serefpolicy-2.2.37/policy/users	2006-05-03 11:41:20.000000000 -0400
 @@ -29,7 +29,7 @@
  gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.183
retrieving revision 1.184
diff -u -r1.183 -r1.184
--- selinux-policy.spec	1 May 2006 21:24:26 -0000	1.183
+++ selinux-policy.spec	4 May 2006 17:39:16 -0000	1.184
@@ -15,8 +15,8 @@
 %define CHECKPOLICYVER 1.30.1-2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.36
-Release: 2
+Version: 2.2.37
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -267,8 +267,6 @@
 %triggerpostun targeted -- selinux-policy-targeted <= 2.0.7
 %rebuildpolicy targeted
 
-%rebuildpolicy targeted
-
 %files targeted
 %fileList targeted
 
@@ -337,6 +335,9 @@
 %endif
 
 %changelog
+* Wed May 3 2006 Dan Walsh <dwalsh at redhat.com> 2.2.37-1
+- Update to upstream
+
 * Mon May 1 2006 Dan Walsh <dwalsh at redhat.com> 2.2.36-2
 - Fix libjvm spec
 
@@ -367,7 +368,7 @@
 - Add James Antill patch for xen
 - Many fixes for pegasus
 
-* Sat Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 2.2.32-2
+* Sat Apr 15 2006 Dan Walsh <dwalsh at redhat.com> 2.2.32-2
 - Add unconfined_mount_t
 - Allow privoxy to connect to httpd_cache
 - fix cups labeleing on /var/cache/cups
@@ -375,7 +376,7 @@
 * Fri Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 2.2.32-1
 - Update to latest from upstream
 
-* Thu Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 2.2.31-1
+* Fri Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 2.2.31-1
 - Update to latest from upstream
 - Allow mono and unconfined to talk to initrc_t dbus objects
 
@@ -412,14 +413,14 @@
 - Granted xen access to /boot, allowed mounting on xend_var_lib_t, and allowed
   xenstored_t rw access to the xen device node.
 
-* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-4
+* Tue Apr 4 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-4
 - More textrel_shlib_t file path fixes
 - Add ada support
 
-* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
+* Mon Apr 3 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-3
 - Get auditctl working in MLS policy
 
-* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2
+* Mon Apr 3 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2
 - Add mono dbus support
 - Lots of file_context fixes for textrel_shlib_t in FC5
 - Turn off execmem auditallow since they are filling log files


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- sources	1 May 2006 18:41:55 -0000	1.65
+++ sources	4 May 2006 17:39:16 -0000	1.66
@@ -1 +1 @@
-91e6d7b0f112e38801851e5bed4e627c  serefpolicy-2.2.36.tgz
+8ab58718da02004bd2dca6156cf09e8d  serefpolicy-2.2.37.tgz



