rpms/selinux-policy/devel Makefile.devel, 1.6, 1.7 modules-targeted.conf, 1.25, 1.26 policy-20060505.patch, 1.7, 1.8 selinux-policy.spec, 1.192, 1.193
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed May 17 00:48:06 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7065
Modified Files:
Makefile.devel modules-targeted.conf policy-20060505.patch
selinux-policy.spec
Log Message:
* Tue May 16 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1
- Update from upstream
Index: Makefile.devel
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/Makefile.devel,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- Makefile.devel 4 May 2006 17:39:16 -0000 1.6
+++ Makefile.devel 17 May 2006 00:48:04 -0000 1.7
@@ -14,6 +14,6 @@
endif
TYPE ?= $(NAME)${MCSFLAG}
-HEADERDIR := $(SHAREDIR)/targeted/include
+HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile
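Review bot: `include $(HEADERDIR)/Makefile` now resolves to `$(SHAREDIR)/devel/include`, so on a host that still has only the old `targeted/include` layout the build stops with Make's bare "No such file or directory" from the include line instead of a message naming what is missing. A parse-time guard before the include would make that failure self-explanatory, e.g. `ifeq ($(wildcard $(HEADERDIR)/Makefile),)` / `$(error $(HEADERDIR)/Makefile not found; install the policy development headers)` / `endif`. `SHAREDIR` is assigned outside the hunk, so whether it can be overridden from the command line cannot be checked here.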
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- modules-targeted.conf 9 May 2006 21:50:36 -0000 1.25
+++ modules-targeted.conf 17 May 2006 00:48:04 -0000 1.26
@@ -1079,3 +1079,10 @@
#
openvpn = base
+# Layer: apps
+# Module: unconfined_execmem
+#
+# unconfined_execmem executable
+#
+unconfined_execmem = base
+
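Review bot: `unconfined_execmem = base` compiles a domain that is both unconfined and allowed execmem/execstack into the base module, so an administrator who does not want valgrind or OpenOffice (the programs the new .fc in this commit labels) running unconfined cannot remove it with `semodule -r`; unless something in base depends on it, `unconfined_execmem = module` keeps it a loadable module that can be dropped or replaced. The header comment `# unconfined_execmem executable` says little about what is granted; `# Unconfined domain with execmem/execstack, for programs such as valgrind and OpenOffice` would. The hunk also appends a trailing blank line after the entry.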
policy-20060505.patch:
config/appconfig-strict-mls/default_type | 1
policy/global_booleans | 8 ++
policy/global_tunables | 8 ++
policy/modules/admin/consoletype.te | 16 ++++
policy/modules/admin/netutils.te | 3
policy/modules/admin/prelink.te | 3
policy/modules/apps/mono.te | 5 +
policy/modules/apps/unconfined_execmem.fc | 2
policy/modules/apps/unconfined_execmem.if | 29 ++++++++
policy/modules/apps/unconfined_execmem.te | 22 ++++++
policy/modules/kernel/corecommands.fc | 2
policy/modules/kernel/corenetwork.te.in | 5 -
policy/modules/kernel/domain.te | 3
policy/modules/kernel/files.if | 15 ++++
policy/modules/kernel/files.te | 4 +
policy/modules/kernel/kernel.if | 2
policy/modules/kernel/kernel.te | 1
policy/modules/kernel/mls.te | 1
policy/modules/kernel/terminal.if | 2
policy/modules/services/amavis.fc | 1
policy/modules/services/amavis.te | 17 ++++-
policy/modules/services/apache.te | 9 +-
policy/modules/services/bind.te | 3
policy/modules/services/bluetooth.te | 5 +
policy/modules/services/clamav.fc | 2
policy/modules/services/clamav.if | 24 +++++++
policy/modules/services/clamav.te | 45 +++++++++++++
policy/modules/services/cvs.if | 20 ++++++
policy/modules/services/cvs.te | 1
policy/modules/services/dovecot.te | 5 +
policy/modules/services/ftp.te | 1
policy/modules/services/hal.te | 10 ---
policy/modules/services/inn.if | 28 ++++++++
policy/modules/services/nis.te | 1
policy/modules/services/postgresql.te | 1
policy/modules/services/pyzor.fc | 4 +
policy/modules/services/pyzor.if | 34 ++++++++++
policy/modules/services/rpc.te | 10 ++-
policy/modules/services/rsync.te | 1
policy/modules/services/ssh.te | 2
policy/modules/services/xfs.if | 19 +++++
policy/modules/services/xfs.te | 5 +
policy/modules/services/xserver.if | 38 +++++++++++
policy/modules/services/xserver.te | 2
policy/modules/system/hostname.te | 5 +
policy/modules/system/init.if | 19 +++++
policy/modules/system/init.te | 1
policy/modules/system/libraries.fc | 15 +++-
policy/modules/system/logging.if | 97 ++++++++++++++++++++++++++++++
policy/modules/system/logging.te | 8 ++
policy/modules/system/mount.te | 4 +
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.te | 18 +++++
policy/modules/system/setrans.fc | 4 +
policy/modules/system/setrans.if | 24 +++++++
policy/modules/system/setrans.te | 71 +++++++++++++++++++++
policy/modules/system/sysnetwork.te | 7 ++
policy/modules/system/unconfined.if | 21 ++++++
policy/modules/system/unconfined.te | 12 +++
policy/modules/system/userdomain.if | 23 +++++++
policy/modules/system/userdomain.te | 52 ++++++++++++++--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.if | 1
policy/modules/system/xen.te | 14 +++-
policy/rolemap | 1
policy/users | 6 -
66 files changed, 786 insertions(+), 40 deletions(-)
Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060505.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20060505.patch 15 May 2006 20:48:00 -0000 1.7
+++ policy-20060505.patch 17 May 2006 00:48:04 -0000 1.8
@@ -1,14 +1,14 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.39/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.40/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.39/config/appconfig-strict-mls/default_type 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/config/appconfig-strict-mls/default_type 2006-05-16 10:16:11.000000000 -0400
@@ -2,3 +2,4 @@
secadm_r:secadm_t
staff_r:staff_t
user_r:user_t
+auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.39/policy/global_booleans
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.40/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans 2006-02-10 17:05:17.000000000 -0500
-+++ serefpolicy-2.2.39/policy/global_booleans 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/global_booleans 2006-05-16 10:16:11.000000000 -0400
@@ -28,3 +28,11 @@
## </p>
## </desc>
@@ -21,9 +21,9 @@
+## </desc>
+gen_bool(allow_mount_anyfile,false)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.39/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.40/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-04-18 22:49:58.000000000 -0400
-+++ serefpolicy-2.2.39/policy/global_tunables 2006-05-15 13:01:41.000000000 -0400
++++ serefpolicy-2.2.40/policy/global_tunables 2006-05-16 10:16:11.000000000 -0400
@@ -73,6 +73,14 @@
## <desc>
@@ -39,9 +39,39 @@
## Allow java executable stack
## </p>
## </desc>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.39/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.40/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-04-04 18:06:37.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/consoletype.te 2006-05-16 10:16:11.000000000 -0400
+@@ -8,7 +8,12 @@
+
+ type consoletype_t;
+ type consoletype_exec_t;
+-init_domain(consoletype_t,consoletype_exec_t)
++#dont transition from initrc
++#init_domain(consoletype_t,consoletype_exec_t)
++domain_type(consoletype_t)
++domain_entry_file(consoletype_t,consoletype_exec_t)
++role system_r types consoletype_t;
++
+ mls_file_read_up(consoletype_t)
+ mls_file_write_down(consoletype_t)
+ role system_r types consoletype_t;
+@@ -107,3 +112,12 @@
+ optional_policy(`
+ userdom_use_unpriv_users_fds(consoletype_t)
+ ')
++
++optional_policy(`
++ xen_append_log(consoletype_t)
++ xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
++ kernel_read_xen_state(consoletype_t)
++ kernel_write_xen_state(consoletype_t)
++
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.40/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-04-27 10:31:31.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/admin/netutils.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/netutils.te 2006-05-16 10:16:11.000000000 -0400
@@ -187,6 +187,7 @@
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
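Review bot: The new consoletype.te hunk adds `role system_r types consoletype_t;` directly after `domain_entry_file(consoletype_t,consoletype_exec_t)` while the identical statement is already present three lines below in the context, so the added line is redundant and one of the two should go. The replaced `init_domain(consoletype_t,consoletype_exec_t)` is left in as a commented-out line; dead policy lines mislead later readers, so delete it and make the comment carry the reason, e.g. `# Intentionally no init_domain(): consoletype must not transition when run from initrc`. The added xen block grants `kernel_write_xen_state(consoletype_t)` with no comment saying why a console-type probe needs to write xen state, and it has a stray blank line before the closing `')`. The netutils.te hunk at the end of this span continues outside the hunk.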
@@ -59,31 +89,22 @@
libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.39/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.40/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-04-20 08:17:35.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/admin/prelink.te 2006-05-15 11:10:54.000000000 -0400
-@@ -46,6 +46,7 @@
++++ serefpolicy-2.2.40/policy/modules/admin/prelink.te 2006-05-16 16:59:39.000000000 -0400
+@@ -46,6 +46,9 @@
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
+corecmd_read_sbin_symlinks(prelink_t)
++
++domain_obj_id_change_exemption(prelink_t)
dev_read_urand(prelink_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.39/policy/modules/apps/java.fc
---- nsaserefpolicy/policy/modules/apps/java.fc 2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/apps/java.fc 2006-05-15 15:06:08.000000000 -0400
-@@ -10,3 +10,7 @@
- /usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
-+#
-+# Temporarily until we can find a better solution
-+#
-+/usr/lib(64)?/openoffice.org2.0/program/.*\.bin gen_context(system_u:object_r:java_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.39/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.40/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2006-05-03 16:26:07.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/apps/mono.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/apps/mono.te 2006-05-16 10:16:11.000000000 -0400
@@ -22,6 +22,7 @@
unconfined_domain_noaudit(mono_t)
unconfined_dbus_chat(mono_t)
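Review bot: `domain_obj_id_change_exemption(prelink_t)` is added to prelink.te without a comment; as far as I recall this interface exempts the domain from the constraint on changing a file's SELinux user/role identity, which is a broad relabel privilege, so the reason should be recorded next to it, e.g. `# prelink rewrites executables regardless of their SELinux user identity; exempt it from the object identity change constraint` — please confirm the intent. Removing the java.fc OpenOffice workaround here is consistent with the new unconfined_execmem.fc entry added later in the patch.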
@@ -101,9 +122,74 @@
+ unconfined_dbus_connect_bus(mono_t)
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.39/policy/modules/kernel/corecommands.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.fc
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.fc 2006-05-16 17:24:40.000000000 -0400
+@@ -0,0 +1,2 @@
++/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.if serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.if
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.if 2006-05-16 17:10:38.000000000 -0400
+@@ -0,0 +1,29 @@
++## <summary>Unconfined domain with execmem/execstack privs</summary>
++
++########################################
++## <summary>
++## Execute the application that requires dexecmem program in the unconfined_execmem domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_execmem_domtrans',`
++ ifdef(`targeted_policy',`
++ gen_require(`
++ type unconfined_execmem_t, unconfined_execmem_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
++
++ allow $1 unconfined_execmem_t:fd use;
++ allow unconfined_execmem_t $1:fd use;
++ allow unconfined_execmem_t $1:fifo_file rw_file_perms;
++ allow unconfined_execmem_t $1:process sigchld;
++ ',`
++ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
++ ')
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.te serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.te
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.te 2006-05-16 17:05:11.000000000 -0400
+@@ -0,0 +1,22 @@
++
++policy_module(unconfined_execmem,1.1.2)
++
++########################################
++#
++# Declarations
++#
++
++type unconfined_execmem_t;
++type unconfined_execmem_exec_t;
++init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++ allow unconfined_execmem_t self:process { execstack execmem };
++ unconfined_domain_noaudit(unconfined_execmem_t)
++ role system_r types unconfined_execmem_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.40/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-04-27 10:31:32.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/corecommands.fc 2006-05-15 15:04:17.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/corecommands.fc 2006-05-16 10:16:11.000000000 -0400
@@ -76,7 +76,7 @@
#
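Review bot: The new unconfined_execmem.fc entry `/usr/lib/openoffice.org.*/program/.*\.bin` drops the `(64)?` that the java.fc line removed in the preceding hunk carried (`/usr/lib(64)?/openoffice.org2.0/program/.*\.bin`), so on x86_64 installs under /usr/lib64 the OpenOffice binaries will no longer get the unconfined_execmem_exec_t label; `/usr/lib(64)?/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)` restores that. The interface summary in unconfined_execmem.if reads `requires dexecmem program`; it should read `Execute a program that requires execmem in the unconfined_execmem domain.`. In unconfined_execmem.te, `init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)` is followed inside the targeted block by `role system_r types unconfined_execmem_t;`, which I believe init_system_domain already declares — worth confirming and dropping if so; the file also opens with an empty first line, and a brand-new module starting at `1.1.2` rather than `1.0.0` is unusual.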
@@ -113,9 +199,9 @@
ifdef(`distro_gentoo',`
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.39/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.40/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-05-03 16:26:07.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/corenetwork.te.in 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/corenetwork.te.in 2006-05-16 10:16:11.000000000 -0400
@@ -69,9 +69,9 @@
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
@@ -136,9 +222,9 @@
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.39/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.40/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-04-20 08:17:36.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/domain.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/domain.te 2006-05-16 10:16:11.000000000 -0400
@@ -87,6 +87,8 @@
# list the root directory
files_list_root(domain)
@@ -156,10 +242,10 @@
role sysadm_r types domain;
role user_r types domain;
role staff_r types domain;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.39/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if 2006-05-03 11:38:52.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/files.if 2006-05-15 11:10:54.000000000 -0400
-@@ -1712,6 +1712,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.40/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/files.if 2006-05-16 10:16:11.000000000 -0400
+@@ -1882,6 +1882,21 @@
')
########################################
@@ -181,9 +267,9 @@
## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.39/policy/modules/kernel/files.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.40/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2006-04-28 22:50:56.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/files.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/files.te 2006-05-16 10:16:11.000000000 -0400
@@ -181,6 +181,10 @@
fs_associate(file_type)
fs_associate_noxattr(file_type)
@@ -195,10 +281,10 @@
########################################
#
# Rules for all tmp file types
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.39/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-05-01 14:39:05.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/kernel.if 2006-05-15 11:10:54.000000000 -0400
-@@ -1413,7 +1413,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.40/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/kernel.if 2006-05-16 10:16:11.000000000 -0400
+@@ -1409,7 +1409,7 @@
type proc_t, sysctl_t, sysctl_kernel_t;
')
@@ -207,9 +293,9 @@
allow $1 sysctl_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:dir r_dir_perms;
allow $1 sysctl_kernel_t:file r_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.39/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.40/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-05-01 14:39:06.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/kernel.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/kernel.te 2006-05-16 10:16:11.000000000 -0400
@@ -28,6 +28,7 @@
ifdef(`enable_mls',`
@@ -218,18 +304,18 @@
')
#
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.39/policy/modules/kernel/mls.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.40/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-03-07 10:31:09.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/kernel/mls.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/mls.te 2006-05-16 10:16:11.000000000 -0400
@@ -62,4 +62,5 @@
range_transition initrc_t auditd_exec_t s15:c0.c255;
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+range_transition initrc_t setrans_exec_t s15:c0.c255;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.39/policy/modules/kernel/terminal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.40/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-04-27 10:31:32.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/kernel/terminal.if 2006-05-15 14:20:35.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/terminal.if 2006-05-16 10:16:11.000000000 -0400
@@ -430,7 +430,7 @@
type devpts_t;
')
@@ -239,9 +325,17 @@
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.39/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.40/policy/modules/services/amavis.fc
+--- nsaserefpolicy/policy/modules/services/amavis.fc 2006-03-07 16:19:28.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/amavis.fc 2006-05-16 10:16:11.000000000 -0400
+@@ -9,3 +9,4 @@
+ /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
+ /var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0)
+ /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0)
++/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.40/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2006-05-08 09:53:05.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/amavis.te 2006-05-15 16:46:20.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/amavis.te 2006-05-16 10:16:11.000000000 -0400
@@ -31,6 +31,9 @@
type amavis_tmp_t;
files_tmp_file(amavis_tmp_t)
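Review bot: The added amavis.fc entry labels `/var/spool/amavisd(/.*)?` as `amavis_spool_t`, a type that is not visible in this hunk; the file contexts will not compile unless amavis.te in the same patch declares it (`type amavis_spool_t;` with `files_spool_file(amavis_spool_t)`). The diffstat lists amavis.te changes, but that hunk is outside this view, so please confirm the declaration and the matching allow rules are there. The `@@ -31,6 +31,9 @@` amavis.te header shown below is context from the previous revision, not part of this change.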
@@ -305,10 +399,10 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.39/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te 2006-05-03 11:38:52.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/apache.te 2006-05-15 11:10:54.000000000 -0400
-@@ -454,11 +454,6 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.40/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/apache.te 2006-05-16 10:16:11.000000000 -0400
+@@ -427,11 +427,6 @@
yam_read_content(httpd_t)
')
@@ -320,7 +414,7 @@
########################################
#
# Apache helper local policy
-@@ -712,6 +707,10 @@
+@@ -672,6 +667,10 @@
mysql_rw_db_sockets(httpd_sys_script_t)
')
@@ -331,9 +425,9 @@
########################################
#
# Apache unconfined script local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.39/policy/modules/services/bind.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.40/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2006-04-28 22:50:56.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/bind.te 2006-05-15 12:38:47.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/bind.te 2006-05-16 10:16:11.000000000 -0400
@@ -127,6 +127,8 @@
domain_use_interactive_fds(named_t)
@@ -351,9 +445,9 @@
sysnet_read_config(named_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.39/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.40/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/bluetooth.te 2006-05-15 13:30:50.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/bluetooth.te 2006-05-16 10:16:11.000000000 -0400
@@ -218,11 +218,14 @@
unconfined_stream_connect(bluetooth_helper_t)
@@ -370,9 +464,9 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.39/policy/modules/services/clamav.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.40/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/clamav.fc 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.fc 2006-05-16 10:16:11.000000000 -0400
@@ -1,6 +1,8 @@
/etc/clamav(/.*)? gen_context(system_u:object_r:clamd_etc_t,s0)
@@ -382,9 +476,9 @@
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.39/policy/modules/services/clamav.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.40/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/clamav.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.if 2006-05-16 10:16:11.000000000 -0400
@@ -61,3 +61,27 @@
files_search_etc($1)
allow $1 clamd_etc_t:file r_file_perms;
@@ -413,9 +507,9 @@
+ allow clamscan_t $1:process sigchld;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.39/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.40/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/clamav.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.te 2006-05-16 10:16:11.000000000 -0400
@@ -39,6 +39,10 @@
type freshclam_exec_t;
init_daemon_domain(freshclam_t, freshclam_exec_t)
@@ -472,9 +566,9 @@
+optional_policy(`
+ apache_read_sys_content(clamscan_t)
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-2.2.39/policy/modules/services/cvs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-2.2.40/policy/modules/services/cvs.if
--- nsaserefpolicy/policy/modules/services/cvs.if 2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/cvs.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/cvs.if 2006-05-16 10:16:11.000000000 -0400
@@ -17,3 +17,23 @@
allow $1 cvs_data_t:file { getattr read };
@@ -499,9 +593,9 @@
+ can_exec($1,cvs_exec_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.39/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.40/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/cvs.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/cvs.te 2006-05-16 10:16:11.000000000 -0400
@@ -8,6 +8,7 @@
type cvs_t;
@@ -510,9 +604,9 @@
inetd_tcp_service_domain(cvs_t,cvs_exec_t)
role system_r types cvs_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.39/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.40/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/dovecot.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/dovecot.te 2006-05-16 10:16:11.000000000 -0400
@@ -95,6 +95,11 @@
domain_use_interactive_fds(dovecot_t)
@@ -525,9 +619,9 @@
files_search_spool(dovecot_t)
files_search_tmp(dovecot_t)
files_dontaudit_list_default(dovecot_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.39/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.40/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/ftp.te 2006-05-15 12:59:51.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/ftp.te 2006-05-16 10:16:11.000000000 -0400
@@ -149,6 +149,7 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
@@ -536,9 +630,9 @@
ifdef(`targeted_policy',`
userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.39/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.40/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-04-20 08:17:39.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/hal.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/hal.te 2006-05-16 10:16:11.000000000 -0400
@@ -51,9 +51,6 @@
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
@@ -577,9 +671,9 @@
bind_search_cache(hald_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-2.2.39/policy/modules/services/inn.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-2.2.40/policy/modules/services/inn.if
--- nsaserefpolicy/policy/modules/services/inn.if 2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/inn.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/inn.if 2006-05-16 10:16:11.000000000 -0400
@@ -16,7 +16,7 @@
type innd_t;
')
@@ -619,9 +713,9 @@
+ allow innd_t $1:process sigchld;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.2.39/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.2.40/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2006-05-04 12:51:36.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/nis.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/nis.te 2006-05-16 10:16:11.000000000 -0400
@@ -87,6 +87,7 @@
corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
@@ -630,9 +724,9 @@
corenet_tcp_connect_all_ports(ypbind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-2.2.39/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-2.2.40/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/services/postgresql.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/postgresql.te 2006-05-16 10:16:11.000000000 -0400
@@ -41,6 +41,7 @@
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
@@ -641,9 +735,20 @@
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t postgresql_db_t:dir create_dir_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.39/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.40/policy/modules/services/pyzor.fc
+--- nsaserefpolicy/policy/modules/services/pyzor.fc 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/pyzor.fc 2006-05-16 10:20:27.000000000 -0400
+@@ -5,3 +5,7 @@
+
+ /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+ /var/log/pyzord.log -- gen_context(system_u:object_r:pyzord_log_t,s0)
++ifdef(`strict_policy',`
++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.40/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2006-05-03 16:01:26.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/pyzor.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/pyzor.if 2006-05-16 10:16:11.000000000 -0400
@@ -44,3 +44,37 @@
corecmd_search_bin($1)
can_exec($1,pyzor_exec_t)
@@ -682,9 +787,9 @@
+ allow pyzord_t $1_pyzor_home_t:file create_file_perms;
+ allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.39/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.40/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/rpc.te 2006-05-15 13:01:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/rpc.te 2006-05-16 10:16:11.000000000 -0400
@@ -65,6 +65,8 @@
files_manage_mounttab(rpcd_t)
@@ -716,9 +821,9 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.39/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.40/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2006-04-28 22:50:57.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/rsync.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/rsync.te 2006-05-16 10:16:11.000000000 -0400
@@ -8,6 +8,7 @@
type rsync_t;
@@ -727,18 +832,10 @@
init_daemon_domain(rsync_t,rsync_exec_t)
role system_r types rsync_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.2.39/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te 2006-05-08 09:53:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/ssh.te 2006-05-15 11:10:54.000000000 -0400
-@@ -17,6 +17,7 @@
-
- type ssh_keysign_exec_t;
- files_type(ssh_keysign_exec_t)
-+corecmd_executable_file(ssh_keysign_exec_t)
-
- # real declaration moved to mls until
- # range_transition works in loadable modules
-@@ -73,7 +74,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.2.40/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/ssh.te 2006-05-16 10:16:11.000000000 -0400
+@@ -73,7 +73,7 @@
ifdef(`strict_policy',`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
@@ -747,9 +844,61 @@
allow sshd_t sshd_tmp_t:dir create_dir_perms;
allow sshd_t sshd_tmp_t:file create_file_perms;
allow sshd_t sshd_tmp_t:sock_file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.39/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-2.2.40/policy/modules/services/xfs.if
+--- nsaserefpolicy/policy/modules/services/xfs.if 2006-02-10 17:05:19.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/xfs.if 2006-05-16 10:21:41.000000000 -0400
+@@ -41,3 +41,22 @@
+ allow $1 xfs_tmp_t:sock_file write;
+ allow $1 xfs_t:unix_stream_socket connectto;
+ ')
++
++
++########################################
++## <summary>
++## Allow the specified domain to execute xfs
++## in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xfs_exec',`
++ gen_require(`
++ type xfs_exec_t;
++ ')
++ can_exec($1,xfs_exec_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.40/policy/modules/services/xfs.te
+--- nsaserefpolicy/policy/modules/services/xfs.te 2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xfs.te 2006-05-16 10:21:41.000000000 -0400
+@@ -34,6 +34,7 @@
+ allow xfs_t xfs_var_run_t:file create_file_perms;
+ allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
++xfs_exec(xfs_t)
+
+ # Bind to /tmp/.font-unix/fs-1.
+ # cjp: I do not believe this has an effect.
+@@ -49,6 +50,8 @@
+
+ term_dontaudit_use_console(xfs_t)
+
++corecmd_list_bin(xfs_t)
++corecmd_list_sbin(xfs_t)
+ domain_use_interactive_fds(xfs_t)
+
+ files_read_etc_files(xfs_t)
+@@ -91,3 +94,5 @@
+ optional_policy(`
+ udev_read_db(xfs_t)
+ ')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.40/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-05-03 11:38:54.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/services/xserver.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xserver.if 2006-05-16 10:16:11.000000000 -0400
@@ -1073,3 +1073,41 @@
dontaudit $1 xdm_xserver_t:tcp_socket { read write };
@@ -792,9 +941,21 @@
+ allow $1 xdm_t:fifo_file { getattr read write };
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.39/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.40/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te 2006-04-20 08:17:39.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xserver.te 2006-05-16 10:16:11.000000000 -0400
+@@ -311,6 +311,8 @@
+ allow xdm_t self:process { execheap execmem };
+ unconfined_domain(xdm_t)
+ unconfined_domtrans(xdm_t)
++ userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
++
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
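Review bot: The new filetrans call is written `{file dir }`, while the rest of the policy writes class and permission sets as `{ file dir }`; `userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, { file dir })` would match the surrounding style. The extra blank line added before the closing `')` of the targeted block can go as well. A why-comment would help here, since xdm_t is already `unconfined_domain` two lines above and a reader will ask why an explicit transition is still needed; something like `# NOTE: unconfined_domain() apparently does not cover type transitions — confirm` records the assumption without asserting it.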
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.40/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/hostname.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/hostname.te 2006-05-16 10:16:11.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -807,10 +968,10 @@
role system_r types hostname_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.39/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if 2006-04-05 17:08:56.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/init.if 2006-05-15 11:10:54.000000000 -0400
-@@ -690,6 +690,25 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.40/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/init.if 2006-05-16 10:16:11.000000000 -0400
+@@ -772,6 +772,25 @@
########################################
## <summary>
@@ -836,9 +997,9 @@
## Dont audit the specified domain connecting to
## init scripts with a unix domain stream socket.
## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.39/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te 2006-05-05 09:51:43.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/init.te 2006-05-15 11:10:54.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.40/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/init.te 2006-05-16 10:16:11.000000000 -0400
@@ -350,6 +350,7 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
@@ -847,9 +1008,9 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.39/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.40/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/libraries.fc 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/libraries.fc 2006-05-16 10:16:11.000000000 -0400
@@ -40,6 +40,8 @@
/opt/(.*/)?lib64/.*\.so\.[^/]* -- gen_context(system_u:object_r:shlib_t,s0)
/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -911,15 +1072,15 @@
+/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
/usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
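Review bot: The corrected spec `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* --` now labels every regular file under sidecars as textrel_shlib_t, a type that permits execmod (text relocations), whether or not the file is a shared object. If that directory holds only libraries the grant is harmless; otherwise it should be narrowed the way the neighbouring entries are, e.g. `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The change from `sidecars/*` is itself right: as a regex, `/*` matched zero or more slashes rather than the directory's contents, so the old line labelled nothing useful.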
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.39/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/logging.if 2006-05-15 11:10:54.000000000 -0400
-@@ -399,3 +399,100 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.40/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/logging.if 2006-05-16 10:16:11.000000000 -0400
+@@ -459,3 +459,100 @@
allow $1 var_log_t:dir rw_dir_perms;
allow $1 var_log_t:file create_file_perms;
')
@@ -1020,9 +1181,9 @@
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.39/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.40/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-04-27 10:31:33.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/logging.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/logging.te 2006-05-16 10:16:11.000000000 -0400
@@ -14,10 +14,14 @@
role system_r types auditctl_t;
@@ -1049,9 +1210,9 @@
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.39/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.40/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/mount.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/mount.te 2006-05-16 10:16:11.000000000 -0400
@@ -169,4 +169,8 @@
ifdef(`targeted_policy',`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
@@ -1061,22 +1222,55 @@
+ auth_read_all_files_except_shadow(mount_t)
+ ')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.39/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/selinuxutil.te 2006-05-15 11:10:54.000000000 -0400
-@@ -546,6 +546,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.40/policy/modules/system/selinuxutil.fc
+--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/selinuxutil.fc 2006-05-16 12:45:55.000000000 -0400
+@@ -37,6 +37,8 @@
+ /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
+ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
+ /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
+
+ ifdef(`distro_debian', `
+ /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.40/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/selinuxutil.te 2006-05-16 14:36:58.000000000 -0400
+@@ -526,6 +526,8 @@
+ #
+
+ allow semanage_t self:unix_stream_socket create_stream_socket_perms;
++allow semanage_t self:unix_dgram_socket create_socket_perms;
++allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ allow semanage_t policy_config_t:file { read write };
+
+@@ -535,10 +537,18 @@
+ corecmd_exec_bin(semanage_t)
+ corecmd_exec_sbin(semanage_t)
+
++dev_read_urand(semanage_t)
++
+ files_read_etc_files(semanage_t)
files_read_usr_files(semanage_t)
files_list_pids(semanage_t)
++logging_send_syslog_msg(semanage_t)
++
+miscfiles_read_localization(semanage_t)
+
++selinux_set_boolean(semanage_t)
++
mls_file_write_down(semanage_t)
mls_rangetrans_target(semanage_t)
mls_file_read_up(semanage_t)
-@@ -570,6 +572,12 @@
+@@ -563,6 +573,14 @@
seutil_get_semanage_trans_lock(semanage_t)
seutil_get_semanage_read_lock(semanage_t)
++userdom_search_sysadm_home_dirs(semanage_t)
++
+ifdef(`targeted_policy',`
+# Handle pp files created in homedir and /tmp
+ userdom_read_generic_user_home_content_files(semanage_t)
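Review bot: In the targeted branch at the end of the hunk, `userdom_read_generic_user_home_content_files(semanage_t)` lets the policy-management domain read every file carrying the generic user-home type, not only the .pp module packages that the comment `# Handle pp files created in homedir and /tmp` describes; the ifdef block continues past the hunk, so the /tmp part is not visible here. Because this same hunk relabels `/usr/sbin/setsebool` and `/usr/sbin/semanage` as semanage_exec_t, anything that transitions into semanage_t presumably inherits this read access along with the new `selinux_set_boolean(semanage_t)` and `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` grants. If no narrower type for module packages exists, the comment should at least say the grant is deliberately broad, e.g. `# Handle pp files created in homedir and /tmp; no dedicated type, so all generic user home content is readable`.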
@@ -1086,17 +1280,17 @@
optional_policy(`
nscd_socket_use(semanage_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.2.39/policy/modules/system/setrans.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.2.40/policy/modules/system/setrans.fc
--- nsaserefpolicy/policy/modules/system/setrans.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/setrans.fc 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.fc 2006-05-16 10:16:11.000000000 -0400
@@ -0,0 +1,4 @@
+
+/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
+/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-2.2.39/policy/modules/system/setrans.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-2.2.40/policy/modules/system/setrans.if
--- nsaserefpolicy/policy/modules/system/setrans.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/setrans.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.if 2006-05-16 10:16:11.000000000 -0400
@@ -0,0 +1,24 @@
+## <summary>Policy for setrans.</summary>
+
@@ -1122,9 +1316,9 @@
+ allow $1 setrans_var_run_t:sock_file rw_file_perms;
+ allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.39/policy/modules/system/setrans.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.40/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.39/policy/modules/system/setrans.te 2006-05-15 13:40:37.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.te 2006-05-16 10:16:11.000000000 -0400
@@ -0,0 +1,71 @@
+
+policy_module(setrans,1.0.0)
@@ -1159,7 +1353,7 @@
+kernel_read_proc_symlinks(setrans_t)
+
+allow setrans_t self:capability sys_resource;
-+allow setrans_t self:process { setcap signal_perms };
++allow setrans_t self:process { setrlimit setcap signal_perms };
+
+libs_use_ld_so(setrans_t)
+libs_use_shared_libs(setrans_t)
@@ -1197,9 +1391,9 @@
+can_exec(setrans_t, setrans_exec_t)
+
+logging_send_syslog_msg(setrans_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.39/policy/modules/system/sysnetwork.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.40/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/sysnetwork.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/sysnetwork.te 2006-05-16 10:16:11.000000000 -0400
@@ -86,6 +86,8 @@
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
allow ifconfig_t dhcpc_t:process sigchld;
@@ -1209,9 +1403,26 @@
kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.39/policy/modules/system/unconfined.if
+@@ -249,6 +251,9 @@
+ optional_policy(`
+ xen_append_log(dhcpc_t)
+ xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
++ kernel_read_xen_state(dhcpc_t)
++ kernel_write_xen_state(dhcpc_t)
++
+ ')
+
+ ########################################
+@@ -349,4 +354,6 @@
+ optional_policy(`
+ xen_append_log(ifconfig_t)
+ xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
++ kernel_read_xen_state(ifconfig_t)
++ kernel_write_xen_state(ifconfig_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.40/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/unconfined.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/unconfined.if 2006-05-16 10:16:11.000000000 -0400
@@ -431,3 +431,24 @@
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
')
@@ -1237,9 +1448,9 @@
+ allow $1 unconfined_t:dbus acquire_svc;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.39/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.40/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/unconfined.te 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/unconfined.te 2006-05-16 17:11:10.000000000 -0400
@@ -65,6 +65,10 @@
')
@@ -1251,7 +1462,18 @@
init_dbus_chat_script(unconfined_t)
dbus_stub(unconfined_t)
-@@ -115,6 +119,10 @@
+@@ -103,6 +107,10 @@
+ ')
+
+ optional_policy(`
++ unconfined_execmem_domtrans(unconfined_t)
++ ')
++
++ optional_policy(`
+ lpd_domtrans_checkpc(unconfined_t)
+ ')
+
+@@ -115,6 +123,10 @@
')
optional_policy(`
@@ -1262,9 +1484,9 @@
portmap_domtrans_helper(unconfined_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.39/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.40/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-05-03 11:38:54.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/userdomain.if 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/userdomain.if 2006-05-16 16:52:56.000000000 -0400
@@ -4794,3 +4794,26 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
@@ -1292,9 +1514,9 @@
+ allow $1 user_home_t:file r_file_perms;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.39/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2006-05-05 09:51:43.000000000 -0400
-+++ serefpolicy-2.2.39/policy/modules/system/userdomain.te 2006-05-15 11:10:54.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.40/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/userdomain.te 2006-05-16 16:13:10.000000000 -0400
@@ -6,6 +6,7 @@
ifdef(`enable_mls',`
@@ -1331,11 +1553,15 @@
')
optional_policy(`
-@@ -128,8 +132,19 @@
+@@ -127,9 +131,22 @@
+ role_change(staff, sysadm)
ifdef(`enable_mls',`
- admin_user_template(secadm)
-+ admin_user_template(auditadm)
+- admin_user_template(secadm)
++# admin_user_template(secadm)
++# admin_user_template(auditadm)
++ unpriv_user_template(secadm)
++ unpriv_user_template(auditadm)
+
+ role_change(staff,auditadm)
role_change(staff,secadm)
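Review bot: The commented-out `# admin_user_template(secadm)` and `# admin_user_template(auditadm)` left next to the new `unpriv_user_template(secadm)` / `unpriv_user_template(auditadm)` calls are dead code and say nothing about why the templates changed; in an MLS build this alters what the security and audit administrators are given by default, so the reason belongs in a comment and the old calls should be removed. Suggest replacing the two dead lines with `# secadm/auditadm start from the unprivileged template; their administrative rights are granted explicitly further down`. The enable_mls block continues past the end of the hunk.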
@@ -1351,16 +1577,28 @@
')
# this should be tunable_policy, but
-@@ -179,12 +194,21 @@
+@@ -174,17 +191,32 @@
+ ifdef(`enable_mls',`
+ corecmd_exec_shell(secadm_t)
+ mls_process_read_up(secadm_t)
++ mls_file_read_up(secadm_t)
+ mls_file_write_down(secadm_t)
+ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
- logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
userdom_dontaudit_append_staff_home_content_files(secadm_t)
- files_relabel_all_files(secadm_t)
+- files_relabel_all_files(secadm_t)
++ auth_relabel_all_files_except_shadow(secadm_t)
auth_relabel_shadow(secadm_t)
++ domain_obj_id_change_exemption(secadm_t)
++ logging_read_generic_logs(secadm_t)
+
++ domain_kill_all_domains(auditadm_t)
++ seutil_read_bin_policy(auditadm_t)
+ corecmd_exec_shell(auditadm_t)
++ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
+ logging_manage_audit_config(auditadm_t)
+ logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
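Review bot: `domain_kill_all_domains(auditadm_t)` lets the audit administrator signal every domain on the system, which is far wider than the audit-log and audit-config management granted on the neighbouring lines and is not explained. If it exists only so auditadm can stop or restart the audit daemon, the grant should be narrowed to that daemon's domain or, failing a suitable interface, carry a comment such as `# auditadm must be able to stop/restart auditd; domain_kill_all_domains is wider than needed`. `domain_obj_id_change_exemption(secadm_t)` is likewise added without a why-comment. The enable_mls block that encloses these rules continues past the end of the hunk.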
@@ -1375,7 +1613,7 @@
logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
')
-@@ -236,10 +260,19 @@
+@@ -240,10 +272,19 @@
')
optional_policy(`
@@ -1395,7 +1633,7 @@
')
')
-@@ -258,6 +291,7 @@
+@@ -262,6 +303,7 @@
ifdef(`enable_mls',`
dmesg_exec(secadm_t)
@@ -1403,9 +1641,96 @@
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.39/policy/rolemap
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.40/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc 2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.fc 2006-05-16 10:16:11.000000000 -0400
+@@ -13,5 +13,6 @@
+
+ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+ /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
++/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.40/policy/modules/system/xen.if
+--- nsaserefpolicy/policy/modules/system/xen.if 2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.if 2006-05-16 10:16:11.000000000 -0400
+@@ -127,3 +127,4 @@
+ allow xm_t:$1:fifo_file rw_file_perms;
+ allow xm_t $1:process sigchld;
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.40/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te 2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.te 2006-05-16 10:16:11.000000000 -0400
+@@ -77,7 +77,7 @@
+ # pid file
+ allow xend_t xend_var_run_t:file manage_file_perms;
+ allow xend_t xend_var_run_t:sock_file manage_file_perms;
+-allow xend_t xend_var_run_t:dir rw_dir_perms;
++allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
+ files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+
+ # log files
+@@ -92,6 +92,10 @@
+ allow xend_t xend_var_lib_t:dir create_dir_perms;
+ files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
+
++optional_policy(`
++ consoletype_domtrans(xend_t)
++')
++
+ # transition to store
+ domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+ allow xenstored_t xend_t:fd use;
+@@ -153,8 +157,6 @@
+ sysnet_delete_dhcpc_pid(xend_t)
+ sysnet_read_dhcpc_pid(xend_t)
+
+-consoletype_exec(xend_t)
+-
+ xen_stream_connect_xenstore(xend_t)
+
+ ########################################
+@@ -180,6 +182,7 @@
+
+ term_create_pty(xenconsoled_t,xen_devpts_t);
+ term_dontaudit_use_generic_ptys(xenconsoled_t)
++term_use_console(xenconsoled_t)
+
+ init_use_fds(xenconsoled_t)
+
+@@ -198,6 +201,7 @@
+
+ allow xenstored_t self:capability { dac_override mknod ipc_lock };
+ allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
++allow xenstored_t self:unix_dgram_socket create_socket_perms;
+
+ # pid file
+ allow xenstored_t xenstored_var_run_t:file manage_file_perms;
+@@ -220,12 +224,15 @@
+ dev_rw_xen(xenstored_t)
+
+ term_dontaudit_use_generic_ptys(xenstored_t)
++term_dontaudit_use_console(xenconsoled_t)
+
+ init_use_fds(xenstored_t)
+
+ libs_use_ld_so(xenstored_t)
+ libs_use_shared_libs(xenstored_t)
+
++logging_send_syslog_msg(xenstored_t)
++
+ miscfiles_read_localization(xenstored_t)
+
+ xen_append_log(xenstored_t)
+@@ -263,3 +270,4 @@
+ xen_append_log(xm_t)
+ xen_stream_connect(xm_t)
+ xen_stream_connect_xenstore(xm_t)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.40/policy/rolemap
--- nsaserefpolicy/policy/rolemap 2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.39/policy/rolemap 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/rolemap 2006-05-16 10:16:11.000000000 -0400
@@ -15,5 +15,6 @@
ifdef(`enable_mls',`
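Review bot: `term_dontaudit_use_console(xenconsoled_t)`, added in the xenstored_t section right after `term_dontaudit_use_generic_ptys(xenstored_t)`, names the wrong domain: every surrounding rule there targets xenstored_t, and a dontaudit on xenconsoled_t is moot anyway because this same hunk adds `term_use_console(xenconsoled_t)` a few lines earlier. It should read `term_dontaudit_use_console(xenstored_t)`, or be dropped if xenstored never touches the console. The trailing blank lines appended to xen.if and xen.te are noise and can be removed.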
@@ -1413,9 +1738,9 @@
+ auditadm_r auditadm auditadm_t
')
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.39/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.40/policy/users
--- nsaserefpolicy/policy/users 2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.39/policy/users 2006-05-15 11:10:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/users 2006-05-16 10:16:11.000000000 -0400
@@ -29,7 +29,7 @@
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.192
retrieving revision 1.193
diff -u -r1.192 -r1.193
--- selinux-policy.spec 15 May 2006 20:48:00 -0000 1.192
+++ selinux-policy.spec 17 May 2006 00:48:04 -0000 1.193
@@ -15,8 +15,8 @@
%define CHECKPOLICYVER 1.30.1-2
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.39
-Release: 2
+Version: 2.2.40
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -335,6 +335,9 @@
%endif
%changelog
+* Tue May 16 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1
+- Update from upstream
+
* Mon May 15 2006 Dan Walsh <dwalsh at redhat.com> 2.2.39-2
- Fixes for amavis