rpms/selinux-policy/FC-5 .cvsignore, 1.53, 1.54 Makefile.devel, 1.5, 1.6 policy-20060505.patch, 1.1, 1.2 selinux-policy.spec, 1.167, 1.168 sources, 1.57, 1.58

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed May 17 13:57:50 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv18620

Modified Files:
	.cvsignore Makefile.devel policy-20060505.patch 
	selinux-policy.spec sources 
Log Message:
* Wed May 17 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1.fc5
- Bump for fc5



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/.cvsignore,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- .cvsignore	8 May 2006 19:31:50 -0000	1.53
+++ .cvsignore	17 May 2006 13:57:47 -0000	1.54
@@ -48,9 +48,21 @@
 serefpolicy-2.2.21.tgz
 serefpolicy-2.2.22.tgz
 serefpolicy-2.2.23.tgz
+serefpolicy-2.2.24.tgz
 serefpolicy-2.2.25.tgz
+serefpolicy-2.2.26.tgz
+serefpolicy-2.2.27.tgz
+serefpolicy-2.2.28.tgz
 serefpolicy-2.2.29.tgz
+serefpolicy-2.2.30.tgz
+serefpolicy-2.2.31.tgz
 serefpolicy-2.2.32.tgz
+serefpolicy-2.2.33.tgz
 serefpolicy-2.2.34.tgz
+selinux-policy-2.2.35-1.src.rpm
+serefpolicy-2.2.35.tgz
 serefpolicy-2.2.36.tgz
+serefpolicy-2.2.37.tgz
 serefpolicy-2.2.38.tgz
+serefpolicy-2.2.39.tgz
+serefpolicy-2.2.40.tgz


Index: Makefile.devel
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/Makefile.devel,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- Makefile.devel	23 Feb 2006 18:56:16 -0000	1.5
+++ Makefile.devel	17 May 2006 13:57:47 -0000	1.6
@@ -5,12 +5,15 @@
 NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
 
 MLSENABLED := $(shell cat /selinux/mls)
+ifeq ($(MLSENABLED),)
+	MLSENABLED := 1
+endif
+
 ifeq ($(MLSENABLED),1)
 MCSFLAG=-mcs
 endif
 
 TYPE ?= $(NAME)${MCSFLAG}
-HEADERDIR := $(SHAREDIR)/targeted/include
+HEADERDIR := $(SHAREDIR)/devel/include
 include $(HEADERDIR)/Makefile
 
-
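Review bot: The new `ifeq ($(MLSENABLED),)` default covers the case where `$(shell cat /selinux/mls)` on the context line above returns nothing, but that `cat` still prints an error to stderr on every parse when selinuxfs is not mounted (build chroots, non-SELinux hosts), and the default then silently selects `-mcs` via the `ifeq ($(MLSENABLED),1)` block below; `MLSENABLED := $(shell cat /selinux/mls 2>/dev/null)` plus a comment `# selinuxfs absent: assume an MCS-enabled policy` would make the intent explicit. The `MLSENABLED := 1` inside the conditional is tab-indented; it parses as an assignment only because no rule precedes it in this file, so writing it at column 0 (or two spaces) like the other assignments is safer. Whether MCS is the right default for a host where SELinux is not available at all is not visible from this hunk.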

policy-20060505.patch:
 config/appconfig-strict-mls/default_type  |    1 
 policy/global_booleans                    |    8 ++
 policy/global_tunables                    |    8 ++
 policy/modules/admin/consoletype.te       |   16 ++++
 policy/modules/admin/netutils.te          |    3 
 policy/modules/admin/prelink.te           |    3 
 policy/modules/apps/mono.te               |    5 +
 policy/modules/apps/unconfined_execmem.fc |    2 
 policy/modules/apps/unconfined_execmem.if |   29 ++++++++
 policy/modules/apps/unconfined_execmem.te |   22 ++++++
 policy/modules/kernel/corecommands.fc     |    2 
 policy/modules/kernel/corenetwork.te.in   |    5 -
 policy/modules/kernel/domain.te           |    3 
 policy/modules/kernel/files.if            |   15 ++++
 policy/modules/kernel/files.te            |    4 +
 policy/modules/kernel/kernel.if           |    2 
 policy/modules/kernel/kernel.te           |    1 
 policy/modules/kernel/mls.te              |    1 
 policy/modules/kernel/terminal.if         |    2 
 policy/modules/services/amavis.fc         |    1 
 policy/modules/services/amavis.te         |   17 ++++-
 policy/modules/services/apache.te         |    9 +-
 policy/modules/services/bind.te           |    3 
 policy/modules/services/bluetooth.te      |    5 +
 policy/modules/services/clamav.fc         |    2 
 policy/modules/services/clamav.if         |   24 +++++++
 policy/modules/services/clamav.te         |   45 +++++++++++++
 policy/modules/services/cvs.if            |   20 ++++++
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/dovecot.te        |    5 +
 policy/modules/services/ftp.te            |    1 
 policy/modules/services/hal.te            |   11 ---
 policy/modules/services/inn.if            |   28 ++++++++
 policy/modules/services/nis.te            |    1 
 policy/modules/services/postgresql.te     |    1 
 policy/modules/services/pyzor.fc          |    4 +
 policy/modules/services/pyzor.if          |   34 ++++++++++
 policy/modules/services/rpc.te            |   10 ++-
 policy/modules/services/rsync.te          |    1 
 policy/modules/services/ssh.te            |    2 
 policy/modules/services/xfs.if            |   19 +++++
 policy/modules/services/xfs.te            |    5 +
 policy/modules/services/xserver.if        |   38 +++++++++++
 policy/modules/services/xserver.te        |    2 
 policy/modules/system/hostname.te         |    5 +
 policy/modules/system/init.if             |   19 +++++
 policy/modules/system/init.te             |    1 
 policy/modules/system/libraries.fc        |   15 +++-
 policy/modules/system/logging.if          |   97 ++++++++++++++++++++++++++++++
 policy/modules/system/logging.te          |    8 ++
 policy/modules/system/mount.te            |    4 +
 policy/modules/system/selinuxutil.fc      |    2 
 policy/modules/system/selinuxutil.te      |   18 +++++
 policy/modules/system/setrans.fc          |    4 +
 policy/modules/system/setrans.if          |   24 +++++++
 policy/modules/system/setrans.te          |   71 +++++++++++++++++++++
 policy/modules/system/sysnetwork.te       |    7 ++
 policy/modules/system/unconfined.if       |   21 ++++++
 policy/modules/system/unconfined.te       |   12 +++
 policy/modules/system/userdomain.if       |   23 +++++++
 policy/modules/system/userdomain.te       |   52 ++++++++++++++--
 policy/modules/system/xen.fc              |    1 
 policy/modules/system/xen.if              |    1 
 policy/modules/system/xen.te              |   14 +++-
 policy/rolemap                            |    1 
 policy/users                              |    6 -
 66 files changed, 787 insertions(+), 40 deletions(-)

Index: policy-20060505.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/policy-20060505.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20060505.patch	8 May 2006 19:36:04 -0000	1.1
+++ policy-20060505.patch	17 May 2006 13:57:47 -0000	1.2
@@ -1,14 +1,14 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.38/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.40/config/appconfig-strict-mls/default_type
 --- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.38/config/appconfig-strict-mls/default_type	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/config/appconfig-strict-mls/default_type	2006-05-16 10:16:11.000000000 -0400
 @@ -2,3 +2,4 @@
  secadm_r:secadm_t
  staff_r:staff_t
  user_r:user_t
 +auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.38/policy/global_booleans
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.2.40/policy/global_booleans
 --- nsaserefpolicy/policy/global_booleans	2006-02-10 17:05:17.000000000 -0500
-+++ serefpolicy-2.2.38/policy/global_booleans	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/global_booleans	2006-05-16 10:16:11.000000000 -0400
 @@ -28,3 +28,11 @@
  ## </p>
  ## </desc>
@@ -21,9 +21,90 @@
 +## </desc>
 +gen_bool(allow_mount_anyfile,false)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.38/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.40/policy/global_tunables
+--- nsaserefpolicy/policy/global_tunables	2006-04-18 22:49:58.000000000 -0400
++++ serefpolicy-2.2.40/policy/global_tunables	2006-05-16 10:16:11.000000000 -0400
+@@ -73,6 +73,14 @@
+ 
+ ## <desc>
+ ## <p>
++## Allow nfs servers to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(allow_nfsd_anon_write,false)
++
++## <desc>
++## <p>
+ ## Allow java executable stack
+ ## </p>
+ ## </desc>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.40/policy/modules/admin/consoletype.te
+--- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-04-04 18:06:37.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/consoletype.te	2006-05-16 10:16:11.000000000 -0400
+@@ -8,7 +8,12 @@
+ 
+ type consoletype_t;
+ type consoletype_exec_t;
+-init_domain(consoletype_t,consoletype_exec_t)
++#dont transition from initrc
++#init_domain(consoletype_t,consoletype_exec_t)
++domain_type(consoletype_t)
++domain_entry_file(consoletype_t,consoletype_exec_t)
++role system_r types consoletype_t;
++
+ mls_file_read_up(consoletype_t)
+ mls_file_write_down(consoletype_t)
+ role system_r types consoletype_t;
+@@ -107,3 +112,12 @@
+ optional_policy(`
+ 	userdom_use_unpriv_users_fds(consoletype_t)
+ ')
++
++optional_policy(`
++	xen_append_log(consoletype_t)
++	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
++	kernel_read_xen_state(consoletype_t)
++	kernel_write_xen_state(consoletype_t)
++
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.40/policy/modules/admin/netutils.te
+--- nsaserefpolicy/policy/modules/admin/netutils.te	2006-04-27 10:31:31.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/netutils.te	2006-05-16 10:16:11.000000000 -0400
+@@ -187,6 +187,7 @@
+ # traceroute needs this but not tracepath
+ corenet_raw_bind_all_nodes(traceroute_t)
+ corenet_tcp_connect_all_ports(traceroute_t)
++corenet_udp_bind_traceroute_port(traceroute_t)
+ 
+ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+ 
+@@ -195,6 +196,8 @@
+ files_read_etc_files(traceroute_t)
+ files_dontaudit_search_var(traceroute_t)
+ 
++init_use_fds(traceroute_t)
++
+ libs_use_ld_so(traceroute_t)
+ libs_use_shared_libs(traceroute_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.40/policy/modules/admin/prelink.te
+--- nsaserefpolicy/policy/modules/admin/prelink.te	2006-04-20 08:17:35.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/admin/prelink.te	2006-05-16 16:59:39.000000000 -0400
+@@ -46,6 +46,9 @@
+ corecmd_manage_all_executables(prelink_t)
+ corecmd_relabel_all_executables(prelink_t)
+ corecmd_mmap_all_executables(prelink_t)
++corecmd_read_sbin_symlinks(prelink_t)
++
++domain_obj_id_change_exemption(prelink_t)
+ 
+ dev_read_urand(prelink_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.40/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2006-05-03 16:26:07.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/apps/mono.te	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/apps/mono.te	2006-05-16 10:16:11.000000000 -0400
 @@ -22,6 +22,7 @@
  	unconfined_domain_noaudit(mono_t)
  	unconfined_dbus_chat(mono_t)
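Review bot: The `role system_r types consoletype_t;` added to consoletype.te duplicates the identical statement kept as a context line three lines further down, and the commented-out `#init_domain(consoletype_t,consoletype_exec_t)` above it is dead code; the `#dont transition from initrc` comment alone explains the change, so drop both extra lines. The new `domain_obj_id_change_exemption(prelink_t)` in prelink.te lifts an MLS constraint for the prelink domain with no why-comment; a line naming the prelink operation that was being denied would let a later auditor judge whether the exemption is still needed. The xen `optional_policy` block added to consoletype.te has a stray blank line before its closing `')`, unlike the other blocks in the file.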
@@ -32,9 +113,83 @@
  	init_dbus_chat_script(mono_t)
  
  	optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.38/policy/modules/kernel/corecommands.fc
+@@ -35,4 +36,8 @@
+ 	optional_policy(`
+ 		networkmanager_dbus_chat(mono_t)
+ 	')
++
++	optional_policy(`
++		unconfined_dbus_connect_bus(mono_t)
++	')
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.fc
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.fc	2006-05-16 17:24:40.000000000 -0400
+@@ -0,0 +1,2 @@
++/usr/lib/openoffice.org.*/program/.*\.bin	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/bin/valgrind 	-- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.if serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.if
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.if	2006-05-16 17:10:38.000000000 -0400
+@@ -0,0 +1,29 @@
++## <summary>Unconfined domain with execmem/execstack privs</summary>
++
++########################################
++## <summary>
++##	Execute the application that requires dexecmem program in the unconfined_execmem domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_execmem_domtrans',`
++	ifdef(`targeted_policy',`
++		gen_require(`
++			type unconfined_execmem_t, unconfined_execmem_exec_t;
++		')
++
++		corecmd_search_bin($1)
++		domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
++
++		allow $1 unconfined_execmem_t:fd use;
++		allow unconfined_execmem_t $1:fd use;
++		allow unconfined_execmem_t $1:fifo_file rw_file_perms;
++		allow unconfined_execmem_t $1:process sigchld;
++	',`
++		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
++	')
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.te serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.te
+--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/apps/unconfined_execmem.te	2006-05-16 17:05:11.000000000 -0400
+@@ -0,0 +1,22 @@
++
++policy_module(unconfined_execmem,1.1.2)
++
++########################################
++#
++# Declarations
++#
++
++type unconfined_execmem_t;
++type unconfined_execmem_exec_t;
++init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t)
++
++########################################
++#
++# Local policy
++#
++
++ifdef(`targeted_policy',`
++	allow unconfined_execmem_t self:process { execstack execmem };
++	unconfined_domain_noaudit(unconfined_execmem_t)
++	role system_r types unconfined_execmem_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.40/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-27 10:31:32.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/kernel/corecommands.fc	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/corecommands.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -76,7 +76,7 @@
  #
  
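Review bot: The summary of `unconfined_execmem_domtrans` in the new unconfined_execmem.if reads `Execute the application that requires dexecmem program in the unconfined_execmem domain.`; suggest `Execute a program that needs execmem/execstack in the unconfined_execmem domain.`. The new module gives an unconfined domain plus `self:process { execstack execmem }` to every binary matched by the two .fc patterns, but the "Local policy" section of unconfined_execmem.te has no comment saying which consumers (the .fc lists openoffice.org `.bin` files and valgrind) motivated it; a one-line comment there would help the next reviewer of that privilege. The valgrind .fc entry mixes a space and a tab before `--`, while the openoffice entry uses a tab only. Starting a brand-new module at `policy_module(unconfined_execmem,1.1.2)` rather than 1.0.0 may be unintended.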
@@ -44,21 +199,32 @@
  ifdef(`distro_gentoo',`
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.38/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.40/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-05-03 16:26:07.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/kernel/corenetwork.te.in	2006-05-07 06:43:05.000000000 -0400
-@@ -71,7 +71,7 @@
++++ serefpolicy-2.2.40/policy/modules/kernel/corenetwork.te.in	2006-05-16 10:16:11.000000000 -0400
+@@ -69,9 +69,9 @@
+ network_port(giftd, tcp,1213,s0)
+ network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
- network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
+-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
++network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
 -network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0)
-+network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0, tcp,9280,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
++network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.38/policy/modules/kernel/domain.te
+@@ -125,6 +125,7 @@
+ network_port(telnetd, tcp,23,s0)
+ network_port(tftp, udp,69,s0)
+ network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
++network_port(traceroute, udp,64000-64010,s0)
+ network_port(transproxy, tcp,8081,s0)
+ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
+ network_port(uucpd, tcp,540,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.40/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/kernel/domain.te	2006-05-05 11:40:52.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/domain.te	2006-05-16 10:16:11.000000000 -0400
 @@ -87,6 +87,8 @@
  # list the root directory
  files_list_root(domain)
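Review bot: The port numbers added to the `http` and `hplip` lines in corenetwork.te.in and the new `traceroute` line carry no comment, whereas the neighbouring http_cache line documents `# 8118 is for privoxy`; a trailing `# 8009 is for the AJP13 (tomcat) connector` on the http line and a comment naming the printer services behind the 1782, 8292 and 9220-9282 additions on the hplip line would make later audits of what `http_port_t` and `hplip_port_t` cover much easier. Labelling 8009 as http_port_t widens what every domain with http port access may bind or connect to, so stating the intent is worthwhile. The `udp,64000-64010` range for traceroute differs from the 33434-based range classic UDP traceroute uses; a comment naming the implementation that uses this range would help.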
@@ -76,10 +242,10 @@
  	role sysadm_r types domain;
  	role user_r types domain;
  	role staff_r types domain;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.38/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-03 11:38:52.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/kernel/files.if	2006-05-05 10:10:12.000000000 -0400
-@@ -1712,6 +1712,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.40/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/files.if	2006-05-16 10:16:11.000000000 -0400
+@@ -1882,6 +1882,21 @@
  ')
  
  ########################################
@@ -101,10 +267,24 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.38/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-05-01 14:39:05.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/kernel/kernel.if	2006-05-05 10:10:12.000000000 -0400
-@@ -1413,7 +1413,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.2.40/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te	2006-04-28 22:50:56.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/files.te	2006-05-16 10:16:11.000000000 -0400
+@@ -181,6 +181,10 @@
+ fs_associate(file_type)
+ fs_associate_noxattr(file_type)
+ 
++ifdef(`targeted_policy', `
++	fs_associate_tmpfs(file_type)
++')
++
+ ########################################
+ #
+ # Rules for all tmp file types
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.40/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/kernel.if	2006-05-16 10:16:11.000000000 -0400
+@@ -1409,7 +1409,7 @@
  		type proc_t, sysctl_t, sysctl_kernel_t;
  	')
  
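Review bot: The new `fs_associate_tmpfs(file_type)` block in files.te lets every file type in the policy be associated with a tmpfs filesystem under `targeted_policy`, but it has no comment explaining which use case or denial motivated a rule this broad; add a why-comment above the `ifdef` naming it. The call is written `ifdef(`targeted_policy', `` with a space after the comma, while the other `ifdef(`targeted_policy',`` calls in this patch have none; keep the file's spacing consistent.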
@@ -113,9 +293,9 @@
  	allow $1 sysctl_t:dir r_dir_perms;
  	allow $1 sysctl_kernel_t:dir r_dir_perms;
  	allow $1 sysctl_kernel_t:file r_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.38/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.40/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-05-01 14:39:06.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/kernel/kernel.te	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/kernel.te	2006-05-16 10:16:11.000000000 -0400
 @@ -28,6 +28,7 @@
  
  ifdef(`enable_mls',`
@@ -124,19 +304,105 @@
  ')
  
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.38/policy/modules/kernel/mls.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.40/policy/modules/kernel/mls.te
 --- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-07 10:31:09.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/kernel/mls.te	2006-05-05 11:42:05.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/mls.te	2006-05-16 10:16:11.000000000 -0400
 @@ -62,4 +62,5 @@
  range_transition initrc_t auditd_exec_t s15:c0.c255;
  range_transition kernel_t init_exec_t s0 - s15:c0.c255;
  range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 +range_transition initrc_t setrans_exec_t s15:c0.c255;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.38/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te	2006-05-03 11:38:52.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/services/apache.te	2006-05-05 10:10:12.000000000 -0400
-@@ -454,11 +454,6 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.40/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-04-27 10:31:32.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/kernel/terminal.if	2006-05-16 10:16:11.000000000 -0400
+@@ -430,7 +430,7 @@
+ 		type devpts_t;
+ 	')
+ 
+-	dontaudit $1 devpts_t:chr_file { getattr read write };
++	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.40/policy/modules/services/amavis.fc
+--- nsaserefpolicy/policy/modules/services/amavis.fc	2006-03-07 16:19:28.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/amavis.fc	2006-05-16 10:16:11.000000000 -0400
+@@ -9,3 +9,4 @@
+ /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
+ /var/run/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_run_t,s0)
+ /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
++/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.40/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te	2006-05-08 09:53:05.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/amavis.te	2006-05-16 10:16:11.000000000 -0400
+@@ -31,6 +31,9 @@
+ type amavis_tmp_t;
+ files_tmp_file(amavis_tmp_t)
+ 
++type amavis_spool_t;
++files_type(amavis_spool_t)
++
+ # virus quarantine
+ type amavis_quarantine_t;
+ files_type(amavis_quarantine_t)
+@@ -40,7 +43,7 @@
+ # amavis local policy
+ #
+ 
+-allow amavis_t self:capability { chown dac_override setgid setuid };
++allow amavis_t self:capability { kill chown dac_override setgid setuid };
+ dontaudit amavis_t self:capability sys_tty_config;
+ allow amavis_t self:process { signal sigchld signull };
+ allow amavis_t self:fifo_file rw_file_perms;
+@@ -70,6 +73,11 @@
+ files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
+ files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
+ 
++# Spool Files
++files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
++allow amavis_t amavis_spool_t:dir manage_dir_perms;
++allow amavis_t amavis_spool_t:file manage_file_perms;
++
+ # log files
+ allow amavis_t amavis_var_log_t:file create_file_perms;
+ allow amavis_t amavis_var_log_t:sock_file create_file_perms;
+@@ -84,6 +92,7 @@
+ 
+ # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
+ kernel_dontaudit_list_proc(amavis_t)
++kernel_dontaudit_read_system_state(amavis_t)
+ 
+ # find perl
+ corecmd_exec_bin(amavis_t)
+@@ -115,6 +124,7 @@
+ 
+ init_use_fds(amavis_t)
+ init_use_script_ptys(amavis_t)
++init_stream_connect_script(amavis_t)
+ 
+ libs_use_ld_so(amavis_t)
+ libs_use_shared_libs(amavis_t)
+@@ -132,10 +142,15 @@
+ cron_use_system_job_fds(amavis_t)
+ cron_rw_pipes(amavis_t)
+ 
++kernel_read_kernel_sysctls(amavis_t)
++
+ mta_read_config(amavis_t)
+ 
++term_dontaudit_use_generic_ptys(amavis_t)
++
+ optional_policy(`
+ 	clamav_stream_connect(amavis_t)
++	clamscan_domtrans(amavis_t)
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.2.40/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/apache.te	2006-05-16 10:16:11.000000000 -0400
+@@ -427,11 +427,6 @@
  	yam_read_content(httpd_t)
  ')
  
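Review bot: The `kill` capability added to `allow amavis_t self:capability` in amavis.te breaks the alphabetical order the rest of the set keeps (`{ chown dac_override kill setgid setuid }`) and has no comment on what amavis needs to signal; since the domain already had `self:process { signal sigchld signull }`, a one-line note on the actual denial would help. The new `kernel_read_kernel_sysctls(amavis_t)` and `term_dontaudit_use_generic_ptys(amavis_t)` lines are placed between the cron_ and mta_ calls rather than next to the existing `kernel_dontaudit_*` lines and the init_ block; refpolicy groups calls by module prefix, so move them up. `clamscan_domtrans(amavis_t)` gives amavis a new domain transition into the scanner; a short comment next to it and the `clamav_stream_connect` line stating that both paths are intentional would be useful.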
@@ -148,7 +414,7 @@
  ########################################
  #
  # Apache helper local policy
-@@ -712,6 +707,10 @@
+@@ -672,6 +667,10 @@
  	mysql_rw_db_sockets(httpd_sys_script_t)
  ')
  
@@ -159,9 +425,48 @@
  ########################################
  #
  # Apache unconfined script local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.38/policy/modules/services/clamav.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.40/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te	2006-04-28 22:50:56.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/bind.te	2006-05-16 10:16:11.000000000 -0400
+@@ -127,6 +127,8 @@
+ 
+ domain_use_interactive_fds(named_t)
+ 
++dev_read_urand(named_t)
++
+ files_read_etc_files(named_t)
+ files_read_etc_runtime_files(named_t)
+ 
+@@ -139,6 +141,7 @@
+ logging_send_syslog_msg(named_t)
+ 
+ miscfiles_read_localization(named_t)
++miscfiles_read_certs(named_t)
+ 
+ sysnet_read_config(named_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.40/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-04-12 13:44:36.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/bluetooth.te	2006-05-16 10:16:11.000000000 -0400
+@@ -218,11 +218,14 @@
+ 
+ 	unconfined_stream_connect(bluetooth_helper_t)
+ 
+-	userdom_read_all_users_home_content_files(bluetooth_helper_t)
++	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
+ 
+ 	optional_policy(`
+ 		xserver_stream_connect_xdm(bluetooth_helper_t)
++		xserver_use_xdm_fds(bluetooth_helper_t)
++		xserver_rw_xdm_pipes(bluetooth_helper_t)
+ 	')
++	files_manage_generic_tmp_files(bluetooth_helper_t)
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.2.40/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/services/clamav.fc	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -1,6 +1,8 @@
  /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
  
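Review bot: bluetooth_helper_t in bluetooth.te moves from `userdom_read_all_users_home_content_files` to `userdom_manage_generic_user_home_content_files` and additionally gets `files_manage_generic_tmp_files`, i.e. create/write/delete access where it previously had read only, with no comment on the helper operation that needs it; add a why-comment so the widening can be re-checked later. The `files_manage_generic_tmp_files(bluetooth_helper_t)` line is placed after the xserver `optional_policy` block instead of with the other files_/userdom_ calls above it; move it up. In bind.te the new `dev_read_urand(named_t)` and `miscfiles_read_certs(named_t)` look like DNSSEC/TSIG support, but that is an inference; a comment naming the feature would confirm it.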
@@ -171,9 +476,9 @@
  
  /usr/sbin/clamd			--	gen_context(system_u:object_r:clamd_exec_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.38/policy/modules/services/clamav.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-2.2.40/policy/modules/services/clamav.if
 --- nsaserefpolicy/policy/modules/services/clamav.if	2006-03-07 16:19:28.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/services/clamav.if	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.if	2006-05-16 10:16:11.000000000 -0400
 @@ -61,3 +61,27 @@
  	files_search_etc($1)
  	allow $1 clamd_etc_t:file r_file_perms;
@@ -202,9 +507,9 @@
 +	allow clamscan_t $1:process sigchld;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.38/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.2.40/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/services/clamav.te	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/clamav.te	2006-05-16 10:16:11.000000000 -0400
 @@ -39,6 +39,10 @@
  type freshclam_exec_t;
  init_daemon_domain(freshclam_t, freshclam_exec_t)
@@ -261,9 +566,168 @@
 +optional_policy(`
 +	apache_read_sys_content(clamscan_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-2.2.38/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-2.2.40/policy/modules/services/cvs.if
+--- nsaserefpolicy/policy/modules/services/cvs.if	2006-02-10 17:05:19.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/cvs.if	2006-05-16 10:16:11.000000000 -0400
+@@ -17,3 +17,23 @@
+ 
+ 	allow $1 cvs_data_t:file { getattr read };
+ ')
++
++########################################
++## <summary>
++##	Allow the specified domain to execute cvs
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cvs_exec',`
++	gen_require(`
++		type cvs_exec_t;
++	')
++
++	can_exec($1,cvs_exec_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.40/policy/modules/services/cvs.te
+--- nsaserefpolicy/policy/modules/services/cvs.te	2006-03-24 11:15:50.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/cvs.te	2006-05-16 10:16:11.000000000 -0400
+@@ -8,6 +8,7 @@
+ 
+ type cvs_t;
+ type cvs_exec_t;
++corecmd_executable_file(cvs_exec_t)
+ inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+ role system_r types cvs_t;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.40/policy/modules/services/dovecot.te
+--- nsaserefpolicy/policy/modules/services/dovecot.te	2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/dovecot.te	2006-05-16 10:16:11.000000000 -0400
+@@ -95,6 +95,11 @@
+ domain_use_interactive_fds(dovecot_t)
+ 
+ files_read_etc_files(dovecot_t)
++
++# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
++files_read_etc_runtime_files(dovecot_t)
++files_getattr_all_mountpoints(dovecot_t)
++
+ files_search_spool(dovecot_t)
+ files_search_tmp(dovecot_t)
+ files_dontaudit_list_default(dovecot_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.40/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te	2006-04-19 12:23:07.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/ftp.te	2006-05-16 10:16:11.000000000 -0400
+@@ -149,6 +149,7 @@
+ 	userdom_manage_all_users_home_content_dirs(ftpd_t)
+ 	userdom_manage_all_users_home_content_files(ftpd_t)
+ 	userdom_manage_all_users_home_content_symlinks(ftpd_t)
++	allow ftpd_t self:capability { dac_override dac_read_search };
+ 
+ 	ifdef(`targeted_policy',`
+ 		userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.40/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te	2006-04-20 08:17:39.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/hal.te	2006-05-17 09:37:05.000000000 -0400
+@@ -51,9 +51,6 @@
+ kernel_rw_vm_sysctls(hald_t)
+ kernel_write_proc_files(hald_t)
+ 
+-files_search_boot(hald_t)
+-files_getattr_home_dir(hald_t)
+-
+ auth_read_pam_console_data(hald_t)
+ 
+ corecmd_exec_all_executables(hald_t)
+@@ -95,7 +92,8 @@
+ files_read_usr_files(hald_t)
+ # hal is now execing pm-suspend
+ files_create_boot_flag(hald_t)
+-files_getattr_default_dirs(hald_t)
++files_getattr_all_dirs(hald_t)
++files_read_kernel_img(hald_t)
+ 
+ fs_getattr_all_fs(hald_t)
+ fs_search_all(hald_t)
+@@ -154,7 +152,6 @@
+ 	term_dontaudit_use_unallocated_ttys(hald_t)
+ 	term_dontaudit_use_generic_ptys(hald_t)
+ 	files_dontaudit_read_root_files(hald_t)
+-	files_dontaudit_getattr_home_dir(hald_t)
+ ')
+ 
+ optional_policy(`
+@@ -164,10 +161,6 @@
+ ')
+ 
+ optional_policy(`
+-	automount_dontaudit_getattr_tmp_dirs(hald_t)
+-')
+-
+-optional_policy(`
+ 	bind_search_cache(hald_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.if serefpolicy-2.2.40/policy/modules/services/inn.if
+--- nsaserefpolicy/policy/modules/services/inn.if	2006-02-10 17:05:19.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/inn.if	2006-05-16 10:16:11.000000000 -0400
+@@ -16,7 +16,7 @@
+ 		type innd_t;
+ 	')
+ 
+-	can_exec($1,innd_t)
++	can_exec($1,innd_exec_t)
+ ')
+ 
+ ########################################
+@@ -156,3 +156,29 @@
+ 
+ 	allow $1 innd_t:unix_dgram_socket sendto;
+ ')
++
++
++########################################
++## <summary>
++##	Execute inn in the inn domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`inn_domtrans',`
++	gen_require(`
++		type innd_t, innd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domain_auto_trans($1,innd_exec_t,innd_t)
++
++	allow $1 innd_t:fd use;
++	allow innd_t $1:fd use;
++	allow innd_t $1:fifo_file rw_file_perms;
++	allow innd_t $1:process sigchld;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.2.40/policy/modules/services/nis.te
+--- nsaserefpolicy/policy/modules/services/nis.te	2006-05-04 12:51:36.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/nis.te	2006-05-16 10:16:11.000000000 -0400
+@@ -87,6 +87,7 @@
+ corenet_udp_bind_generic_port(ypbind_t)
+ corenet_tcp_bind_reserved_port(ypbind_t)
+ corenet_udp_bind_reserved_port(ypbind_t)
++corenet_tcp_bind_all_rpc_ports(ypbind_t)
+ corenet_tcp_connect_all_ports(ypbind_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-2.2.40/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/services/postgresql.te	2006-05-05 12:30:26.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/postgresql.te	2006-05-16 10:16:11.000000000 -0400
 @@ -41,6 +41,7 @@
  allow postgresql_t self:udp_socket create_stream_socket_perms;
  allow postgresql_t self:unix_dgram_socket create_socket_perms;
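Review bot: The new `allow ftpd_t self:capability { dac_override dac_read_search };` in ftp.te is undocumented and broader than the surrounding rules suggest is needed: `dac_override` lets ftpd write past file mode bits on every type it is already allowed to manage, which in this block is all users' home content (the three `userdom_manage_all_users_home_content_*` lines directly above it), while `dac_read_search` alone covers traversing and reading home directories whose modes exclude the ftp user. Either drop `dac_override` or record why it is required, e.g. `# ftpd must write to home content whose modes exclude the ftp user (dac_override) — confirm`. The indentation indicates these lines sit inside a tunable or optional block (presumably ftp_home_dir) whose opening is outside the hunk, so the capability is at least gated by that boolean; worth confirming. Elsewhere in this hunk the `inn_exec` fix from `can_exec($1,innd_t)` to `can_exec($1,innd_exec_t)` is correct, since can_exec takes the entrypoint file type, not the domain.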
@@ -272,9 +736,20 @@
  dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
  
  allow postgresql_t postgresql_db_t:dir create_dir_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.38/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.40/policy/modules/services/pyzor.fc
+--- nsaserefpolicy/policy/modules/services/pyzor.fc	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/pyzor.fc	2006-05-16 10:20:27.000000000 -0400
+@@ -5,3 +5,7 @@
+ 
+ /var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
+ /var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
++ifdef(`strict_policy',`
++HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.40/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2006-05-03 16:01:26.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/services/pyzor.if	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/pyzor.if	2006-05-16 10:16:11.000000000 -0400
 @@ -44,3 +44,37 @@
  	corecmd_search_bin($1)
  	can_exec($1,pyzor_exec_t)
@@ -313,9 +788,175 @@
 +	allow pyzord_t $1_pyzor_home_t:file create_file_perms;
 +	allow pyzord_t $1_pyzor_home_t:lnk_file create_lnk_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.38/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.40/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/rpc.te	2006-05-16 10:16:11.000000000 -0400
+@@ -65,6 +65,8 @@
+ files_manage_mounttab(rpcd_t)
+ 
+ miscfiles_read_certs(rpcd_t)
++dev_read_urand(rpcd_t)
++dev_read_rand(rpcd_t)
+ 
+ seutil_dontaudit_search_config(rpcd_t)
+ 
+@@ -83,7 +85,7 @@
+ # NFSD local policy
+ #
+ 
+-allow nfsd_t self:capability { sys_admin sys_resource };
++allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+ 
+ allow nfsd_t exports_t:file { getattr read };
+ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+@@ -114,6 +116,12 @@
+ portmap_tcp_connect(nfsd_t) 
+ portmap_udp_chat(nfsd_t)
+ 
++# Access to public_content_t and public_content_rw_t
++miscfiles_read_public_files(nfsd_t)
++tunable_policy(`allow_nfsd_anon_write',`
++	miscfiles_manage_public_files(nfsd_t)
++') 
++
+ tunable_policy(`nfs_export_all_rw',`
+ 	fs_read_noxattr_fs_files(nfsd_t) 
+ 	auth_manage_all_files_except_shadow(nfsd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.40/policy/modules/services/rsync.te
+--- nsaserefpolicy/policy/modules/services/rsync.te	2006-04-28 22:50:57.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/rsync.te	2006-05-16 10:16:11.000000000 -0400
+@@ -8,6 +8,7 @@
+ 
+ type rsync_t;
+ type rsync_exec_t;
++corecmd_executable_file(rsync_exec_t)
+ init_daemon_domain(rsync_t,rsync_exec_t)
+ role system_r types rsync_t;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.2.40/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/ssh.te	2006-05-16 10:16:11.000000000 -0400
+@@ -73,7 +73,7 @@
+ ifdef(`strict_policy',`
+ 	# so a tunnel can point to another ssh tunnel
+ 	allow sshd_t self:tcp_socket { acceptfrom connectto recvfrom };
+-
++	allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
+ 	allow sshd_t sshd_tmp_t:dir create_dir_perms;
+ 	allow sshd_t sshd_tmp_t:file create_file_perms;
+ 	allow sshd_t sshd_tmp_t:sock_file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-2.2.40/policy/modules/services/xfs.if
+--- nsaserefpolicy/policy/modules/services/xfs.if	2006-02-10 17:05:19.000000000 -0500
++++ serefpolicy-2.2.40/policy/modules/services/xfs.if	2006-05-16 10:21:41.000000000 -0400
+@@ -41,3 +41,22 @@
+ 	allow $1 xfs_tmp_t:sock_file write;
+ 	allow $1 xfs_t:unix_stream_socket connectto;
+ ')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to execute xfs
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xfs_exec',`
++	gen_require(`
++		type xfs_exec_t;
++	')
++	can_exec($1,xfs_exec_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.40/policy/modules/services/xfs.te
+--- nsaserefpolicy/policy/modules/services/xfs.te	2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xfs.te	2006-05-16 10:21:41.000000000 -0400
+@@ -34,6 +34,7 @@
+ allow xfs_t xfs_var_run_t:file create_file_perms;
+ allow xfs_t xfs_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
++xfs_exec(xfs_t)
+ 
+ # Bind to /tmp/.font-unix/fs-1.
+ # cjp: I do not believe this has an effect.
+@@ -49,6 +50,8 @@
+ 
+ term_dontaudit_use_console(xfs_t)
+ 
++corecmd_list_bin(xfs_t)
++corecmd_list_sbin(xfs_t)
+ domain_use_interactive_fds(xfs_t)
+ 
+ files_read_etc_files(xfs_t)
+@@ -91,3 +94,5 @@
+ optional_policy(`
+ 	udev_read_db(xfs_t)
+ ')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.40/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if	2006-05-03 11:38:54.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xserver.if	2006-05-16 10:16:11.000000000 -0400
+@@ -1073,3 +1073,41 @@
+ 
+ 	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
+ ')
++
++
++########################################
++## <summary>
++##	Use file descriptors for xdm.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`xserver_use_xdm_fds',`
++	gen_require(`
++		type xdm_t;
++	')
++
++	allow $1 xdm_t:fd use; 
++')
++
++########################################
++## <summary>
++##	Use file descriptors for xdm.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`xserver_rw_xdm_pipes',`
++	gen_require(`
++		type xdm_t;
++	')
++
++	allow $1 xdm_t:fifo_file { getattr read write }; 
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.40/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te	2006-04-20 08:17:39.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/services/xserver.te	2006-05-16 10:16:11.000000000 -0400
+@@ -311,6 +311,8 @@
+ 	allow xdm_t self:process { execheap execmem };
+ 	unconfined_domain(xdm_t)
+ 	unconfined_domtrans(xdm_t)
++	userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir })
++
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.40/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/system/hostname.te	2006-05-05 12:32:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/hostname.te	2006-05-16 10:16:11.000000000 -0400
 @@ -8,7 +8,10 @@
  
  type hostname_t;
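Review bot: In rpc.te the nfsd_t capability line now grants `dac_override` and `dac_read_search` unconditionally, at top level rather than inside the `nfs_export_all_rw` tunable that gates the other broad file access (`fs_read_noxattr_fs_files`, `auth_manage_all_files_except_shadow`) below it, so rpc.nfsd bypasses DAC on everything its type rules already permit even with that boolean off. If the capabilities exist only to serve exports whose modes exclude the daemon, moving them into the `nfs_export_all_rw` block, or at least adding a why-comment such as `# serve exported files whose mode bits exclude nfsd — confirm`, keeps the default profile tight. The new `tunable_policy(`allow_nfsd_anon_write', …)` also depends on a `gen_tunable(allow_nfsd_anon_write, false)` declaration that is not visible in this hunk; if it is not declared in rpc.te or global_tunables the module will not build. Separately, in xserver.if the second interface `xserver_rw_xdm_pipes` copies the summary `Use file descriptors for xdm.` from the first; it should read `Read and write xdm fifo files.`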
@@ -328,9 +969,38 @@
  role system_r types hostname_t;
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.38/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-05-05 09:51:43.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/init.te	2006-05-05 10:10:12.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.2.40/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/init.if	2006-05-16 10:16:11.000000000 -0400
+@@ -772,6 +772,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow the specified domain to read/write to
++##	init scripts with a unix socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_stream_rw_script',`
++	gen_require(`
++		type initrc_t;
++	')
++
++	allow $1 initrc_t:unix_stream_socket { read write };
++')
++
++########################################
++## <summary>
+ ##	Dont audit the specified domain connecting to
+ ##	init scripts with a unix domain stream socket.
+ ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.40/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/init.te	2006-05-16 10:16:11.000000000 -0400
 @@ -350,6 +350,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
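Review bot: The summary of the new `init_stream_rw_script` interface, `Allow the specified domain to read/write to init scripts with a unix socket.`, misdescribes the rule it wraps: `allow $1 initrc_t:unix_stream_socket { read write };` permits reading and writing an initrc_t stream socket the caller already holds (for example one inherited across exec), not connecting to one, which remains with the stream-connect interfaces. Suggest `Read and write unix domain stream sockets of init scripts (no connectto).` so callers do not reach for this interface when they actually need a connect rule. The interface is placed by reusing the existing banner and `## <summary>` line of the dontaudit interface that follows, which is fine since a fresh banner is added for it.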
@@ -339,10 +1009,19 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.38/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.40/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/libraries.fc	2006-05-07 06:24:48.000000000 -0400
-@@ -55,6 +55,7 @@
++++ serefpolicy-2.2.40/policy/modules/system/libraries.fc	2006-05-16 10:16:11.000000000 -0400
+@@ -40,6 +40,8 @@
+ /opt/(.*/)?lib64/.*\.so\.[^/]*		--	gen_context(system_u:object_r:shlib_t,s0)
+ /opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/(.*/)?jre.*/libawt.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ ifdef(`distro_gentoo',`
+ /opt/netscape/plugins/libflashplayer.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -55,6 +57,7 @@
  # /usr
  #
  /usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
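Review bot: The new netbeans entry `/opt/netbeans(.*/)?jdk.*/linux/.*.so(\.[^/]*)*` leaves the dot before `so` unescaped, so it matches any regular file whose name has `so` at that position (e.g. `foo-also`), not only shared objects. Because the line assigns `textrel_shlib_t`, the label that permits text relocations (execmod) for mapping domains, an over-broad match silently extends that exemption to non-library files; it should be `/opt/netbeans(.*/)?jdk.*/linux/.*\.so(\.[^/]*)*`. The `libawt.so` entry above it follows the pre-existing unescaped `libjvm.so`/`libdeploy.so` style, which has the same weakness but is not introduced here.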
@@ -350,7 +1029,36 @@
  
  /usr/(.*/)?java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
-@@ -183,6 +184,7 @@
+@@ -73,6 +76,7 @@
+ 
+ /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
+ 
++/usr/lib(64)?/xulrunner-[^/]*/libxul.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ati-fglrx/.*\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -121,6 +125,7 @@
+ /usr/lib(64)?/helix/codecs/colorcvt\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/helix/codecs/cvt1\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/modules/dri/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/dri/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -172,9 +177,9 @@
+ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
+ /usr/lib(64)?.*/libmpg123\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavformat-.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavcodec-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavutil-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xine/plugins/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -183,6 +188,7 @@
  # Flash plugin, Macromedia
  HOME_DIR/.*/plugins/libflashplayer\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
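Review bot: `/usr/lib(64)?/xulrunner-[^/]*/libxul.so` has an unescaped `.` before `so` and no versioned-suffix tail, so it matches `libxul` plus any one character plus `so` but not a `libxul.so.1`; every neighbouring entry spells the suffix as `\.so(\.[^/]*)*` or `\.so.*`. Since the line hands out `textrel_shlib_t` (the execmod exemption), the pattern should be exact: `/usr/lib(64)?/xulrunner-[^/]*/libxul\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The three libav* lines later in this same hunk are corrected in exactly that style, so this one is the odd one out.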
@@ -358,10 +1066,22 @@
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.38/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/logging.if	2006-05-05 10:18:03.000000000 -0400
-@@ -399,3 +399,24 @@
+@@ -197,8 +203,11 @@
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?(.*/)?jre.*/libjvm.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?(.*/)?jre.*/libawt.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/(local/)?acroread/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.40/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/logging.if	2006-05-16 10:16:11.000000000 -0400
+@@ -459,3 +459,100 @@
  	allow $1 var_log_t:dir rw_dir_perms;
  	allow $1 var_log_t:file create_file_perms;
  ')
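Review bot: `/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` labels every regular file under `sidecars/` as a text-relocating shared library, whereas every other Adobe/acroread entry in this block constrains the name with `nppdf\.so` or `[^/]*\.so(\.[^/]*)*`. textrel_shlib_t is the label that lets mapping domains apply `execmod`, so it should be limited to the objects that need it; if the sidecar plugins really are all `.so` files (cannot tell from here), `sidecars/.*\.so(\.[^/]*)*` gives the same effect with a tighter match. A one-line comment such as `# Acrobat plugin sidecars need text relocations` would help the next audit of this file.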
@@ -386,9 +1106,85 @@
 +	allow $1 auditd_log_t:file create_file_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.38/policy/modules/system/logging.te
++
++
++########################################
++## <summary>
++##	Manage the auditd configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_manage_audit_config',`
++	gen_require(`
++		type auditd_etc_t;
++	')
++
++	files_search_etc($1)
++	allow $1 auditd_etc_t:file create_file_perms;
++')
++
++########################################
++## <summary>
++##	Execute auditd in the auditd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_domtrans_auditd',`
++	gen_require(`
++		type auditd_t, auditd_exec_t;
++	')
++
++	domain_auto_trans($1,auditd_exec_t,auditd_t)
++
++	allow $1 auditd_t:fd use;
++	allow auditd_t $1:fd use;
++	allow auditd_t $1:fifo_file rw_file_perms;
++	allow auditd_t $1:process sigchld;
++')
++
++########################################
++## <summary>
++##	Execute auditd in the auditd domain, and
++##	allow the specified role the auditd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the auditd domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the auditd domain to use.
++##	</summary>
++## </param>
++#
++interface(`logging_run_auditd',`
++	gen_require(`
++		type auditd_t;
++	')
++
++	logging_domtrans_auditd($1)
++	role $2 types auditd_t;
++	allow auditd_t $3:chr_file rw_term_perms;
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.40/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2006-04-27 10:31:33.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/logging.te	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/logging.te	2006-05-16 10:16:11.000000000 -0400
 @@ -14,10 +14,14 @@
  role system_r types auditctl_t;
  
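Review bot: `logging_manage_audit_config` grants only `allow $1 auditd_etc_t:file create_file_perms;`, while the manage interface at the top of this hunk pairs its file rule with `var_log_t:dir rw_dir_perms`; if the `/etc/audit` directory itself carries auditd_etc_t (not visible here), callers can rewrite audit.rules in place but cannot create, rename or unlink files in it, so `allow $1 auditd_etc_t:dir rw_dir_perms;` is probably wanted. Because this type holds the audit rule set, the summary should say what the caller gains: `Create, read, write and delete auditd configuration files (the audit rule set); grant only to audit administration domains.` `logging_domtrans_auditd` also omits the `corecmd_search_bin($1)` that `inn_domtrans` in this same patch includes; most callers have it already, but adding it keeps the two domtrans interfaces consistent. The doubled blank lines around the new interfaces can be collapsed to one, matching the rest of the file.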
@@ -404,9 +1200,20 @@
  
  type auditd_t;
  # real declaration moved to mls until
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.38/policy/modules/system/mount.te
+@@ -72,6 +76,10 @@
+ 
+ allow auditctl_t auditd_etc_t:file r_file_perms;
+ 
++# Needed for adding watches
++files_getattr_all_dirs(auditctl_t)
++files_read_etc_files(auditctl_t)
++
+ kernel_read_kernel_sysctls(auditctl_t)
+ kernel_read_proc_symlinks(auditctl_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.40/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/mount.te	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/mount.te	2006-05-16 10:16:11.000000000 -0400
 @@ -169,4 +169,8 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
@@ -416,13 +1223,55 @@
 +		auth_read_all_files_except_shadow(mount_t)
 +	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.38/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-05-03 16:26:08.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/selinuxutil.te	2006-05-05 10:58:47.000000000 -0400
-@@ -570,6 +570,12 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.40/policy/modules/system/selinuxutil.fc
+--- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/selinuxutil.fc	2006-05-16 12:45:55.000000000 -0400
+@@ -37,6 +37,8 @@
+ /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
+ /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+ /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+ 
+ ifdef(`distro_debian', `
+ /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.40/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/selinuxutil.te	2006-05-16 14:36:58.000000000 -0400
+@@ -526,6 +526,8 @@
+ #
+ 
+ allow semanage_t self:unix_stream_socket create_stream_socket_perms;
++allow semanage_t self:unix_dgram_socket create_socket_perms;
++allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ 
+ allow semanage_t policy_config_t:file { read write };
+ 
+@@ -535,10 +537,18 @@
+ corecmd_exec_bin(semanage_t)
+ corecmd_exec_sbin(semanage_t)
+ 
++dev_read_urand(semanage_t)
++
+ files_read_etc_files(semanage_t)
+ files_read_usr_files(semanage_t)
+ files_list_pids(semanage_t)
+ 
++logging_send_syslog_msg(semanage_t)
++
++miscfiles_read_localization(semanage_t)
++
++selinux_set_boolean(semanage_t)
++
+ mls_file_write_down(semanage_t)
+ mls_rangetrans_target(semanage_t)
+ mls_file_read_up(semanage_t)
+@@ -563,6 +573,14 @@
  seutil_get_semanage_trans_lock(semanage_t)
  seutil_get_semanage_read_lock(semanage_t)
  
++userdom_search_sysadm_home_dirs(semanage_t)
++
 +ifdef(`targeted_policy',`
 +# Handle pp files created in homedir and /tmp
 +	userdom_read_generic_user_home_content_files(semanage_t)
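Review bot: The new `allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` lets semanage_t send user audit messages, but the kernel additionally requires CAP_AUDIT_WRITE for AUDIT_USER-range messages and no `allow semanage_t self:capability audit_write;` appears in this hunk; unless it is granted elsewhere in selinuxutil.te, the audit record for setsebool/semanage changes is refused and the change goes unlogged. Labeling `/usr/sbin/setsebool` as semanage_exec_t also means a boolean flip now runs in a domain that can write policy_config_t (see the `allow semanage_t policy_config_t:file { read write };` context line) and drive the module store, which is far more than `selinux_set_boolean` needs; if the reason is that `setsebool -P` updates the policy store, a comment saying so next to the .fc entry (`# setsebool -P writes the booleans file in the policy store`) would record it. The `userdom_search_sysadm_home_dirs(semanage_t)` line is a reasonable strict-policy counterpart to the targeted-only home-content read rules below it.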
@@ -432,17 +1281,17 @@
  optional_policy(`
  	nscd_socket_use(semanage_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.2.38/policy/modules/system/setrans.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.2.40/policy/modules/system/setrans.fc
 --- nsaserefpolicy/policy/modules/system/setrans.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/system/setrans.fc	2006-05-05 12:08:58.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.fc	2006-05-16 10:16:11.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
 +
 +/var/run/setrans(/.*)?	gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-2.2.38/policy/modules/system/setrans.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-2.2.40/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/system/setrans.if	2006-05-05 12:21:52.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/setrans.if	2006-05-16 10:16:11.000000000 -0400
 @@ -0,0 +1,24 @@
 +## <summary>Policy for setrans.</summary>
 +
@@ -468,10 +1317,10 @@
 +	allow $1 setrans_var_run_t:sock_file rw_file_perms;
 +	allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.38/policy/modules/system/setrans.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.40/policy/modules/system/setrans.te
 --- nsaserefpolicy/policy/modules/system/setrans.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.38/policy/modules/system/setrans.te	2006-05-05 11:51:50.000000000 -0400
-@@ -0,0 +1,65 @@
++++ serefpolicy-2.2.40/policy/modules/system/setrans.te	2006-05-16 10:16:11.000000000 -0400
+@@ -0,0 +1,71 @@
 +
 +policy_module(setrans,1.0.0)
 +
@@ -499,9 +1348,13 @@
 +#
 +
 +init_use_fds(setrans_t)
++init_dontaudit_use_script_ptys(setrans_t)
++
 +kernel_read_kernel_sysctls(setrans_t)
 +kernel_read_proc_symlinks(setrans_t)
-+allow setrans_t self:process signal_perms;
++
++allow setrans_t self:capability sys_resource;
++allow setrans_t self:process { setrlimit setcap signal_perms };
 +
 +libs_use_ld_so(setrans_t)
 +libs_use_shared_libs(setrans_t)
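Review bot: `allow setrans_t self:capability sys_resource;` and `allow setrans_t self:process { setrlimit setcap signal_perms };` arrive without a why-comment, and sys_resource is a broad capability (raising hard rlimits, overriding quota and reserved-space checks) for a context translation daemon. If mcstransd only raises its own soft limits at startup, `setrlimit` alone suffices and sys_resource can be dropped; otherwise the reason belongs next to the rule, e.g. `# mcstransd raises RLIMIT_NOFILE above the hard limit — confirm`. `setcap` likewise lets the process change its own capability sets and deserves a comment naming the call that triggers it, so the next reviewer can tell it is not leftover from an earlier, less confined version.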
@@ -525,6 +1378,8 @@
 +
 +selinux_compute_access_vector(setrans_t)
 +
++term_dontaudit_use_generic_ptys(setrans_t)
++
 +files_read_etc_runtime_files(setrans_t)
 +
 +# allow performing getpidcon() on all processes
@@ -537,9 +1392,102 @@
 +can_exec(setrans_t, setrans_exec_t)
 +
 +logging_send_syslog_msg(setrans_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.38/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.40/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/sysnetwork.te	2006-05-16 10:16:11.000000000 -0400
+@@ -86,6 +86,8 @@
+ allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
+ allow ifconfig_t dhcpc_t:process sigchld;
+ 
++dev_read_urand(ifconfig_t)
++
+ kernel_read_system_state(dhcpc_t)
+ kernel_read_network_state(dhcpc_t)
+ kernel_read_kernel_sysctls(dhcpc_t)
+@@ -249,6 +251,9 @@
+ optional_policy(`
+ 	xen_append_log(dhcpc_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
++	kernel_read_xen_state(dhcpc_t)
++	kernel_write_xen_state(dhcpc_t)
++
+ ')
+ 
+ ########################################
+@@ -349,4 +354,6 @@
+ optional_policy(`
+ 	xen_append_log(ifconfig_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
++	kernel_read_xen_state(ifconfig_t)
++	kernel_write_xen_state(ifconfig_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.40/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/unconfined.if	2006-05-16 10:16:11.000000000 -0400
+@@ -431,3 +431,24 @@
+ 		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ 	')
+ ')
++
++########################################
++## <summary>
++##	Connect to the the unconfined DBUS
++##	for service (acquire_svc).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_dbus_connect_bus',`
++	gen_require(`
++		type unconfined_t;
++		class dbus acquire_svc;
++	')
++
++	allow $1 unconfined_t:dbus acquire_svc;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.40/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/unconfined.te	2006-05-16 17:11:10.000000000 -0400
+@@ -65,6 +65,10 @@
+ 	')
+ 
+ 	optional_policy(`
++		inn_domtrans(unconfined_t)
++	')
++
++	optional_policy(`
+ 		init_dbus_chat_script(unconfined_t)
+ 
+ 		dbus_stub(unconfined_t)
+@@ -103,6 +107,10 @@
+ 	')
+ 
+ 	optional_policy(`
++		unconfined_execmem_domtrans(unconfined_t)
++	')
++
++	optional_policy(`
+ 		lpd_domtrans_checkpc(unconfined_t)
+ 	')
+ 
+@@ -115,6 +123,10 @@
+ 	')
+ 
+ 	optional_policy(`
++		prelink_domtrans(unconfined_t)
++	')
++
++	optional_policy(`
+ 		portmap_domtrans_helper(unconfined_t)
+ 	')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.40/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-05-03 11:38:54.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/userdomain.if	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/userdomain.if	2006-05-16 16:52:56.000000000 -0400
 @@ -4794,3 +4794,26 @@
  	allow $1 user_home_dir_t:dir create_dir_perms;
  	files_home_filetrans($1,user_home_dir_t,dir)
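Review bot: The summary of the new `unconfined_dbus_connect_bus` interface in unconfined.if reads "Connect to the the unconfined DBUS", a doubled word, and the interface is followed by a stray blank line before the next `diff` header; the summary should read `##	Connect to the unconfined DBUS` and the trailing blank line dropped. Functionally the interface grants any caller `acquire_svc` on unconfined_t's bus, which is what the 2.2.38-5 changelog entry "Add acquire service for mono" describes, so the interface doc should name that use rather than leaving it generic. The sysnetwork.te part of this hunk also gives dhcpc_t and ifconfig_t `kernel_write_xen_state`, which is a write grant from network-configuration domains into xen kernel state; it is inside `optional_policy` so it only applies when the xen module is present, but a short comment on why the write (not just read) is required would help later audits.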
@@ -567,10 +1515,18 @@
 +	allow $1 user_home_t:file r_file_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.38/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-05 09:51:43.000000000 -0400
-+++ serefpolicy-2.2.38/policy/modules/system/userdomain.te	2006-05-05 10:18:16.000000000 -0400
-@@ -67,6 +67,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.40/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-05-16 09:44:06.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/userdomain.te	2006-05-16 16:13:10.000000000 -0400
+@@ -6,6 +6,7 @@
+ 
+ 	ifdef(`enable_mls',`
+ 		role secadm_r;
++		role auditadm_r;
+ 	')
+ ')
+ 
+@@ -67,6 +68,7 @@
  	# Define some type aliases to help with compatibility with
  	# macros and domains from the "strict" policy.
  	unconfined_alias_domain(secadm_t)
@@ -578,7 +1534,7 @@
  	unconfined_alias_domain(sysadm_t)
  
  	# User home directory type.
-@@ -82,6 +83,7 @@
+@@ -82,6 +84,7 @@
  
  	# compatibility for switching from strict
  #	dominance { role secadm_r { role system_r; }}
@@ -586,7 +1542,7 @@
  #	dominance { role sysadm_r { role system_r; }}
  #	dominance { role user_r { role system_r; }}
  #	dominance { role staff_r { role system_r; }}
-@@ -105,9 +107,10 @@
+@@ -105,9 +108,10 @@
  
  	ifdef(`enable_mls',`
  		allow secadm_r system_r;
@@ -598,11 +1554,15 @@
  	')
  
  	optional_policy(`
-@@ -128,8 +131,19 @@
+@@ -127,9 +131,22 @@
+ 	role_change(staff, sysadm)
  
  	ifdef(`enable_mls',`
- 		admin_user_template(secadm)
-+		admin_user_template(auditadm)
+-		admin_user_template(secadm)
++#		admin_user_template(secadm)
++#		admin_user_template(auditadm)
++		unpriv_user_template(secadm)
++		unpriv_user_template(auditadm)
 +
 +		role_change(staff,auditadm)
  		role_change(staff,secadm)
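Review bot: The hunk leaves `#		admin_user_template(secadm)` and `#		admin_user_template(auditadm)` as commented-out lines next to the `unpriv_user_template(secadm)` / `unpriv_user_template(auditadm)` calls that replace them; dead policy lines mislead readers into thinking the admin template is still an option. Either delete them or replace them with a comment stating the reason for the change, since moving secadm from the admin template to the unprivileged template is a visible reduction of what the MLS security administrator can do and the changelog (L1855) only says "Update from upstream". The enclosing `ifdef(`enable_mls'` block continues past the end of this hunk.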
@@ -618,22 +1578,55 @@
  	')
  
  	# this should be tunable_policy, but
-@@ -179,10 +193,13 @@
+@@ -174,17 +191,32 @@
+ 	ifdef(`enable_mls',`
+ 		corecmd_exec_shell(secadm_t)
+ 		mls_process_read_up(secadm_t)
++		mls_file_read_up(secadm_t)
+ 		mls_file_write_down(secadm_t)
+ 		mls_file_upgrade(secadm_t)
  		mls_file_downgrade(secadm_t)
  		init_exec(secadm_t)
  		logging_read_audit_log(secadm_t)
 -		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
  		userdom_dontaudit_append_staff_home_content_files(secadm_t)
- 		files_relabel_all_files(secadm_t)
+-		files_relabel_all_files(secadm_t)
++	        auth_relabel_all_files_except_shadow(secadm_t)
  		auth_relabel_shadow(secadm_t)
++		domain_obj_id_change_exemption(secadm_t)
++	        logging_read_generic_logs(secadm_t)
 +
++		domain_kill_all_domains(auditadm_t)
++	        seutil_read_bin_policy(auditadm_t)
 +		corecmd_exec_shell(auditadm_t)
++	        logging_read_generic_logs(auditadm_t)
 +		logging_manage_audit_log(auditadm_t)
++		logging_manage_audit_config(auditadm_t)
 +		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
++		logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
++		init_exec_script_files(auditadm_t)
++		files_manage_generic_locks(auditadm_t)
++		mls_file_write_down(auditadm_t)
  	', `
- 		logging_read_audit_log(sysadm_t)
+-		logging_read_audit_log(sysadm_t)
++		logging_manage_audit_log(sysadm_t)
++		logging_manage_audit_config(sysadm_t)
  		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
-@@ -240,6 +257,7 @@
+ 	')
+ 
+@@ -240,10 +272,19 @@
+ 	')
+ 
+ 	optional_policy(`
++		rsync_exec(sysadm_t)
++	')
++
++	optional_policy(`
++		cvs_exec(sysadm_t)
++	')
++
++	optional_policy(`
+ 		consoletype_exec(sysadm_t)
  
  		ifdef(`enable_mls',`
  			consoletype_exec(secadm_t)
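Review bot: In the non-MLS branch, `logging_read_audit_log(sysadm_t)` is replaced by `logging_manage_audit_log(sysadm_t)` and `logging_manage_audit_config(sysadm_t)`, so sysadm_t can now modify and delete the audit trail and its configuration rather than only read it; this removes a policy-level integrity boundary for the audit log on non-MLS systems and deserves an explicit comment such as `# sysadm may manage (not only read) audit logs and config in non-MLS policy` and a changelog line, neither of which the commit adds. In the MLS branch, `domain_kill_all_domains(auditadm_t)` and `mls_file_write_down(auditadm_t)` extend the audit administrator well beyond audit management, which is at least worth a note on why the audit role needs to signal every domain. Separately, the lines `auth_relabel_all_files_except_shadow(secadm_t)`, `logging_read_generic_logs(secadm_t)`, `seutil_read_bin_policy(auditadm_t)` and `logging_read_generic_logs(auditadm_t)` are indented with a tab plus eight spaces while their neighbours use tabs only; they should use the same tab indentation.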
@@ -641,7 +1634,7 @@
  		')
  	')
  
-@@ -258,6 +276,7 @@
+@@ -262,6 +303,7 @@
  
  		ifdef(`enable_mls',`
  			dmesg_exec(secadm_t)
@@ -649,19 +1642,106 @@
  		')
  	')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.38/policy/rolemap
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.40/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.fc	2006-05-16 10:16:11.000000000 -0400
+@@ -13,5 +13,6 @@
+ 
+ /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+ /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
++/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.40/policy/modules/system/xen.if
+--- nsaserefpolicy/policy/modules/system/xen.if	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.if	2006-05-16 10:16:11.000000000 -0400
+@@ -127,3 +127,4 @@
+ 	allow xm_t:$1:fifo_file rw_file_perms;
+ 	allow xm_t $1:process sigchld;
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.40/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te	2006-05-03 16:26:08.000000000 -0400
++++ serefpolicy-2.2.40/policy/modules/system/xen.te	2006-05-16 10:16:11.000000000 -0400
+@@ -77,7 +77,7 @@
+ # pid file
+ allow xend_t xend_var_run_t:file manage_file_perms;
+ allow xend_t xend_var_run_t:sock_file manage_file_perms;
+-allow xend_t xend_var_run_t:dir rw_dir_perms;
++allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
+ files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+ 
+ # log files
+@@ -92,6 +92,10 @@
+ allow xend_t xend_var_lib_t:dir create_dir_perms;
+ files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
+ 
++optional_policy(`
++	consoletype_domtrans(xend_t)
++')
++
+ # transition to store
+ domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+ allow xenstored_t xend_t:fd use;
+@@ -153,8 +157,6 @@
+ sysnet_delete_dhcpc_pid(xend_t)
+ sysnet_read_dhcpc_pid(xend_t)
+ 
+-consoletype_exec(xend_t)
+-
+ xen_stream_connect_xenstore(xend_t)
+ 
+ ########################################
+@@ -180,6 +182,7 @@
+ 
+ term_create_pty(xenconsoled_t,xen_devpts_t);
+ term_dontaudit_use_generic_ptys(xenconsoled_t)
++term_use_console(xenconsoled_t)
+ 
+ init_use_fds(xenconsoled_t)
+ 
+@@ -198,6 +201,7 @@
+ 
+ allow xenstored_t self:capability { dac_override mknod ipc_lock };
+ allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
++allow xenstored_t self:unix_dgram_socket create_socket_perms;
+ 
+ # pid file
+ allow xenstored_t xenstored_var_run_t:file manage_file_perms;
+@@ -220,12 +224,15 @@
+ dev_rw_xen(xenstored_t)
+ 
+ term_dontaudit_use_generic_ptys(xenstored_t)
++term_dontaudit_use_console(xenconsoled_t)
+ 
+ init_use_fds(xenstored_t)
+ 
+ libs_use_ld_so(xenstored_t)
+ libs_use_shared_libs(xenstored_t)
+ 
++logging_send_syslog_msg(xenstored_t)
++
+ miscfiles_read_localization(xenstored_t)
+ 
+ xen_append_log(xenstored_t)
+@@ -263,3 +270,4 @@
+ xen_append_log(xm_t)
+ xen_stream_connect(xm_t)
+ xen_stream_connect_xenstore(xm_t)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.40/policy/rolemap
 --- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.38/policy/rolemap	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/rolemap	2006-05-16 10:16:11.000000000 -0400
 @@ -15,5 +15,6 @@
  
  	ifdef(`enable_mls',`
  		secadm_r secadm secadm_t
-+		auditadm_t auditadm auditadm_t
++		auditadm_r auditadm auditadm_t
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.38/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.40/policy/users
 --- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.38/policy/users	2006-05-05 10:10:12.000000000 -0400
++++ serefpolicy-2.2.40/policy/users	2006-05-16 10:16:11.000000000 -0400
 @@ -29,7 +29,7 @@
  gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`
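Review bot: `term_dontaudit_use_console(xenconsoled_t)` is inserted into the xenstored_t block of xen.te, between `term_dontaudit_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`, and the same hunk already grants `term_use_console(xenconsoled_t)` a few lines earlier, so a dontaudit for xenconsoled_t there is a no-op; this looks like a copy-paste slip and was presumably meant to be `term_dontaudit_use_console(xenstored_t)`. The rolemap line `auditadm_r auditadm auditadm_t` corrects the earlier `auditadm_t auditadm auditadm_t` entry, which is good. The hunk also appends a bare trailing blank line at the end of both xen.if and xen.te; those are whitespace noise and should be dropped.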


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/selinux-policy.spec,v
retrieving revision 1.167
retrieving revision 1.168
diff -u -r1.167 -r1.168
--- selinux-policy.spec	8 May 2006 19:32:05 -0000	1.167
+++ selinux-policy.spec	17 May 2006 13:57:47 -0000	1.168
@@ -15,7 +15,7 @@
 %define CHECKPOLICYVER 1.30.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.38
+Version: 2.2.40
 Release: 1.fc5
 License: GPL
 Group: System Environment/Base
@@ -34,7 +34,7 @@
 Source13: policygentool
 
 Url: http://serefpolicy.sourceforge.net
-BuildRoot: %{_tmppath}/serefpolicy-buildroot
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
 PreReq: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -68,25 +68,25 @@
 %define installCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT POLY=%3 install \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT POLY=%3 install-appconfig \
-#%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%1/ \
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/policy \
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/active \
-%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/contexts/files \
-touch $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
-touch $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%3 install \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%3 install-appconfig \
+#%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \
+%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
+%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \
+%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
+touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
+touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3  enableaudit \
 make -W base.conf NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
-install -m0644 base.pp ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/enableaudit.pp \
-rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/booleans \
-touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/seusers \
-touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
-touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
-touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
-touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
-install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%1/setrans.conf \
-ln -sf ../devel/include ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/include \
+install -m0644 base.pp %{buildroot}%{_usr}/share/selinux/%1/enableaudit.pp \
+rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
+install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
+ln -sf ../devel/include %{buildroot}%{_usr}/share/selinux/%1/include \
 %nil
 
 %define fileList() \
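Review bot: The conversion from `$RPM_BUILD_ROOT` to `%{buildroot}` stops short of `install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf ...`, which still uses the shell variable while every other path in the macro now uses rpm macros; for consistency that should be `install -m0644 %{_sourcedir}/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \`. Unchanged but worth a comment: `%3` is passed as both `DIRECT_INITRC=%3` and `POLY=%3` on every make line of `installCmds`, so callers cannot set the two independently; a comment on the `%define installCmds()` line saying that the third argument drives both would prevent surprises.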
@@ -153,25 +153,25 @@
 
 %install
 # Build targeted policy
-%{__rm} -fR $RPM_BUILD_ROOT
-mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8/
-install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
-mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux
-mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
-touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/config
-touch $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/selinux
+%{__rm} -fR %{buildroot}
+mkdir -p %{buildroot}%{_mandir}/man8/
+install -m 644 man/man8/*.8 %{buildroot}%{_mandir}/man8/
+mkdir -p %{buildroot}%{_sysconfdir}/selinux
+mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
+touch %{buildroot}%{_sysconfdir}/selinux/config
+touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 
 # Install devel
 make clean
-make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=$RPM_BUILD_ROOT PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
-mkdir ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/
-mv ${RPM_BUILD_ROOT}%{_usr}/share/selinux/targeted/include ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/include
-rm -f ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/include/include
-install -m 755 ${RPM_SOURCE_DIR}/policygentool ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/
-install -m 644 ${RPM_SOURCE_DIR}/Makefile.devel ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/Makefile
-install -m 644 doc/example.* ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/
-echo  "htmlview file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/policyhelp
-chmod +x ${RPM_BUILD_ROOT}%{_usr}/share/selinux/devel/policyhelp
+make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
+mkdir %{buildroot}%{_usr}/share/selinux/devel/
+mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
+rm -f %{buildroot}%{_usr}/share/selinux/devel/include/include
+install -m 755 ${RPM_SOURCE_DIR}/policygentool %{buildroot}%{_usr}/share/selinux/devel/
+install -m 644 ${RPM_SOURCE_DIR}/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
+install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
+echo  "htmlview file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
+chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
 
 %if %{BUILD_TARGETED}
 # Build targeted policy
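Review bot: The rewritten `make NAME=targeted TYPE=targeted-mcs ... PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs` line in `%install` still passes `POLY=%3`, but `%3` is only meaningful inside a parametric macro such as `installCmds`; here it is presumably not substituted and make receives a literal value, so the line should pass an explicit `POLY=y` or `POLY=n` (whichever the devel headers are meant to use). The `mkdir %{buildroot}%{_usr}/share/selinux/devel/` line lacks `-p`, so a rerun of the section after a partial build fails; `mkdir -p` matches the other directory creations in the same section. The two `install ... ${RPM_SOURCE_DIR}/...` lines are also the last remaining shell-variable paths after the macro conversion and could use `%{_sourcedir}`.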
@@ -196,7 +196,7 @@
 %endif
 
 %clean
-%{__rm} -fR $RPM_BUILD_ROOT
+%{__rm} -fR %{buildroot}
 
 %post
 if [ ! -s /etc/selinux/config ]; then
@@ -326,6 +326,35 @@
 %endif
 
 %changelog
+* Wed May 17 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1.fc5
+- Bump for fc5
+
+* Tue May 16 2006 Dan Walsh <dwalsh at redhat.com> 2.2.40-1
+- Update from upstream
+
+* Mon May 15 2006 Dan Walsh <dwalsh at redhat.com> 2.2.39-2
+- Fixes for amavis
+
+* Mon May 15 2006 Dan Walsh <dwalsh at redhat.com> 2.2.39-1
+- Update from upstream
+
+* Fri May 12 2006 Dan Walsh <dwalsh at redhat.com> 2.2.38-6
+- Allow auditctl to search all directories
+
+* Thu May 11 2006 Dan Walsh <dwalsh at redhat.com> 2.2.38-5
+- Add acquire service for mono.
+
+* Thu May 11 2006 Dan Walsh <dwalsh at redhat.com> 2.2.38-4
+- Turn off allow_execmem boolean
+- Allow ftp dac_override when allowed to access users homedirs
+
+* Wed May 10 2006 Dan Walsh <dwalsh at redhat.com> 2.2.38-3
+- Clean up spec file
+- Transition from unconfined_t to prelink_t
+
+* Mon May 8 2006 Dan Walsh <dwalsh at redhat.com> 2.2.38-2
+- Allow execution of cvs command
+
 * Mon May 8 2006 Dan Walsh <dwalsh at redhat.com> 2.2.38-1.fc5
 - Bump for fc5
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/sources,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -r1.57 -r1.58
--- sources	8 May 2006 19:32:05 -0000	1.57
+++ sources	17 May 2006 13:57:47 -0000	1.58
@@ -1 +1 @@
-0e1819ee29c22abaf3d0a4434739ceeb  serefpolicy-2.2.38.tgz
+d2a0babbbb7cbf1d8bcb051d5972bb50  serefpolicy-2.2.40.tgz



