rpms/selinux-policy/devel modules-mls.conf, 1.19, 1.20 policy-20061106.patch, 1.1, 1.2 selinux-policy.spec, 1.331, 1.332
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Nov 7 20:38:49 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15714
Modified Files:
modules-mls.conf policy-20061106.patch selinux-policy.spec
Log Message:
* Tue Nov 7 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-2
- Fix rpc_port_types
- Add aide policy for mls
Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- modules-mls.conf 17 Oct 2006 18:43:08 -0000 1.19
+++ modules-mls.conf 7 Nov 2006 20:38:46 -0000 1.20
@@ -1009,3 +1009,10 @@
#
netlabel = base
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+#
+aide = base
+
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 3
policy/global_tunables | 36 ++
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 5
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 5
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 12
policy/modules/kernel/corenetwork.te.in | 17 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 66 ++++
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.if | 56 +++
policy/modules/services/aide.te | 52 +++
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 10
policy/modules/services/automount.te | 1
policy/modules/services/ccs.fc | 10
policy/modules/services/ccs.if | 83 +++++
policy/modules/services/ccs.te | 89 +++++
policy/modules/services/cron.if | 26 -
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 1
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 16 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 477 ++++++++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 1
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 7
policy/modules/services/ssh.te | 2
policy/modules/services/telnet.te | 1
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 2
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14
policy/modules/system/iscsi.if | 2
policy/modules/system/libraries.fc | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/mount.te | 11
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 10
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 11
policy/modules/system/userdomain.if | 201 +++++++++++++
policy/modules/system/userdomain.te | 10
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 22 +
84 files changed, 1763 insertions(+), 84 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20061106.patch 6 Nov 2006 21:18:56 -0000 1.1
+++ policy-20061106.patch 7 Nov 2006 20:38:46 -0000 1.2
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.3/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-10-23 16:14:53.000000000 -0400
-+++ serefpolicy-2.4.3/policy/flask/access_vectors 2006-11-06 16:07:57.000000000 -0500
++++ serefpolicy-2.4.3/policy/flask/access_vectors 2006-11-06 16:45:08.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
@@ -18,7 +18,7 @@
}
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.3/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/global_tunables 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/global_tunables 2006-11-06 16:45:08.000000000 -0500
@@ -574,6 +574,13 @@
gen_tunable(xdm_sysadm_login,false)
')
@@ -76,7 +76,7 @@
+gen_tunable(use_lpd_server,false)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.4.3/policy/mls
--- nsaserefpolicy/policy/mls 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/mls 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/mls 2006-11-06 16:45:08.000000000 -0500
@@ -597,4 +597,7 @@
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
@@ -87,7 +87,7 @@
') dnl end enable_mls
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.3/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/acct.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/acct.te 2006-11-06 16:45:08.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
@@ -98,7 +98,7 @@
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.3/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/amanda.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/amanda.te 2006-11-06 16:45:08.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -109,7 +109,7 @@
allow amanda_t amanda_amandates_t:file { getattr lock read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.3/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te 2006-11-06 16:45:08.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -134,7 +134,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.3/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te 2006-11-06 16:45:08.000000000 -0500
@@ -10,6 +10,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -145,7 +145,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.3/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te 2006-11-06 16:45:08.000000000 -0500
@@ -53,6 +53,7 @@
corecmd_exec_ls(logwatch_t)
@@ -156,7 +156,7 @@
domain_read_all_domains_state(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.3/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/netutils.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/netutils.te 2006-11-06 16:45:08.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
@@ -172,7 +172,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.3/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/prelink.te 2006-11-06 14:12:02.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/prelink.te 2006-11-06 16:45:08.000000000 -0500
@@ -57,6 +57,7 @@
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
@@ -195,7 +195,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.3/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc 2006-11-06 16:45:08.000000000 -0500
@@ -21,6 +21,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -208,7 +208,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.3/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.if 2006-11-06 15:24:48.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.if 2006-11-06 16:45:08.000000000 -0500
@@ -278,3 +278,27 @@
dontaudit $1 rpm_var_lib_t:file create_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
@@ -239,7 +239,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-06 16:45:08.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -261,7 +261,7 @@
# ideally we would not need this
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.3/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/apps/java.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/apps/java.fc 2006-11-06 16:45:08.000000000 -0500
@@ -1,7 +1,7 @@
#
# /opt
@@ -273,7 +273,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.3/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2006-10-27 10:27:56.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/corecommands.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corecommands.if 2006-11-06 16:45:08.000000000 -0500
@@ -928,7 +928,19 @@
type bin_t, sbin_t;
')
@@ -317,10 +317,103 @@
allow $1 exec_type:file { getattr read execute };
+ userdom_mmap_all_executables($1)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-10-17 13:47:44.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in 2006-11-07 11:31:40.000000000 -0500
+@@ -998,9 +998,11 @@
+ interface(`corenet_tcp_sendrecv_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
++ type hi_reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
++ allow $1 hi_reserved_port_t:tcp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1016,9 +1018,11 @@
+ interface(`corenet_udp_send_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
++ type hi_reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket send_msg;
++ allow $1 hi_reserved_port_t:udp_socket send_msg;
+ ')
+
+ ########################################
+@@ -1034,9 +1038,11 @@
+ interface(`corenet_udp_receive_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
++ type hi_reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket recv_msg;
++ allow $1 hi_reserved_port_t:udp_socket recv_msg;
+ ')
+
+ ########################################
+@@ -1067,9 +1073,11 @@
+ interface(`corenet_tcp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
++ type hi_reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_bind;
++ allow $1 hi_reserved_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+ ')
+
+@@ -1086,9 +1094,11 @@
+ interface(`corenet_udp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
++ type hi_reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:udp_socket name_bind;
++ allow $1 hi_reserved_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+ ')
+
+@@ -1105,9 +1115,11 @@
+ interface(`corenet_tcp_connect_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
++ type hi_reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:tcp_socket name_connect;
++ allow $1 hi_reserved_port_t:tcp_socket name_connect;
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-06 12:11:58.000000000 -0500
-@@ -67,6 +67,7 @@
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-07 11:32:22.000000000 -0500
+@@ -43,11 +43,16 @@
+ sid port gen_context(system_u:object_r:port_t,s0)
+
+ #
+-# reserved_port_t is the type of INET port numbers below 1024.
++# reserved_port_t is the type of INET port numbers below 512.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+
+ #
++# hi_reserved_port_t is the type of INET port numbers between 600-1023.
++#
++type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
++
++#
+ # server_packet_t is the default type of IPv4 and IPv6 server packets.
+ #
+ type server_packet_t, packet_type, server_packet_type;
+@@ -67,6 +72,7 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(comsat, udp,512,s0)
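Review bot: The comment added for `hi_reserved_port_t` in corenetwork.te.in gives the range as "between 600-1023", but every other part of this change uses 512 as the boundary. The comment on `reserved_port_t` now reads "below 512", and the later corenetwork.te.m4 and portcon hunks use `$3 >= 512` and `512-1023`. Because the type also carries `rpc_port_type`, anyone auditing which ports that attribute covers would take the wrong range from this comment. I would change it to `# hi_reserved_port_t is the type of INET port numbers between 512-1023.`.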
@@ -328,7 +421,7 @@
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -122,6 +123,8 @@
+@@ -122,6 +128,8 @@
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
@@ -337,9 +430,78 @@
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
+@@ -152,8 +160,11 @@
+
+ # Defaults for reserved ports. Earlier portcon entries take precedence;
+ # these entries just cover any remaining reserved ports not otherwise declared.
+-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
++
++portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
++portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
++portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+
+ ########################################
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2006-09-29 14:28:01.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4 2006-11-07 11:08:36.000000000 -0500
+@@ -55,8 +55,8 @@
+ define(`declare_ports',`dnl
+ ifelse(eval($3 < 1024),1,`
+ typeattribute $1 reserved_port_type;
+-#bindresvport in glibc starts searching for reserved ports at 600
+-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
++#bindresvport in glibc starts searching for reserved ports at 512
++ifelse(eval($3 >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
+ ',`dnl')
+ portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.3/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-11-06 11:13:17.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/devices.fc 2006-11-07 12:52:47.000000000 -0500
+@@ -20,11 +20,13 @@
+ /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
+ /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/kmsg -c gen_context(system_u:object_r:printk_device_t,mls_systemhigh)
+ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -55,6 +57,7 @@
+ /dev/smu -c gen_context(system_u:object_r:power_device_t,s0)
+ /dev/srnd[0-7] -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
+ /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
+ /dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.4.3/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te 2006-11-06 11:13:17.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/devices.te 2006-11-07 12:43:22.000000000 -0500
+@@ -27,6 +27,12 @@
+ dev_node(agp_device_t)
+
+ #
++# Type for /dev/kmsg
++#
++type printk_device_t;
++dev_node(printk_device_t)
++
++#
+ # Type for /dev/apm_bios
+ #
+ type apm_bios_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.3/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/domain.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/domain.te 2006-11-06 16:45:08.000000000 -0500
@@ -144,3 +144,10 @@
# act on all domains keys
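Review bot: Lowering the `declare_ports` test in corenetwork.te.m4 from `$3 >= 600` to `$3 >= 512` attaches `rpc_port_type` to every named port in 512-599, which widens whatever rules are written against that attribute. The context lines of this patch show such ports (`comsat` udp 512, `rlogind` tcp 513, `router` udp 520), so they would presumably become reachable by domains that only need an arbitrary free reserved port. If the goal is only to cover the unnamed default range, the attribute on `hi_reserved_port_t` already does that and the m4 test could stay at 600; otherwise the widening deserves its own changelog line. Separately, `printk_device_t` is introduced for `/dev/kmsg` with no access interface in this hunk, and the diffstat lists no devices.if change, so domains that open `/dev/kmsg` should be checked for new denials.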
@@ -353,7 +515,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.3/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-29 14:28:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/files.if 2006-11-06 14:11:54.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/files.if 2006-11-06 16:45:08.000000000 -0500
@@ -353,8 +353,7 @@
########################################
@@ -452,7 +614,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.3/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/filesystem.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/filesystem.te 2006-11-06 16:45:08.000000000 -0500
@@ -21,9 +21,11 @@
# Use xattrs for the following filesystem types.
@@ -482,7 +644,7 @@
+fs_associate_noxattr(noxattrfs)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.4.3/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2006-10-16 12:20:16.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/terminal.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/terminal.fc 2006-11-06 16:45:08.000000000 -0500
@@ -11,6 +11,7 @@
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -493,7 +655,7 @@
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.3/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/terminal.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/terminal.te 2006-11-06 16:45:08.000000000 -0500
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
@@ -502,9 +664,132 @@
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.fc serefpolicy-2.4.3/policy/modules/services/aide.fc
+--- nsaserefpolicy/policy/modules/services/aide.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.fc 2006-11-07 14:05:35.000000000 -0500
+@@ -0,0 +1,3 @@
++/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
++/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
++/var/log/aide.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-2.4.3/policy/modules/services/aide.if
+--- nsaserefpolicy/policy/modules/services/aide.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.if 2006-11-07 14:05:35.000000000 -0500
+@@ -0,0 +1,56 @@
++## <summary>Aide filesystem integrity checker</summary>
++
++########################################
++## <summary>
++## Execute aide in the aide domain
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`aide_domtrans',`
++ gen_require(`
++ type aide_t, aide_exec_t;
++ ')
++
++ corecmd_search_sbin($1)
++ domain_auto_trans($1,aide_exec_t,aide_t)
++
++ allow $1 aide_t:fd use;
++ allow aide_t $1:fd use;
++ allow aide_t $1:fifo_file rw_file_perms;
++ allow aide_t $1:process sigchld;
++')
++
++
++########################################
++## <summary>
++## Execute aide programs in the AIDE domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to allow the AIDE domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the terminal allow the AIDE domain to use.
++## </summary>
++## </param>
++#
++interface(`aide_run',`
++ gen_require(`
++ type aide_t;
++ ')
++
++ aide_domtrans($1)
++ role $2 types aide_t;
++ allow aide_t $3:chr_file rw_file_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-2.4.3/policy/modules/services/aide.te
+--- nsaserefpolicy/policy/modules/services/aide.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.te 2006-11-07 14:05:35.000000000 -0500
+@@ -0,0 +1,52 @@
++
++policy_module(aide,1.0)
++
++########################################
++#
++# Declarations
++#
++
++type aide_t;
++type aide_exec_t;
++
++domain_type(aide_t)
++domain_entry_file(aide_t,aide_exec_t)
++
++# log files
++type aide_log_t;
++logging_log_file(aide_log_t)
++
++# aide database
++type aide_db_t;
++files_type(aide_db_t)
++
++########################################
++#
++# aide local policy
++#
++seutil_use_newrole_fds(aide_t)
++
++# database actions
++allow aide_t aide_db_t:dir rw_dir_perms;
++allow aide_t aide_db_t:file create_file_perms;
++
++# logs
++logging_log_filetrans(aide_t,aide_log_t,file)
++allow aide_t aide_log_t:file create_file_perms;
++
++# audit
++allow aide_t self:capability audit_write;
++allow aide_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++
++########################################
++#
++# Local policy
++#
++
++allow aide_t self:capability { dac_override fowner };
++
++files_read_all_files(aide_t)
++
++libs_use_shared_libs(aide_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.3/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/apache.fc 2006-11-06 12:57:50.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/apache.fc 2006-11-06 16:45:08.000000000 -0500
@@ -45,6 +45,7 @@
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
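Review bot: In aide.fc the entry `/var/lib/aide(/.*)` has no trailing `?`, so it matches only paths below the directory, and `/var/lib/aide` itself keeps whatever label the parent rules assign. aide.te grants `allow aide_t aide_db_t:dir rw_dir_perms;`, which suggests the directory holding the integrity database is meant to be `aide_db_t` too, and other directory entries in this patch use the `(/.*)?` form. I would write it as `/var/lib/aide(/.*)? gen_context(system_u:object_r:aide_db_t,mls_systemhigh)`. A smaller wording fix in aide.if: the `terminal` parameter summary of `aide_run` should read `The type of the terminal to allow the AIDE domain to use.`.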
@@ -528,7 +813,7 @@
+/opt/fortitude/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.3/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/apache.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/apache.te 2006-11-06 16:45:08.000000000 -0500
@@ -143,6 +143,8 @@
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -576,7 +861,7 @@
ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.3/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/automount.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/automount.te 2006-11-06 16:45:08.000000000 -0500
@@ -76,6 +76,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -587,7 +872,7 @@
fs_unmount_all_fs(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.4.3/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.fc 2006-11-06 16:45:08.000000000 -0500
@@ -0,0 +1,10 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
@@ -601,7 +886,7 @@
+/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.4.3/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.if 2006-11-06 16:45:08.000000000 -0500
@@ -0,0 +1,83 @@
+## <summary>policy for ccs</summary>
+
@@ -688,7 +973,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.4.3/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.te 2006-11-06 16:45:08.000000000 -0500
@@ -0,0 +1,89 @@
+policy_module(ccs,1.0.0)
+
@@ -781,7 +1066,7 @@
+dev_read_urand(ccs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.3/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/cron.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cron.if 2006-11-06 16:45:08.000000000 -0500
@@ -54,9 +54,6 @@
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
@@ -857,7 +1142,7 @@
# fcron wants an instant update of a crontab change for the administrator
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.3/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cron.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cron.te 2006-11-06 16:45:08.000000000 -0500
@@ -166,6 +166,11 @@
')
')
@@ -872,7 +1157,7 @@
allow crond_t system_crond_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.3/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cups.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cups.fc 2006-11-06 16:45:08.000000000 -0500
@@ -23,7 +23,7 @@
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -884,7 +1169,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.3/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cups.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cups.te 2006-11-06 16:45:08.000000000 -0500
@@ -161,6 +161,7 @@
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
@@ -905,7 +1190,7 @@
ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.3/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/cvs.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cvs.te 2006-11-06 16:45:08.000000000 -0500
@@ -9,6 +9,7 @@
type cvs_t;
type cvs_exec_t;
@@ -916,7 +1201,7 @@
type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.4.3/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/dbus.fc 2006-11-06 13:42:10.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/dbus.fc 2006-11-06 16:45:08.000000000 -0500
@@ -4,3 +4,4 @@
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
@@ -924,7 +1209,7 @@
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.3/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/dbus.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/dbus.if 2006-11-06 16:45:08.000000000 -0500
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -935,7 +1220,7 @@
corecmd_read_bin_files($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.3/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/lpd.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/lpd.if 2006-11-06 16:45:08.000000000 -0500
@@ -64,33 +64,35 @@
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -999,7 +1284,7 @@
# Transition from the user domain to the derived domain.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.3/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/mta.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/mta.te 2006-11-06 16:45:08.000000000 -0500
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -1010,7 +1295,7 @@
role system_r types system_mail_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.3/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-08-07 18:55:18.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/nscd.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/nscd.if 2006-11-06 16:45:08.000000000 -0500
@@ -181,3 +181,23 @@
allow $1 nscd_t:nscd *;
@@ -1037,7 +1322,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.3/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/nscd.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/nscd.te 2006-11-06 16:45:08.000000000 -0500
@@ -120,6 +120,9 @@
term_dontaudit_use_unallocated_ttys(nscd_t)
term_dontaudit_use_generic_ptys(nscd_t)
@@ -1050,7 +1335,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.3/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/oddjob.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/oddjob.te 2006-11-06 16:45:08.000000000 -0500
@@ -10,6 +10,7 @@
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -1061,7 +1346,7 @@
type oddjob_mkhomedir_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.3/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/pegasus.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/pegasus.if 2006-11-06 16:45:08.000000000 -0500
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -1097,7 +1382,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.3/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/pegasus.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/pegasus.te 2006-11-06 16:45:08.000000000 -0500
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -1116,7 +1401,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.3/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/procmail.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/procmail.te 2006-11-06 16:45:08.000000000 -0500
@@ -10,6 +10,7 @@
type procmail_exec_t;
domain_type(procmail_t)
@@ -1149,7 +1434,7 @@
userdom_dontaudit_search_staff_home_dirs(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.4.3/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.fc 2006-11-06 16:45:08.000000000 -0500
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
@@ -1173,7 +1458,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.4.3/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.if 2006-11-06 16:45:08.000000000 -0500
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
@@ -1361,7 +1646,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.3/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-06 16:45:08.000000000 -0500
@@ -0,0 +1,477 @@
+policy_module(ricci,1.0.0)
+
@@ -1842,7 +2127,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.3/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/rsync.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/rsync.te 2006-11-06 16:45:08.000000000 -0500
@@ -9,6 +9,7 @@
type rsync_t;
type rsync_exec_t;
@@ -1853,7 +2138,7 @@
type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.3/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/samba.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/samba.te 2006-11-06 16:45:08.000000000 -0500
@@ -525,7 +525,8 @@
allow swat_t self:netlink_audit_socket create;
allow swat_t self:tcp_socket create_stream_socket_perms;
@@ -1883,7 +2168,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.3/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/sasl.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/sasl.te 2006-11-06 16:45:08.000000000 -0500
@@ -47,6 +47,8 @@
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
@@ -1895,7 +2180,7 @@
auth_domtrans_chk_passwd(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.3/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/snmp.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/snmp.te 2006-11-06 16:45:08.000000000 -0500
@@ -87,6 +87,7 @@
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
@@ -1906,7 +2191,7 @@
fs_getattr_rpc_dirs(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.3/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/spamassassin.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/spamassassin.te 2006-11-06 16:45:08.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -1927,7 +2212,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.4.3/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/squid.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/squid.te 2006-11-06 16:45:08.000000000 -0500
@@ -98,6 +98,9 @@
fs_getattr_all_fs(squid_t)
@@ -1948,7 +2233,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.3/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ssh.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ssh.te 2006-11-06 16:45:08.000000000 -0500
@@ -10,7 +10,7 @@
# ssh client executable.
@@ -1960,7 +2245,7 @@
type ssh_keygen_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.4.3/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/telnet.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/telnet.te 2006-11-06 16:45:08.000000000 -0500
@@ -32,6 +32,7 @@
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
@@ -1971,7 +2256,7 @@
allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.3/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/xserver.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/xserver.if 2006-11-06 16:45:08.000000000 -0500
@@ -898,10 +898,12 @@
domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -2029,7 +2314,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.3/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/authlogin.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/authlogin.if 2006-11-06 16:45:08.000000000 -0500
@@ -1258,7 +1258,7 @@
type wtmp_t;
')
@@ -2041,7 +2326,7 @@
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.3/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/authlogin.te 2006-11-06 15:47:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/authlogin.te 2006-11-06 16:45:08.000000000 -0500
@@ -141,6 +141,7 @@
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
allow pam_console_t pam_var_console_t:file r_file_perms;
@@ -2052,7 +2337,7 @@
kernel_use_fds(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.4.3/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/fstools.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/fstools.fc 2006-11-06 16:45:08.000000000 -0500
@@ -19,7 +19,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -2063,7 +2348,7 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.3/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/fstools.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/fstools.te 2006-11-06 16:45:08.000000000 -0500
@@ -9,7 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -2075,7 +2360,7 @@
type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.3/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/getty.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/getty.te 2006-11-06 16:45:08.000000000 -0500
@@ -33,7 +33,8 @@
#
@@ -2088,7 +2373,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.3/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/hostname.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/hostname.te 2006-11-06 16:45:08.000000000 -0500
@@ -8,8 +8,12 @@
type hostname_t;
@@ -2105,7 +2390,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.4.3/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2006-08-25 13:29:58.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/init.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/init.fc 2006-11-06 16:45:08.000000000 -0500
@@ -66,3 +66,6 @@
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -2115,7 +2400,7 @@
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.3/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/init.te 2006-11-06 15:28:30.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/init.te 2006-11-06 16:45:08.000000000 -0500
@@ -347,7 +347,8 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -2153,7 +2438,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.4.3/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/iscsi.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/iscsi.if 2006-11-06 16:45:08.000000000 -0500
@@ -16,6 +16,8 @@
')
@@ -2165,8 +2450,22 @@
allow iscsid_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/libraries.fc 2006-11-06 15:51:12.000000000 -0500
-@@ -170,6 +170,8 @@
++++ serefpolicy-2.4.3/policy/modules/system/libraries.fc 2006-11-07 09:28:47.000000000 -0500
+@@ -1,3 +1,4 @@
++
+ #
+ # /emul
+ #
+@@ -144,7 +145,7 @@
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
++/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+ /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -170,6 +171,8 @@
/usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/gstreamer-.*/libgstmms\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
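Review bot: The new `libx264` entry in the inner `libraries.fc` hunk `@@ -144,7 +145,7 @@` replaces the blank line that separated the explicit `/usr/lib(64)?/...` entries from the generic `/usr/(local/)?.*\.so(\.[^/]*)*` rule, and the inner `@@ -1,3 +1,4 @@` hunk adds only an empty first line to the file. I would drop the empty first line and keep the separator, placing the new entry above it. The entry also assigns `textrel_shlib_t`, the type this file uses for libraries that are allowed text relocations, so a short comment above it such as `# libx264 needs text relocations` would record why the library is on the list. Whether the packaged library really requires that label cannot be confirmed from this hunk.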
@@ -2175,7 +2474,7 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -262,6 +264,7 @@
+@@ -262,6 +265,7 @@
/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -2185,7 +2484,7 @@
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.3/policy/modules/system/locallogin.if
--- nsaserefpolicy/policy/modules/system/locallogin.if 2006-10-16 12:20:18.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/locallogin.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/locallogin.if 2006-11-06 16:45:08.000000000 -0500
@@ -75,3 +75,40 @@
allow $1 local_login_t:process signull;
@@ -2229,7 +2528,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.3/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/logging.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/logging.te 2006-11-06 16:45:08.000000000 -0500
@@ -53,6 +53,7 @@
type var_log_t;
@@ -2240,7 +2539,7 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.3/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-06 16:45:08.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -2278,7 +2577,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.3/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/raid.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/raid.te 2006-11-06 16:45:08.000000000 -0500
@@ -38,12 +38,15 @@
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -2305,7 +2604,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.3/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-10-27 10:27:56.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.if 2006-11-06 16:45:08.000000000 -0500
@@ -713,7 +713,7 @@
')
@@ -2326,7 +2625,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.3/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te 2006-11-06 13:09:23.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te 2006-11-06 16:45:08.000000000 -0500
@@ -107,6 +107,11 @@
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -2367,7 +2666,7 @@
init_dontaudit_use_script_ptys(restorecond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/unconfined.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/unconfined.if 2006-11-06 16:45:08.000000000 -0500
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
@@ -2403,8 +2702,18 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/unconfined.te 2006-11-06 15:26:09.000000000 -0500
-@@ -138,6 +138,8 @@
++++ serefpolicy-2.4.3/policy/modules/system/unconfined.te 2006-11-06 16:45:21.000000000 -0500
+@@ -83,6 +83,9 @@
+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_t)
+ ')
++ optional_policy(`
++ oddjob_dbus_chat(unconfined_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -138,6 +141,8 @@
optional_policy(`
rpm_domtrans(unconfined_t)
@@ -2413,7 +2722,7 @@
')
optional_policy(`
-@@ -173,6 +175,8 @@
+@@ -173,6 +178,8 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
@@ -2422,7 +2731,7 @@
')
########################################
-@@ -181,6 +185,10 @@
+@@ -181,6 +188,10 @@
#
ifdef(`targeted_policy',`
@@ -2435,7 +2744,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/userdomain.if 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/userdomain.if 2006-11-06 16:45:08.000000000 -0500
@@ -22,6 +22,10 @@
## <rolebase/>
#
@@ -2692,7 +3001,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/userdomain.te 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/userdomain.te 2006-11-07 14:07:54.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -2703,7 +3012,23 @@
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -428,6 +431,9 @@
+@@ -155,11 +158,15 @@
+ init_exec(secadm_t)
+ logging_read_audit_log(secadm_t)
+ logging_read_generic_logs(secadm_t)
++ logging_read_audit_config(secadm_t)
+ userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+ optional_policy(`
+ netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
++ optional_policy(`
++ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
++ ')
+ ',`
+ logging_manage_audit_log(sysadm_t)
+ logging_manage_audit_config(sysadm_t)
+@@ -428,6 +435,9 @@
')
optional_policy(`
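Review bot: The two grants added for `secadm_t`, `logging_read_audit_config(secadm_t)` and the `optional_policy` block calling `aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })`, carry no comment saying why the security administrator role needs them. The else branch that starts right after them gives `sysadm_t` only the `logging_manage_*` calls visible here, and the rest of that branch lies beyond the hunk's context. `aide_run` presumably lets `secadm_r` transition into the aide domain (aide.if is not shown in this hunk), so I would state the intent next to it, for example `# secadm_r runs the aide integrity checker under the MLS policy`. If leaving aide out of the `sysadm_t` branch is deliberate, a one-line comment there would stop a later editor from reading it as an omission. The enclosing conditional starts and ends outside the hunk.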
@@ -2715,7 +3040,7 @@
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.3/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.fc 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.fc 2006-11-06 16:45:08.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
@@ -2726,7 +3051,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.3/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-06 12:20:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-06 16:45:08.000000000 -0500
@@ -152,6 +152,7 @@
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
@@ -2783,7 +3108,7 @@
+fs_read_nfs_files(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.3/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-10-16 12:20:19.000000000 -0400
-+++ serefpolicy-2.4.3/Rules.modular 2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/Rules.modular 2006-11-06 16:45:08.000000000 -0500
@@ -219,6 +219,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.331
retrieving revision 1.332
diff -u -r1.331 -r1.332
--- selinux-policy.spec 6 Nov 2006 21:15:56 -0000 1.331
+++ selinux-policy.spec 7 Nov 2006 20:38:46 -0000 1.332
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.3
-Release: 1
+Release: 2
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -133,7 +133,7 @@
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
-%{_sysconfdir}/selinux/%1/contexts/users/root
+%{_sysconfdir}/selinux/%1/contexts/users/root
%define saveFileContext() \
if [ -s /etc/selinux/config ]; then \
@@ -351,7 +351,11 @@
%endif
%changelog
-* Fri Nov 3 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-1
+* Tue Nov 7 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-2
+- Fix rpc_port_types
+- Add aide policy for mls
+
+* Mon Nov 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-1
- Merge with upstream
* Fri Nov 3 2006 Dan Walsh <dwalsh at redhat.com> 2.4.2-8