rpms/selinux-policy/devel modules-mls.conf, 1.19, 1.20 policy-20061106.patch, 1.1, 1.2 selinux-policy.spec, 1.331, 1.332

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Nov 7 20:38:49 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15714

Modified Files:
	modules-mls.conf policy-20061106.patch selinux-policy.spec 
Log Message:
* Tue Nov 7 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-2
- Fix rpc_port_types
- Add aide policy for mls



Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- modules-mls.conf	17 Oct 2006 18:43:08 -0000	1.19
+++ modules-mls.conf	7 Nov 2006 20:38:46 -0000	1.20
@@ -1009,3 +1009,10 @@
 # 
 netlabel = base
 
+# Layer: services
+# Module: aide
+#
+# Policy for aide
+# 
+aide = base
+

policy-20061106.patch:
 Rules.modular                           |   10 
 policy/flask/access_vectors             |    3 
 policy/global_tunables                  |   36 ++
 policy/mls                              |    3 
 policy/modules/admin/acct.te            |    1 
 policy/modules/admin/amanda.te          |    1 
 policy/modules/admin/consoletype.te     |    8 
 policy/modules/admin/dmesg.te           |    1 
 policy/modules/admin/logwatch.te        |    1 
 policy/modules/admin/netutils.te        |    2 
 policy/modules/admin/prelink.te         |    5 
 policy/modules/admin/rpm.fc             |    3 
 policy/modules/admin/rpm.if             |   24 +
 policy/modules/admin/rpm.te             |    5 
 policy/modules/apps/java.fc             |    2 
 policy/modules/kernel/corecommands.if   |   17 +
 policy/modules/kernel/corenetwork.if.in |   12 
 policy/modules/kernel/corenetwork.te.in |   17 -
 policy/modules/kernel/corenetwork.te.m4 |    4 
 policy/modules/kernel/devices.fc        |    3 
 policy/modules/kernel/devices.te        |    6 
 policy/modules/kernel/domain.te         |    7 
 policy/modules/kernel/files.if          |   66 ++++
 policy/modules/kernel/filesystem.te     |    6 
 policy/modules/kernel/terminal.fc       |    1 
 policy/modules/kernel/terminal.te       |    1 
 policy/modules/services/aide.fc         |    3 
 policy/modules/services/aide.if         |   56 +++
 policy/modules/services/aide.te         |   52 +++
 policy/modules/services/apache.fc       |   10 
 policy/modules/services/apache.te       |   10 
 policy/modules/services/automount.te    |    1 
 policy/modules/services/ccs.fc          |   10 
 policy/modules/services/ccs.if          |   83 +++++
 policy/modules/services/ccs.te          |   89 +++++
 policy/modules/services/cron.if         |   26 -
 policy/modules/services/cron.te         |    5 
 policy/modules/services/cups.fc         |    2 
 policy/modules/services/cups.te         |    4 
 policy/modules/services/cvs.te          |    1 
 policy/modules/services/dbus.fc         |    1 
 policy/modules/services/dbus.if         |    1 
 policy/modules/services/lpd.if          |   52 +--
 policy/modules/services/mta.te          |    1 
 policy/modules/services/nscd.if         |   20 +
 policy/modules/services/nscd.te         |    3 
 policy/modules/services/oddjob.te       |    1 
 policy/modules/services/pegasus.if      |   31 ++
 policy/modules/services/pegasus.te      |    5 
 policy/modules/services/procmail.te     |   16 +
 policy/modules/services/ricci.fc        |   20 +
 policy/modules/services/ricci.if        |  184 ++++++++++++
 policy/modules/services/ricci.te        |  477 ++++++++++++++++++++++++++++++++
 policy/modules/services/rsync.te        |    1 
 policy/modules/services/samba.te        |    6 
 policy/modules/services/sasl.te         |    2 
 policy/modules/services/snmp.te         |    1 
 policy/modules/services/spamassassin.te |    4 
 policy/modules/services/squid.te        |    7 
 policy/modules/services/ssh.te          |    2 
 policy/modules/services/telnet.te       |    1 
 policy/modules/services/xserver.if      |   40 ++
 policy/modules/system/authlogin.if      |    2 
 policy/modules/system/authlogin.te      |    1 
 policy/modules/system/fstools.fc        |    1 
 policy/modules/system/fstools.te        |    2 
 policy/modules/system/getty.te          |    3 
 policy/modules/system/hostname.te       |    6 
 policy/modules/system/init.fc           |    3 
 policy/modules/system/init.te           |   14 
 policy/modules/system/iscsi.if          |    2 
 policy/modules/system/libraries.fc      |    6 
 policy/modules/system/locallogin.if     |   37 ++
 policy/modules/system/logging.te        |    1 
 policy/modules/system/mount.te          |   11 
 policy/modules/system/raid.te           |    7 
 policy/modules/system/selinuxutil.if    |    4 
 policy/modules/system/selinuxutil.te    |   10 
 policy/modules/system/unconfined.if     |   19 +
 policy/modules/system/unconfined.te     |   11 
 policy/modules/system/userdomain.if     |  201 +++++++++++++
 policy/modules/system/userdomain.te     |   10 
 policy/modules/system/xen.fc            |    1 
 policy/modules/system/xen.te            |   22 +
 84 files changed, 1763 insertions(+), 84 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20061106.patch	6 Nov 2006 21:18:56 -0000	1.1
+++ policy-20061106.patch	7 Nov 2006 20:38:46 -0000	1.2
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.3/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2006-10-23 16:14:53.000000000 -0400
-+++ serefpolicy-2.4.3/policy/flask/access_vectors	2006-11-06 16:07:57.000000000 -0500
++++ serefpolicy-2.4.3/policy/flask/access_vectors	2006-11-06 16:45:08.000000000 -0500
 @@ -619,6 +619,8 @@
  	send
  	recv
@@ -18,7 +18,7 @@
  }
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.3/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/global_tunables	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/global_tunables	2006-11-06 16:45:08.000000000 -0500
 @@ -574,6 +574,13 @@
  gen_tunable(xdm_sysadm_login,false)
  ')
@@ -76,7 +76,7 @@
 +gen_tunable(use_lpd_server,false)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.4.3/policy/mls
 --- nsaserefpolicy/policy/mls	2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/mls	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/mls	2006-11-06 16:45:08.000000000 -0500
 @@ -597,4 +597,7 @@
  mlsconstrain context translate
  	(( h1 dom h2 ) or ( t1 == mlstranslate ));
@@ -87,7 +87,7 @@
  ') dnl end enable_mls
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.3/policy/modules/admin/acct.te
 --- nsaserefpolicy/policy/modules/admin/acct.te	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/acct.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/acct.te	2006-11-06 16:45:08.000000000 -0500
 @@ -9,6 +9,7 @@
  type acct_t;
  type acct_exec_t;
@@ -98,7 +98,7 @@
  logging_log_file(acct_data_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.3/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/amanda.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/amanda.te	2006-11-06 16:45:08.000000000 -0500
 @@ -75,6 +75,7 @@
  allow amanda_t self:unix_dgram_socket create_socket_perms;
  allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -109,7 +109,7 @@
  allow amanda_t amanda_amandates_t:file { getattr lock read write };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.3/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te	2006-11-06 16:45:08.000000000 -0500
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -134,7 +134,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.3/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te	2006-11-06 16:45:08.000000000 -0500
 @@ -10,6 +10,7 @@
  	type dmesg_t;
  	type dmesg_exec_t;
@@ -145,7 +145,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.3/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te	2006-11-06 16:45:08.000000000 -0500
 @@ -53,6 +53,7 @@
  corecmd_exec_ls(logwatch_t)
  
@@ -156,7 +156,7 @@
  domain_read_all_domains_state(logwatch_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.3/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/netutils.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/netutils.te	2006-11-06 16:45:08.000000000 -0500
 @@ -18,10 +18,12 @@
  type ping_exec_t;
  init_system_domain(ping_t,ping_exec_t)
@@ -172,7 +172,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/prelink.te	2006-11-06 14:12:02.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/prelink.te	2006-11-06 16:45:08.000000000 -0500
 @@ -57,6 +57,7 @@
  files_write_non_security_dirs(prelink_t)
  files_read_etc_files(prelink_t)
@@ -195,7 +195,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.3/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -21,6 +21,9 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -208,7 +208,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.3/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.if	2006-11-06 15:24:48.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.if	2006-11-06 16:45:08.000000000 -0500
 @@ -278,3 +278,27 @@
  	dontaudit $1 rpm_var_lib_t:file create_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
@@ -239,7 +239,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.3/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.te	2006-11-06 16:45:08.000000000 -0500
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -261,7 +261,7 @@
  # ideally we would not need this
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.3/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/apps/java.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/apps/java.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -1,7 +1,7 @@
  #
  # /opt
@@ -273,7 +273,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.3/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2006-10-27 10:27:56.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/corecommands.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corecommands.if	2006-11-06 16:45:08.000000000 -0500
 @@ -928,7 +928,19 @@
  		type bin_t, sbin_t;
  	')
@@ -317,10 +317,103 @@
  	allow $1 exec_type:file { getattr read execute };
 +	userdom_mmap_all_executables($1)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2006-10-17 13:47:44.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in	2006-11-07 11:31:40.000000000 -0500
+@@ -998,9 +998,11 @@
+ interface(`corenet_tcp_sendrecv_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
++		type hi_reserved_port_t;
+ 	')
+ 
+ 	allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
++	allow $1 hi_reserved_port_t:tcp_socket { send_msg recv_msg };
+ ')
+ 
+ ########################################
+@@ -1016,9 +1018,11 @@
+ interface(`corenet_udp_send_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
++		type hi_reserved_port_t;
+ 	')
+ 
+ 	allow $1 reserved_port_t:udp_socket send_msg;
++	allow $1 hi_reserved_port_t:udp_socket send_msg;
+ ')
+ 
+ ########################################
+@@ -1034,9 +1038,11 @@
+ interface(`corenet_udp_receive_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
++		type hi_reserved_port_t;
+ 	')
+ 
+ 	allow $1 reserved_port_t:udp_socket recv_msg;
++	allow $1 hi_reserved_port_t:udp_socket recv_msg;
+ ')
+ 
+ ########################################
+@@ -1067,9 +1073,11 @@
+ interface(`corenet_tcp_bind_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
++		type hi_reserved_port_t;
+ 	')
+ 
+ 	allow $1 reserved_port_t:tcp_socket name_bind;
++	allow $1 hi_reserved_port_t:tcp_socket name_bind;
+ 	allow $1 self:capability net_bind_service;
+ ')
+ 
+@@ -1086,9 +1094,11 @@
+ interface(`corenet_udp_bind_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
++		type hi_reserved_port_t;
+ 	')
+ 
+ 	allow $1 reserved_port_t:udp_socket name_bind;
++	allow $1 hi_reserved_port_t:udp_socket name_bind;
+ 	allow $1 self:capability net_bind_service;
+ ')
+ 
+@@ -1105,9 +1115,11 @@
+ interface(`corenet_tcp_connect_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
++		type hi_reserved_port_t;
+ 	')
+ 
+ 	allow $1 reserved_port_t:tcp_socket name_connect;
++	allow $1 hi_reserved_port_t:tcp_socket name_connect;
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in	2006-11-06 12:11:58.000000000 -0500
-@@ -67,6 +67,7 @@
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in	2006-11-07 11:32:22.000000000 -0500
+@@ -43,11 +43,16 @@
+ sid port gen_context(system_u:object_r:port_t,s0)
+ 
+ #
+-# reserved_port_t is the type of INET port numbers below 1024.
++# reserved_port_t is the type of INET port numbers below 512.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+ 
+ #
++# hi_reserved_port_t is the type of INET port numbers between 600-1023.
++#
++type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
++
++#
+ # server_packet_t is the default type of IPv4 and IPv6 server packets.
+ #
+ type server_packet_t, packet_type, server_packet_type;
+@@ -67,6 +72,7 @@
  network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(comsat, udp,512,s0)
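Review bot: The comment added above `type hi_reserved_port_t` in corenetwork.te.in says the type covers ports 600-1023, but the `portcon` entries added later in this patch label 512-1023 with it, and the neighbouring comment now says reserved_port_t is "below 512", so neither comment describes 512-599. Suggest `# hi_reserved_port_t is the default type of otherwise undeclared INET ports 512-1023.` The new type also carries `rpc_port_type`, and every `corenet_*_reserved_port` interface changed in corenetwork.if.in now allows both types, so existing callers keep access to the whole 1-1023 default range. A one-line comment on the type naming the attribute-based rules that reach it would help anyone auditing which domains may bind these ports. The corenetwork.te.in section continues in the following hunks.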
@@ -328,7 +421,7 @@
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dbskkd, tcp,1178,s0)
-@@ -122,6 +123,8 @@
+@@ -122,6 +128,8 @@
  network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(razor, tcp,2703,s0)
@@ -337,9 +430,78 @@
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
  network_port(router, udp,520,s0)
+@@ -152,8 +160,11 @@
+ 
+ # Defaults for reserved ports.  Earlier portcon entries take precedence;
+ # these entries just cover any remaining reserved ports not otherwise declared.
+-portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
+-portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
++
++portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
++portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
++portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ 
+ ########################################
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4	2006-09-29 14:28:01.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4	2006-11-07 11:08:36.000000000 -0500
+@@ -55,8 +55,8 @@
+ define(`declare_ports',`dnl
+ ifelse(eval($3 < 1024),1,`
+ typeattribute $1 reserved_port_type;
+-#bindresvport in glibc starts searching for reserved ports at 600
+-ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
++#bindresvport in glibc starts searching for reserved ports at 512
++ifelse(eval($3 >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
+ ',`dnl')
+ portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.3/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-11-06 11:13:17.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/devices.fc	2006-11-07 12:52:47.000000000 -0500
+@@ -20,11 +20,13 @@
+ /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
+ /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
+ /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
++/dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/kmsg		-c	gen_context(system_u:object_r:printk_device_t,mls_systemhigh)
+ /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
+@@ -55,6 +57,7 @@
+ /dev/smu		-c	gen_context(system_u:object_r:power_device_t,s0)
+ /dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
+ /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
+ /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.4.3/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te	2006-11-06 11:13:17.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/devices.te	2006-11-07 12:43:22.000000000 -0500
+@@ -27,6 +27,12 @@
+ dev_node(agp_device_t)
+ 
+ #
++# Type for /dev/kmsg
++#
++type printk_device_t;
++dev_node(printk_device_t)
++
++#
+ # Type for /dev/apm_bios
+ #
+ type apm_bios_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.3/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/domain.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/domain.te	2006-11-06 16:45:08.000000000 -0500
 @@ -144,3 +144,10 @@
  
  # act on all domains keys
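Review bot: Lowering the `declare_ports` threshold in corenetwork.te.m4 from 600 to 512 gives `rpc_port_type` to every declared port in 512-599, which on the visible context lines includes `comsat` (udp 512), `rlogind` (tcp 513) and `router` (udp 520). Any domain whose rules are written against `rpc_port_type` (those rules are outside this hunk) would then reach these named service ports too, so it is worth confirming this is intended or stating it next to the macro, e.g. `# ports 512-599 declared with network_port() also become rpc_port_type`. Separately, devices.fc labels `/dev/snapshot` as `apm_bios_t` at `s0`. If that node exposes the suspend image, its contents are closer to `/dev/kmem` (`memory_device_t` at `mls_systemhigh`, a few lines above), and a dedicated type would keep domains with APM access from inheriting it.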
@@ -353,7 +515,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.3/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2006-09-29 14:28:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/files.if	2006-11-06 14:11:54.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/files.if	2006-11-06 16:45:08.000000000 -0500
 @@ -353,8 +353,7 @@
  
  ########################################
@@ -452,7 +614,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.3/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/filesystem.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/filesystem.te	2006-11-06 16:45:08.000000000 -0500
 @@ -21,9 +21,11 @@
  
  # Use xattrs for the following filesystem types.
@@ -482,7 +644,7 @@
 +fs_associate_noxattr(noxattrfs)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.4.3/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2006-10-16 12:20:16.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/terminal.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/terminal.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -11,6 +11,7 @@
  /dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
@@ -493,7 +655,7 @@
  /dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.3/policy/modules/kernel/terminal.te
 --- nsaserefpolicy/policy/modules/kernel/terminal.te	2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/terminal.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/terminal.te	2006-11-06 16:45:08.000000000 -0500
 @@ -28,6 +28,7 @@
  type devpts_t;
  files_mountpoint(devpts_t)
@@ -502,9 +664,132 @@
  fs_type(devpts_t)
  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.fc serefpolicy-2.4.3/policy/modules/services/aide.fc
+--- nsaserefpolicy/policy/modules/services/aide.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.fc	2006-11-07 14:05:35.000000000 -0500
+@@ -0,0 +1,3 @@
++/usr/sbin/aide	--	gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
++/var/lib/aide(/.*)	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
++/var/log/aide.log	--	gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-2.4.3/policy/modules/services/aide.if
+--- nsaserefpolicy/policy/modules/services/aide.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.if	2006-11-07 14:05:35.000000000 -0500
+@@ -0,0 +1,56 @@
++## <summary>Aide filesystem integrity checker</summary>
++
++########################################
++## <summary>
++##      Execute aide in the aide domain
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`aide_domtrans',`
++        gen_require(`
++                type aide_t, aide_exec_t;
++        ')
++
++	corecmd_search_sbin($1)
++        domain_auto_trans($1,aide_exec_t,aide_t)
++
++	allow $1 aide_t:fd use;
++	allow aide_t $1:fd use;
++	allow aide_t $1:fifo_file rw_file_perms;
++	allow aide_t $1:process sigchld;
++')
++
++
++########################################
++## <summary>
++##	Execute aide programs in the AIDE domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to allow the AIDE domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the AIDE domain to use.
++##	</summary>
++## </param>
++#
++interface(`aide_run',`
++	gen_require(`
++		type aide_t;
++	')
++
++	aide_domtrans($1)
++	role $2 types aide_t;
++	allow aide_t $3:chr_file rw_file_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-2.4.3/policy/modules/services/aide.te
+--- nsaserefpolicy/policy/modules/services/aide.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.te	2006-11-07 14:05:35.000000000 -0500
+@@ -0,0 +1,52 @@
++
++policy_module(aide,1.0)
++
++########################################
++#
++# Declarations
++#
++
++type aide_t;
++type aide_exec_t;
++
++domain_type(aide_t)
++domain_entry_file(aide_t,aide_exec_t)
++
++# log files
++type aide_log_t;
++logging_log_file(aide_log_t)
++
++# aide database
++type aide_db_t;
++files_type(aide_db_t)
++
++########################################
++#
++# aide local policy
++#
++seutil_use_newrole_fds(aide_t)
++
++# database actions
++allow aide_t aide_db_t:dir rw_dir_perms;
++allow aide_t aide_db_t:file create_file_perms;
++
++# logs
++logging_log_filetrans(aide_t,aide_log_t,file)
++allow aide_t aide_log_t:file create_file_perms;
++
++# audit
++allow aide_t self:capability audit_write;
++allow aide_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++
++########################################
++#
++# Local policy
++#
++
++allow aide_t self:capability { dac_override fowner };
++
++files_read_all_files(aide_t)
++
++libs_use_shared_libs(aide_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.3/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/apache.fc	2006-11-06 12:57:50.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/apache.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -45,6 +45,7 @@
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
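Review bot: In aide.fc the pattern `/var/lib/aide(/.*)` has no trailing `?`, so it matches only paths below the directory and leaves `/var/lib/aide` itself with whatever label it inherits; the other directory entries visible in this patch use the `(/.*)?` form. Suggest `/var/lib/aide(/.*)?	gen_context(system_u:object_r:aide_db_t,mls_systemhigh)`, otherwise `allow aide_t aide_db_t:dir rw_dir_perms;` does not cover the database directory. In aide.te, `aide_t` combines `dac_override`, `fowner` and `files_read_all_files` with create/write access to its own baseline (`aide_db_t`) and log, so a short comment stating that no other domain is expected to write `aide_db_t` would record the integrity assumption the checker depends on. The two section headers "aide local policy" and "Local policy" introduce rules for the same domain and could be merged.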
@@ -528,7 +813,7 @@
 +/opt/fortitude/run(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/apache.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/apache.te	2006-11-06 16:45:08.000000000 -0500
 @@ -143,6 +143,8 @@
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -576,7 +861,7 @@
  ifdef(`targeted_policy',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.3/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/automount.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/automount.te	2006-11-06 16:45:08.000000000 -0500
 @@ -76,6 +76,7 @@
  files_mounton_all_mountpoints(automount_t)
  files_mount_all_file_type_fs(automount_t)
@@ -587,7 +872,7 @@
  fs_unmount_all_fs(automount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.4.3/policy/modules/services/ccs.fc
 --- nsaserefpolicy/policy/modules/services/ccs.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -0,0 +1,10 @@
 +# ccs executable will have:
 +# label: system_u:object_r:ccs_exec_t
@@ -601,7 +886,7 @@
 +/var/run/cman_.*	-s	gen_context(system_u:object_r:ccs_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.4.3/policy/modules/services/ccs.if
 --- nsaserefpolicy/policy/modules/services/ccs.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.if	2006-11-06 16:45:08.000000000 -0500
 @@ -0,0 +1,83 @@
 +## <summary>policy for ccs</summary>
 +
@@ -688,7 +973,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.4.3/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.te	2006-11-06 16:45:08.000000000 -0500
 @@ -0,0 +1,89 @@
 +policy_module(ccs,1.0.0)
 +
@@ -781,7 +1066,7 @@
 +dev_read_urand(ccs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.3/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/cron.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cron.if	2006-11-06 16:45:08.000000000 -0500
 @@ -54,9 +54,6 @@
  	domain_entry_file($1_crontab_t,crontab_exec_t)
  	role $3 types $1_crontab_t;
@@ -857,7 +1142,7 @@
  		# fcron wants an instant update of a crontab change for the administrator
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.3/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cron.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cron.te	2006-11-06 16:45:08.000000000 -0500
 @@ -166,6 +166,11 @@
  	')
  ')
@@ -872,7 +1157,7 @@
  	allow crond_t system_crond_tmp_t:file create_file_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.3/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cups.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cups.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -23,7 +23,7 @@
  
  /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -884,7 +1169,7 @@
  /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.3/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cups.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cups.te	2006-11-06 16:45:08.000000000 -0500
 @@ -161,6 +161,7 @@
  dev_read_urand(cupsd_t)
  dev_read_sysfs(cupsd_t)
@@ -905,7 +1190,7 @@
  ifdef(`targeted_policy',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.3/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/cvs.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cvs.te	2006-11-06 16:45:08.000000000 -0500
 @@ -9,6 +9,7 @@
  type cvs_t;
  type cvs_exec_t;
@@ -916,7 +1201,7 @@
  type cvs_data_t; # customizable
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.4.3/policy/modules/services/dbus.fc
 --- nsaserefpolicy/policy/modules/services/dbus.fc	2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/dbus.fc	2006-11-06 13:42:10.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/dbus.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -4,3 +4,4 @@
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
  /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
@@ -924,7 +1209,7 @@
 +/var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.3/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/dbus.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/dbus.if	2006-11-06 16:45:08.000000000 -0500
 @@ -123,6 +123,7 @@
  	selinux_compute_relabel_context($1_dbusd_t)
  	selinux_compute_user_contexts($1_dbusd_t)
@@ -935,7 +1220,7 @@
  	corecmd_read_bin_files($1_dbusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.3/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/lpd.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/lpd.if	2006-11-06 16:45:08.000000000 -0500
 @@ -64,33 +64,35 @@
  	allow $1_lpr_t self:udp_socket create_socket_perms;
  	allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -999,7 +1284,7 @@
  	# Transition from the user domain to the derived domain.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.3/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/mta.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/mta.te	2006-11-06 16:45:08.000000000 -0500
 @@ -27,6 +27,7 @@
  
  type sendmail_exec_t;
@@ -1010,7 +1295,7 @@
  role system_r types system_mail_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.3/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2006-08-07 18:55:18.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/nscd.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/nscd.if	2006-11-06 16:45:08.000000000 -0500
 @@ -181,3 +181,23 @@
  
  	allow $1 nscd_t:nscd *;
@@ -1037,7 +1322,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.3/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/nscd.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/nscd.te	2006-11-06 16:45:08.000000000 -0500
 @@ -120,6 +120,9 @@
  	term_dontaudit_use_unallocated_ttys(nscd_t)
  	term_dontaudit_use_generic_ptys(nscd_t)
@@ -1050,7 +1335,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.3/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/oddjob.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/oddjob.te	2006-11-06 16:45:08.000000000 -0500
 @@ -10,6 +10,7 @@
  type oddjob_exec_t;
  domain_type(oddjob_t)
@@ -1061,7 +1346,7 @@
  type oddjob_mkhomedir_exec_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.3/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if	2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/pegasus.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/pegasus.if	2006-11-06 16:45:08.000000000 -0500
 @@ -1 +1,32 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 +
@@ -1097,7 +1382,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.3/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/pegasus.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/pegasus.te	2006-11-06 16:45:08.000000000 -0500
 @@ -100,13 +100,12 @@
  
  auth_use_nsswitch(pegasus_t)
@@ -1116,7 +1401,7 @@
  hostname_exec(pegasus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.3/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/procmail.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/procmail.te	2006-11-06 16:45:08.000000000 -0500
 @@ -10,6 +10,7 @@
  type procmail_exec_t;
  domain_type(procmail_t)
@@ -1149,7 +1434,7 @@
  userdom_dontaudit_search_staff_home_dirs(procmail_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.4.3/policy/modules/services/ricci.fc
 --- nsaserefpolicy/policy/modules/services/ricci.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -0,0 +1,20 @@
 +# ricci executable will have:
 +# label: system_u:object_r:ricci_exec_t
@@ -1173,7 +1458,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.4.3/policy/modules/services/ricci.if
 --- nsaserefpolicy/policy/modules/services/ricci.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.if	2006-11-06 16:45:08.000000000 -0500
 @@ -0,0 +1,184 @@
 +## <summary>policy for ricci</summary>
 +
@@ -1361,7 +1646,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.3/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.te	2006-11-06 16:45:08.000000000 -0500
 @@ -0,0 +1,477 @@
 +policy_module(ricci,1.0.0)
 +
@@ -1842,7 +2127,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.3/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/rsync.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/rsync.te	2006-11-06 16:45:08.000000000 -0500
 @@ -9,6 +9,7 @@
  type rsync_t;
  type rsync_exec_t;
@@ -1853,7 +2138,7 @@
  type rsync_data_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.3/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/samba.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/samba.te	2006-11-06 16:45:08.000000000 -0500
 @@ -525,7 +525,8 @@
  allow swat_t self:netlink_audit_socket create;
  allow swat_t self:tcp_socket create_stream_socket_perms;
@@ -1883,7 +2168,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.3/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/sasl.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/sasl.te	2006-11-06 16:45:08.000000000 -0500
 @@ -47,6 +47,8 @@
  fs_getattr_all_fs(saslauthd_t)
  fs_search_auto_mountpoints(saslauthd_t)
@@ -1895,7 +2180,7 @@
  auth_domtrans_chk_passwd(saslauthd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.3/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/snmp.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/snmp.te	2006-11-06 16:45:08.000000000 -0500
 @@ -87,6 +87,7 @@
  files_read_etc_runtime_files(snmpd_t)
  files_search_home(snmpd_t)
@@ -1906,7 +2191,7 @@
  fs_getattr_rpc_dirs(snmpd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.3/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/spamassassin.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/spamassassin.te	2006-11-06 16:45:08.000000000 -0500
 @@ -8,7 +8,7 @@
  
  # spamassassin client executable
@@ -1927,7 +2212,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.4.3/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/squid.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/squid.te	2006-11-06 16:45:08.000000000 -0500
 @@ -98,6 +98,9 @@
  
  fs_getattr_all_fs(squid_t)
@@ -1948,7 +2233,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.3/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ssh.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ssh.te	2006-11-06 16:45:08.000000000 -0500
 @@ -10,7 +10,7 @@
  
  # ssh client executable.
@@ -1960,7 +2245,7 @@
  type ssh_keygen_exec_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.4.3/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/telnet.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/telnet.te	2006-11-06 16:45:08.000000000 -0500
 @@ -32,6 +32,7 @@
  allow telnetd_t self:udp_socket create_socket_perms;
  # for identd; cjp: this should probably only be inetd_child rules?
@@ -1971,7 +2256,7 @@
  allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/xserver.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/xserver.if	2006-11-06 16:45:08.000000000 -0500
 @@ -898,10 +898,12 @@
  
  	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -2029,7 +2314,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.3/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/authlogin.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/authlogin.if	2006-11-06 16:45:08.000000000 -0500
 @@ -1258,7 +1258,7 @@
  		type wtmp_t;
  	')
@@ -2041,7 +2326,7 @@
  #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.3/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/authlogin.te	2006-11-06 15:47:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/authlogin.te	2006-11-06 16:45:08.000000000 -0500
 @@ -141,6 +141,7 @@
  allow pam_console_t pam_var_console_t:lnk_file { getattr read };
  allow pam_console_t pam_var_console_t:file r_file_perms;
@@ -2052,7 +2337,7 @@
  kernel_use_fds(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.4.3/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/fstools.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/fstools.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -19,7 +19,6 @@
  /sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -2063,7 +2348,7 @@
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.3/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/fstools.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/fstools.te	2006-11-06 16:45:08.000000000 -0500
 @@ -9,7 +9,7 @@
  type fsadm_t;
  type fsadm_exec_t;
@@ -2075,7 +2360,7 @@
  type fsadm_log_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.3/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/getty.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/getty.te	2006-11-06 16:45:08.000000000 -0500
 @@ -33,7 +33,8 @@
  #
  
@@ -2088,7 +2373,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.3/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/hostname.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/hostname.te	2006-11-06 16:45:08.000000000 -0500
 @@ -8,8 +8,12 @@
  
  type hostname_t;
@@ -2105,7 +2390,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.4.3/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2006-08-25 13:29:58.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/init.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/init.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -66,3 +66,6 @@
  /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
@@ -2115,7 +2400,7 @@
 +/var/run/pcscd\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/init.te	2006-11-06 15:28:30.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/init.te	2006-11-06 16:45:08.000000000 -0500
 @@ -347,7 +347,8 @@
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
@@ -2153,7 +2438,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.4.3/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/iscsi.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/iscsi.if	2006-11-06 16:45:08.000000000 -0500
 @@ -16,6 +16,8 @@
  	')
  
@@ -2165,8 +2450,22 @@
  	allow iscsid_t $1:process sigchld;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.3/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/libraries.fc	2006-11-06 15:51:12.000000000 -0500
-@@ -170,6 +170,8 @@
++++ serefpolicy-2.4.3/policy/modules/system/libraries.fc	2006-11-07 09:28:47.000000000 -0500
+@@ -1,3 +1,4 @@
++
+ #
+ # /emul
+ #
+@@ -144,7 +145,7 @@
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
++/usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
+ /usr/(local/)?lib(64)?/wine/.+\.so  	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -170,6 +171,8 @@
  /usr/lib(64)?/gstreamer-.*/libgstffmpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/gstreamer-.*/libgsthermescolorspace\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/gstreamer-.*/libgstmms\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
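Review bot: The `libx264\.so` entry added to libraries.fc in this hunk is labelled `textrel_shlib_t` with no comment saying why the library needs text relocations. Neither it nor the `oddjob_dbus_chat(unconfined_t)` and `logging_read_audit_config(secadm_t)` additions in the later unconfined.te and userdomain.te hunks appear in the log message, which names only rpc_port_types and aide. Each of these widens what the policy allows, so I would add changelog lines for them, for example `- Label libx264 as textrel_shlib_t`, and a comment above the entry such as `# libx264 contains text relocations (<bug reference>)`. The entry also takes the place of the blank line that separated the preceding entries from the generic `/usr/(local/)?.*\.so` rule, and the first nested hunk adds an empty line at the top of the file; both look unintended.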
@@ -2175,7 +2474,7 @@
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -262,6 +264,7 @@
+@@ -262,6 +265,7 @@
  /usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -2185,7 +2484,7 @@
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.3/policy/modules/system/locallogin.if
 --- nsaserefpolicy/policy/modules/system/locallogin.if	2006-10-16 12:20:18.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/locallogin.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/locallogin.if	2006-11-06 16:45:08.000000000 -0500
 @@ -75,3 +75,40 @@
  
  	allow $1 local_login_t:process signull;
@@ -2229,7 +2528,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.3/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/logging.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/logging.te	2006-11-06 16:45:08.000000000 -0500
 @@ -53,6 +53,7 @@
  
  type var_log_t;
@@ -2240,7 +2539,7 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.3/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/mount.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/mount.te	2006-11-06 16:45:08.000000000 -0500
 @@ -9,6 +9,7 @@
  type mount_t;
  type mount_exec_t;
@@ -2278,7 +2577,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.3/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/raid.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/raid.te	2006-11-06 16:45:08.000000000 -0500
 @@ -38,12 +38,15 @@
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -2305,7 +2604,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.3/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-10-27 10:27:56.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.if	2006-11-06 16:45:08.000000000 -0500
 @@ -713,7 +713,7 @@
  	')
  
@@ -2326,7 +2625,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.3/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te	2006-11-06 13:09:23.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te	2006-11-06 16:45:08.000000000 -0500
 @@ -107,6 +107,11 @@
  type semanage_exec_t;
  domain_entry_file(semanage_t, semanage_exec_t)
@@ -2367,7 +2666,7 @@
  init_dontaudit_use_script_ptys(restorecond_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.3/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/unconfined.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/unconfined.if	2006-11-06 16:45:08.000000000 -0500
 @@ -31,6 +31,7 @@
  	allow $1 self:nscd *;
  	allow $1 self:dbus *;
@@ -2403,8 +2702,18 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.3/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/unconfined.te	2006-11-06 15:26:09.000000000 -0500
-@@ -138,6 +138,8 @@
++++ serefpolicy-2.4.3/policy/modules/system/unconfined.te	2006-11-06 16:45:21.000000000 -0500
+@@ -83,6 +83,9 @@
+ 		optional_policy(`
+ 			networkmanager_dbus_chat(unconfined_t)
+ 		')
++		optional_policy(`
++			oddjob_dbus_chat(unconfined_t)
++		')
+ 	')
+ 
+ 	optional_policy(`
+@@ -138,6 +141,8 @@
  
  	optional_policy(`
  		rpm_domtrans(unconfined_t)
@@ -2413,7 +2722,7 @@
  	')
  
  	optional_policy(`
-@@ -173,6 +175,8 @@
+@@ -173,6 +178,8 @@
  	optional_policy(`
  		xserver_domtrans_xdm_xserver(unconfined_t)
  	')
@@ -2422,7 +2731,7 @@
  ')
  
  ########################################
-@@ -181,6 +185,10 @@
+@@ -181,6 +188,10 @@
  #
  
  ifdef(`targeted_policy',`
@@ -2435,7 +2744,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/userdomain.if	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/userdomain.if	2006-11-06 16:45:08.000000000 -0500
 @@ -22,6 +22,10 @@
  ## <rolebase/>
  #
@@ -2692,7 +3001,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.3/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/userdomain.te	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/userdomain.te	2006-11-07 14:07:54.000000000 -0500
 @@ -24,6 +24,9 @@
  # users home directory contents
  attribute home_type;
@@ -2703,7 +3012,23 @@
  # The privhome attribute identifies every domain that can create files under
  # regular user home directories in the regular context (IE act on behalf of
  # a user in writing regular files)
-@@ -428,6 +431,9 @@
+@@ -155,11 +158,15 @@
+ 		init_exec(secadm_t)
+ 		logging_read_audit_log(secadm_t)
+ 	        logging_read_generic_logs(secadm_t)
++		logging_read_audit_config(secadm_t)
+ 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ 		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+ 		optional_policy(`
+ 			netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ 		')
++		optional_policy(`
++			aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
++		')
+ 	',`
+ 		logging_manage_audit_log(sysadm_t)
+ 		logging_manage_audit_config(sysadm_t)
+@@ -428,6 +435,9 @@
  	')
  
  	optional_policy(`
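Review bot: The new `aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })` block in userdomain.te has no comment recording why the integrity checker is tied to secadm_r. The two lines of the else branch visible here give sysadm_t no matching call, so the hunk alone does not show who may run aide in the other configuration. A comment above the block such as `# aide is run from the security administrator role` would state the intent, if that is the intent. The conditional enclosing these lines starts outside the hunk, and the `aide_run` interface is defined outside this part of the patch. Its branch condition should be checked against the commit's enabling of the aide module in modules-mls.conf.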
@@ -2715,7 +3040,7 @@
  		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.3/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.fc	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.fc	2006-11-06 16:45:08.000000000 -0500
 @@ -8,6 +8,7 @@
  /usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
  
@@ -2726,7 +3051,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.3/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.te	2006-11-06 12:20:00.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.te	2006-11-06 16:45:08.000000000 -0500
 @@ -152,6 +152,7 @@
  dev_manage_xen(xend_t)
  dev_filetrans_xen(xend_t)
@@ -2783,7 +3108,7 @@
 +fs_read_nfs_files(xend_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.3/Rules.modular
 --- nsaserefpolicy/Rules.modular	2006-10-16 12:20:19.000000000 -0400
-+++ serefpolicy-2.4.3/Rules.modular	2006-11-06 12:11:58.000000000 -0500
++++ serefpolicy-2.4.3/Rules.modular	2006-11-06 16:45:08.000000000 -0500
 @@ -219,6 +219,16 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.331
retrieving revision 1.332
diff -u -r1.331 -r1.332
--- selinux-policy.spec	6 Nov 2006 21:15:56 -0000	1.331
+++ selinux-policy.spec	7 Nov 2006 20:38:46 -0000	1.332
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.3
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -133,7 +133,7 @@
 %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
-%{_sysconfdir}/selinux/%1/contexts/users/root 
+%{_sysconfdir}/selinux/%1/contexts/users/root
 
 %define saveFileContext() \
 if [ -s /etc/selinux/config ]; then \
@@ -351,7 +351,11 @@
 %endif
 
 %changelog
-* Fri Nov 3 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-1
+* Tue Nov 7 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-2
+- Fix rpc_port_types
+- Add aide policy for mls
+
+* Mon Nov 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-1
 - Merge with upstream
 
 * Fri Nov 3 2006 Dan Walsh <dwalsh at redhat.com> 2.4.2-8



