rpms/selinux-policy/FC-6 policy-20061106.patch, 1.1, 1.2 selinux-policy.spec, 1.325, 1.326
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Nov 13 16:32:46 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv7835
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Mon Nov 13 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10.fc6
- Bump for fc6
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 3
policy/global_tunables | 36 ++
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 5
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 38 --
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 12
policy/modules/kernel/corenetwork.te.in | 18 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 66 ++++
policy/modules/kernel/files.te | 2
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.if | 56 +++
policy/modules/services/aide.te | 52 +++
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 10
policy/modules/services/automount.te | 1
policy/modules/services/bind.te | 1
policy/modules/services/ccs.fc | 10
policy/modules/services/ccs.if | 83 +++++
policy/modules/services/ccs.te | 89 +++++
policy/modules/services/cron.if | 26 -
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/hal.fc | 4
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 12
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 3
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 16 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 483 ++++++++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 1
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 7
policy/modules/services/ssh.te | 2
policy/modules/services/telnet.te | 1
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 2
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14
policy/modules/system/iscsi.if | 2
policy/modules/system/libraries.fc | 12
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 13
policy/modules/system/modutils.te | 6
policy/modules/system/mount.te | 19 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 13
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 11
policy/modules/system/userdomain.if | 201 +++++++++++++
policy/modules/system/userdomain.te | 10
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 29 +
96 files changed, 1823 insertions(+), 147 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20061106.patch 7 Nov 2006 20:41:45 -0000 1.1
+++ policy-20061106.patch 13 Nov 2006 16:32:43 -0000 1.2
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.3/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-10-23 16:14:53.000000000 -0400
-+++ serefpolicy-2.4.3/policy/flask/access_vectors 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/flask/access_vectors 2006-11-09 14:03:18.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
@@ -18,7 +18,7 @@
}
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.3/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/global_tunables 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/global_tunables 2006-11-09 14:03:18.000000000 -0500
@@ -574,6 +574,13 @@
gen_tunable(xdm_sysadm_login,false)
')
@@ -76,7 +76,7 @@
+gen_tunable(use_lpd_server,false)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.4.3/policy/mls
--- nsaserefpolicy/policy/mls 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/mls 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/mls 2006-11-09 14:03:18.000000000 -0500
@@ -597,4 +597,7 @@
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
@@ -87,7 +87,7 @@
') dnl end enable_mls
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.3/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/acct.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/acct.te 2006-11-09 14:03:18.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
@@ -98,7 +98,7 @@
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.3/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/amanda.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/amanda.te 2006-11-09 14:03:18.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -109,7 +109,7 @@
allow amanda_t amanda_amandates_t:file { getattr lock read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.3/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te 2006-11-09 14:03:18.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -134,7 +134,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.3/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te 2006-11-09 14:03:18.000000000 -0500
@@ -10,6 +10,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -145,7 +145,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.3/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te 2006-11-09 14:03:18.000000000 -0500
@@ -53,6 +53,7 @@
corecmd_exec_ls(logwatch_t)
@@ -156,7 +156,7 @@
domain_read_all_domains_state(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.3/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/netutils.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/netutils.te 2006-11-09 14:03:18.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
@@ -172,7 +172,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.3/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/prelink.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/prelink.te 2006-11-09 14:03:18.000000000 -0500
@@ -57,6 +57,7 @@
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
@@ -195,7 +195,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.3/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc 2006-11-09 14:03:18.000000000 -0500
@@ -21,6 +21,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -208,7 +208,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.3/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.if 2006-11-09 14:03:18.000000000 -0500
@@ -278,3 +278,27 @@
dontaudit $1 rpm_var_lib_t:file create_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
@@ -239,7 +239,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.3/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-06 11:13:22.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/admin/rpm.te 2006-11-10 13:44:31.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -249,7 +249,26 @@
domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
-@@ -254,6 +256,9 @@
+@@ -176,6 +178,7 @@
+ unconfined_domain(rpm_t)
+ ')
+
++
+ ifdef(`targeted_policy',`
+ unconfined_domain(rpm_t)
+ # yum-updatesd requires this
+@@ -189,6 +192,10 @@
+ ')
+
+ optional_policy(`
++ hal_dbus_chat(rpm_t)
++')
++
++optional_policy(`
+ cron_system_entry(rpm_t,rpm_exec_t)
+ ')
+
+@@ -254,6 +261,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
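Review bot: The new `hal_dbus_chat(rpm_t)` block has no comment saying which rpm front end needs to talk to hald, and the `++` line just above the `ifdef(`targeted_policy',` context adds a second consecutive blank line that is whitespace noise. Because the targeted build already makes rpm_t an `unconfined_domain` (visible in the context lines), the new grant only changes behaviour in the strict/MLS build, which is exactly where the next reader will ask why rpm chats with hald over the bus. I would drop the stray blank line and put `# NOTE(review): rpm front ends talk to hald over the system bus — confirm which tool needs this` above `hal_dbus_chat(rpm_t)`. The rpm_t local-policy section this hunk edits starts and ends outside the hunk.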
@@ -259,9 +278,41 @@
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
+@@ -368,31 +378,3 @@
+ usermanage_domtrans_useradd(rpm_script_t)
+ ')
+
+-ifdef(`TODO',`
+-optional_policy(`
+-can_exec(rpm_script_t,printconf_t)
+-')
+-
+-optional_policy(`
+-allow cupsd_t rpm_var_lib_t:dir r_dir_perms;
+-allow cupsd_t rpm_var_lib_t:file r_file_perms;
+-allow cupsd_t rpb_var_lib_t:lnk_file r_file_perms;
+-allow cupsd_t initrc_exec_t:file r_file_perms;
+-domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
+-')
+-
+-optional_policy(`
+-domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
+-')
+-
+-optional_policy(`
+-domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
+-')
+-
+-ifdef(`hide_broken_symptoms', `
+- optional_policy(`
+- domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
+- ')
+-')
+-
+-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.3/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/apps/java.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/apps/java.fc 2006-11-09 14:03:18.000000000 -0500
@@ -1,7 +1,7 @@
#
# /opt
@@ -273,7 +324,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.3/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2006-10-27 10:27:56.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/corecommands.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corecommands.if 2006-11-09 14:03:18.000000000 -0500
@@ -928,7 +928,19 @@
type bin_t, sbin_t;
')
@@ -319,7 +370,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-10-17 13:47:44.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in 2006-11-07 11:31:40.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.if.in 2006-11-09 14:03:18.000000000 -0500
@@ -998,9 +998,11 @@
interface(`corenet_tcp_sendrecv_reserved_port',`
gen_require(`
@@ -394,7 +445,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-07 11:32:22.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-10 15:53:05.000000000 -0500
@@ -43,11 +43,16 @@
sid port gen_context(system_u:object_r:port_t,s0)
@@ -421,7 +472,15 @@
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -122,6 +128,8 @@
+@@ -108,6 +114,7 @@
+ network_port(nessus, tcp,1241,s0)
+ network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+ network_port(ntp, udp,123,s0)
++network_port(ocsp, tcp,9080,s0)
+ network_port(openvpn, udp,1194,s0)
+ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_https, tcp,5989,s0)
+@@ -122,6 +129,8 @@
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
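Review bot: `network_port(ocsp, tcp,9080,s0)` declares a new port type with no comment saying which responder actually listens on 9080; OCSP is normally carried over plain HTTP, so a reader will not recognise 9080 as an OCSP port from the name alone. I would add `# ocsp: TCP 9080, OCSP responder port used by <service> — confirm` above the declaration. Nothing in this hunk grants any domain the new `ocsp_port_t`; if the matching `corenet_*` rules are not elsewhere in the patch the label is inert, which is worth stating in the commit message. The port table continues beyond the hunk.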
@@ -430,7 +489,7 @@
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
-@@ -152,8 +160,11 @@
+@@ -152,8 +161,11 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -446,7 +505,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2006-09-29 14:28:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4 2006-11-07 11:08:36.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.m4 2006-11-09 14:03:18.000000000 -0500
@@ -55,8 +55,8 @@
define(`declare_ports',`dnl
ifelse(eval($3 < 1024),1,`
@@ -460,7 +519,7 @@
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.3/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/devices.fc 2006-11-07 12:52:47.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/devices.fc 2006-11-09 14:03:18.000000000 -0500
@@ -20,11 +20,13 @@
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
@@ -485,7 +544,7 @@
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.4.3/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/devices.te 2006-11-07 12:43:22.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/devices.te 2006-11-09 14:03:18.000000000 -0500
@@ -27,6 +27,12 @@
dev_node(agp_device_t)
@@ -501,7 +560,7 @@
type apm_bios_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.3/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/domain.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/domain.te 2006-11-09 14:03:18.000000000 -0500
@@ -144,3 +144,10 @@
# act on all domains keys
@@ -515,7 +574,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.3/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-29 14:28:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/files.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/files.if 2006-11-10 15:09:35.000000000 -0500
@@ -353,8 +353,7 @@
########################################
@@ -612,9 +671,21 @@
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.4.3/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te 2006-11-06 11:13:17.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/files.te 2006-11-09 14:03:18.000000000 -0500
+@@ -209,6 +209,8 @@
+ #
+
+ # Create/access any file in a labeled filesystem;
++allow files_unconfined_type security_file_type:file ~execmod;
++allow files_unconfined_type security_file_type:dir *;
+ allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.3/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/filesystem.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/filesystem.te 2006-11-09 14:03:18.000000000 -0500
@@ -21,9 +21,11 @@
# Use xattrs for the following filesystem types.
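Review bot: The two added files.te rules give every `files_unconfined_type` domain full `dir` access and every `file` permission except `execmod` on every `security_file_type`, an attribute this policy evidently keeps separate from `file_type` (otherwise the existing `file_type` rules directly below would already cover it), and nothing says why that separation is being bypassed wholesale. The same patch also takes the other route for one such type, adding `files_type(dnssec_t)` in bind.te, so one of the two fixes looks redundant; I would keep one and document it, e.g. `# unconfined domains may also manage security files (e.g. DNSSEC keys); those types are not file_type, so the rules below do not reach them` above the new `allow` lines. Any other type carrying `security_file_type` is opened up by this change as well, so the commit message should list them. The files_unconfined_type section begins before the hunk.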
@@ -644,7 +715,7 @@
+fs_associate_noxattr(noxattrfs)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.4.3/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2006-10-16 12:20:16.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/kernel/terminal.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/terminal.fc 2006-11-09 14:03:18.000000000 -0500
@@ -11,6 +11,7 @@
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -655,7 +726,7 @@
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.3/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/terminal.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/terminal.te 2006-11-09 14:03:18.000000000 -0500
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
@@ -666,14 +737,14 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.fc serefpolicy-2.4.3/policy/modules/services/aide.fc
--- nsaserefpolicy/policy/modules/services/aide.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/aide.fc 2006-11-07 14:05:35.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.fc 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,3 @@
+/usr/sbin/aide -- gen_context(system_u:object_r:aide_exec_t,mls_systemhigh)
+/var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh)
+/var/log/aide.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-2.4.3/policy/modules/services/aide.if
--- nsaserefpolicy/policy/modules/services/aide.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/aide.if 2006-11-07 14:05:35.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.if 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,56 @@
+## <summary>Aide filesystem integrity checker</summary>
+
@@ -733,7 +804,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-2.4.3/policy/modules/services/aide.te
--- nsaserefpolicy/policy/modules/services/aide.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/aide.te 2006-11-07 14:05:35.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/aide.te 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,52 @@
+
+policy_module(aide,1.0)
@@ -789,7 +860,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.3/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/apache.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/apache.fc 2006-11-09 14:03:18.000000000 -0500
@@ -45,6 +45,7 @@
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -813,7 +884,7 @@
+/opt/fortitude/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.3/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/apache.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/apache.te 2006-11-09 14:03:18.000000000 -0500
@@ -143,6 +143,8 @@
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -861,7 +932,7 @@
ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.3/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/automount.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/automount.te 2006-11-09 14:03:18.000000000 -0500
@@ -76,6 +76,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -870,9 +941,20 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.4.3/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te 2006-10-19 11:47:39.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/bind.te 2006-11-09 14:03:18.000000000 -0500
+@@ -8,6 +8,7 @@
+
+ # for DNSSEC key files
+ type dnssec_t;
++files_type(dnssec_t)
+ files_security_file(dnssec_t)
+
+ type named_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.4.3/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.fc 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,10 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
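Review bot: `files_type(dnssec_t)` is added beside `files_security_file(dnssec_t)` for a type the existing comment describes as DNSSEC key files, and once dnssec_t is a plain `file_type` every interface written against the `file_type` attribute reaches the key material, which is presumably what `files_security_file` was meant to prevent. If the intent is only to let unconfined domains manage the keys, the files.te change in this same patch already does that through `security_file_type`, so this line may be unnecessary; if the keys really are meant to be ordinary files, say so with `# also a generic file_type: DNSSEC keys are reachable via file_type-wide grants — intentional`. The bind module's type declarations continue outside the hunk.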
@@ -886,7 +968,7 @@
+/var/run/cman_.* -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.4.3/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.if 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,83 @@
+## <summary>policy for ccs</summary>
+
@@ -973,7 +1055,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.4.3/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ccs.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ccs.te 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,89 @@
+policy_module(ccs,1.0.0)
+
@@ -1066,7 +1148,7 @@
+dev_read_urand(ccs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.3/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/cron.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cron.if 2006-11-09 14:03:18.000000000 -0500
@@ -54,9 +54,6 @@
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
@@ -1142,7 +1224,7 @@
# fcron wants an instant update of a crontab change for the administrator
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.3/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cron.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cron.te 2006-11-09 14:03:18.000000000 -0500
@@ -166,6 +166,11 @@
')
')
@@ -1157,7 +1239,7 @@
allow crond_t system_crond_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.3/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cups.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cups.fc 2006-11-09 14:03:18.000000000 -0500
@@ -23,7 +23,7 @@
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -1169,7 +1251,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.3/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/cups.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cups.te 2006-11-09 14:03:18.000000000 -0500
@@ -161,6 +161,7 @@
dev_read_urand(cupsd_t)
dev_read_sysfs(cupsd_t)
@@ -1190,7 +1272,7 @@
ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.3/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/cvs.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/cvs.te 2006-11-09 14:03:18.000000000 -0500
@@ -9,6 +9,7 @@
type cvs_t;
type cvs_exec_t;
@@ -1201,7 +1283,7 @@
type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.4.3/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/dbus.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/dbus.fc 2006-11-09 14:03:18.000000000 -0500
@@ -4,3 +4,4 @@
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
@@ -1209,7 +1291,7 @@
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.3/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/dbus.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/dbus.if 2006-11-09 14:03:18.000000000 -0500
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -1218,9 +1300,91 @@
corecmd_list_bin($1_dbusd_t)
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.4.3/policy/modules/services/hal.fc
+--- nsaserefpolicy/policy/modules/services/hal.fc 2006-07-14 17:04:40.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/hal.fc 2006-11-09 14:03:18.000000000 -0500
+@@ -7,3 +7,7 @@
+ /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+
+ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
++
++/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
++
++/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.3/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2006-11-06 11:13:19.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/hal.te 2006-11-09 14:03:18.000000000 -0500
+@@ -16,6 +16,9 @@
+ type hald_var_run_t;
+ files_pid_file(hald_var_run_t)
+
++type hald_var_lib_t;
++files_type(hald_var_lib_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -39,6 +42,11 @@
+ allow hald_t hald_tmp_t:file create_file_perms;
+ files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
+
++# var/lib files for hald
++allow hald_t hald_var_lib_t:file create_file_perms;
++allow hald_t hald_var_lib_t:sock_file create_file_perms;
++allow hald_t hald_var_lib_t:dir create_dir_perms;
++
+ allow hald_t hald_var_run_t:file create_file_perms;
+ allow hald_t hald_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(hald_t,hald_var_run_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.4.3/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2006-09-22 14:07:06.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/kerberos.if 2006-11-10 16:54:22.000000000 -0500
+@@ -57,6 +57,7 @@
+ corenet_udp_bind_all_nodes($1)
+ corenet_tcp_connect_kerberos_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
++ corenet_tcp_connect_ocsp_port($1)
+
+ sysnet_read_config($1)
+ sysnet_dns_name_resolve($1)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.4.3/policy/modules/services/kerberos.te
+--- nsaserefpolicy/policy/modules/services/kerberos.te 2006-10-19 11:47:39.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/kerberos.te 2006-11-10 16:53:44.000000000 -0500
+@@ -24,6 +24,7 @@
+
+ # types for general configuration files in /etc
+ type krb5_keytab_t;
++files_type(krb5_keytab_t)
+ files_security_file(krb5_keytab_t)
+
+ # types for KDC configs and principal file(s)
+@@ -156,14 +157,21 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+-allow krb5kdc_t self:process signal_perms;
++allow krb5kdc_t self:process { getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
++allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+ allow krb5kdc_t self:udp_socket create_socket_perms;
+
++files_read_usr_symlinks(krb5kdc_t)
++files_read_var_files(krb5kdc_t)
++
+ allow krb5kdc_t krb5_conf_t:file r_file_perms;
+ dontaudit krb5kdc_t krb5_conf_t:file write;
+
++corenet_tcp_connect_ocsp_port(krb5kdc_t)
++corecmd_exec_sbin(krb5kdc_t)
++corecmd_exec_bin(krb5kdc_t)
++
+ can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+ allow krb5kdc_t krb5kdc_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.3/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/lpd.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/lpd.if 2006-11-09 14:03:18.000000000 -0500
@@ -64,33 +64,35 @@
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
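Review bot: The new `corecmd_exec_bin(krb5kdc_t)` and `corecmd_exec_sbin(krb5kdc_t)` lines in the kerberos.te hunk let the domain that holds the realm master key (and already carries dac_override, net_admin and setuid) run any bin_t/sbin_t program in its own context, and nothing in the hunk says which helper needs this. Please add a comment naming the binary, e.g. `# krb5kdc execs <helper> for PKINIT; runs in krb5kdc_t because it has no domain of its own`, and if it is a single known helper prefer a domain transition or a narrower interface over exec of the whole bin/sbin tree. The `corenet_tcp_connect_ocsp_port` additions in kerberos.if and kerberos.te presumably exist for PKINIT certificate checking; a one-line comment at each would save the next reader a guess. The added `files_type(krb5_keytab_t)` sits next to `files_security_file(krb5_keytab_t)`, which in this refpolicy generation already applies files_type as far as I recall, so the new line is likely redundant and can be dropped once confirmed. The krb5kdc_t rule block continues outside this hunk.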
@@ -1282,9 +1446,20 @@
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
# Transition from the user domain to the derived domain.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.3/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if 2006-09-15 13:14:25.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/mta.if 2006-11-10 16:50:04.000000000 -0500
+@@ -820,6 +820,7 @@
+ type mqueue_spool_t;
+ ')
+
++ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
+ dontaudit $1 mqueue_spool_t:file { getattr read write };
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.3/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/mta.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/mta.te 2006-11-09 14:03:18.000000000 -0500
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -1295,7 +1470,7 @@
role system_r types system_mail_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.3/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-08-07 18:55:18.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/nscd.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/nscd.if 2006-11-09 14:03:18.000000000 -0500
@@ -181,3 +181,23 @@
allow $1 nscd_t:nscd *;
@@ -1322,7 +1497,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.3/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/nscd.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/nscd.te 2006-11-09 14:03:18.000000000 -0500
@@ -120,6 +120,9 @@
term_dontaudit_use_unallocated_ttys(nscd_t)
term_dontaudit_use_generic_ptys(nscd_t)
@@ -1335,7 +1510,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.3/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/oddjob.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/oddjob.te 2006-11-09 20:51:53.000000000 -0500
@@ -10,6 +10,7 @@
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -1344,9 +1519,18 @@
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
+@@ -27,7 +28,7 @@
+ #
+
+ allow oddjob_t self:capability { audit_write setgid } ;
+-allow oddjob_t self:process setexec;
++allow oddjob_t self:process { setexec signal };
+ allow oddjob_t self:fifo_file { read write };
+ allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.3/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/pegasus.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/pegasus.if 2006-11-09 14:03:18.000000000 -0500
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -1382,7 +1566,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.3/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/pegasus.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/pegasus.te 2006-11-09 14:03:18.000000000 -0500
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -1401,7 +1585,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.3/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/procmail.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/procmail.te 2006-11-09 14:03:18.000000000 -0500
@@ -10,6 +10,7 @@
type procmail_exec_t;
domain_type(procmail_t)
@@ -1434,7 +1618,7 @@
userdom_dontaudit_search_staff_home_dirs(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.4.3/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.fc 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
@@ -1458,7 +1642,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.4.3/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ricci.if 2006-11-09 14:03:18.000000000 -0500
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
@@ -1646,8 +1830,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.3/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-06 16:45:08.000000000 -0500
-@@ -0,0 +1,477 @@
++++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-10 17:09:48.000000000 -0500
+@@ -0,0 +1,483 @@
+policy_module(ricci,1.0.0)
+
+########################################
@@ -2027,15 +2211,17 @@
+')
+domain_auto_trans(ricci_t,ricci_modstorage_exec_t,ricci_modstorage_t)
+
-+allow ricci_modstorage_t self:process setsched;
++allow ricci_modstorage_t self:process { setsched signal };
+allow ricci_modstorage_t self:capability { mknod sys_nice };
+allow ricci_modstorage_t self:fifo_file rw_file_perms;
++allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
+
+corecmd_exec_bin(ricci_modstorage_t)
+corecmd_exec_sbin(ricci_modstorage_t)
+
+files_read_etc_files(ricci_modstorage_t)
+files_read_etc_runtime_files(ricci_modstorage_t)
++files_read_usr_files(ricci_modstorage_t)
+
+fstools_domtrans(ricci_modstorage_t)
+
@@ -2057,9 +2243,10 @@
+
+modutils_read_module_deps(ricci_modstorage_t)
+
-+files_read_usr_files(ricci_modstorage_t)
+storage_raw_read_fixed_disk(ricci_modstorage_t)
+
++term_dontaudit_use_console(ricci_modstorage_t)
++
+optional_policy(`
+ ccs_read_config(ricci_modstorage_t)
+')
@@ -2085,6 +2272,7 @@
+
+corecmd_exec_shell(ricci_modcluster_t)
+init_exec(ricci_modcluster_t)
++init_domtrans_script(ricci_modcluster_t)
+files_search_locks(ricci_modcluster_t)
+
+logging_send_syslog_msg(ricci_modcluster_t)
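Review bot: `init_domtrans_script(ricci_modcluster_t)` lets a network-reachable cluster agent start or stop every init script on the host, and together with the existing `corecmd_exec_shell` and `init_exec` lines that is a large grant for a line with no explanation. A short comment stating what modcluster actually drives would make the intent reviewable, e.g. `# modcluster starts/stops cluster services (cman, rgmanager, ...) via their init scripts`. The ricci_modcluster_t domain declaration and the rest of its rules are outside this hunk.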
@@ -2120,14 +2308,16 @@
+ ccs_manage_config(ricci_modcluster_t)
+')
+
-+
-+
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
+')
++
++# THis has got to go.
++unconfined_domain(ricci_modcluster_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.3/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/rsync.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/rsync.te 2006-11-09 14:03:18.000000000 -0500
@@ -9,6 +9,7 @@
type rsync_t;
type rsync_exec_t;
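Review bot: `unconfined_domain(ricci_modcluster_t)` at the end of the ricci.te hunk removes every restriction on a network-facing cluster agent, and the accompanying comment (`# THis has got to go.`) admits it is a stop-gap with no record of which denials it hides. Until the real rules are written, gate it the same way this patch gates ldconfig_t and insmod_t, with the ifdef(targeted_policy) guard, so the strict/MLS builds do not inherit an unconfined daemon, and replace the comment with a TODO that lists the AVC denials being papered over, e.g. `# TODO: temporary; remove once modcluster denials (see bug ...) are covered by real rules`. Fixing the typo in the comment is incidental. The ricci_modcluster_t rule block starts outside this hunk.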
@@ -2136,9 +2326,28 @@
role system_r types rsync_t;
type rsync_data_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.4.3/policy/modules/services/samba.if
+--- nsaserefpolicy/policy/modules/services/samba.if 2006-09-15 13:14:24.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/samba.if 2006-11-10 08:19:15.000000000 -0500
+@@ -140,6 +140,7 @@
+ ')
+
+ files_search_etc($1)
++ allow $1 samba_etc_t:dir search_dir_perms;
+ allow $1 samba_etc_t:file { read getattr lock };
+ ')
+
+@@ -161,6 +162,7 @@
+ ')
+
+ files_search_etc($1)
++ allow $1 samba_etc_t:dir search_dir_perms;
+ allow $1 samba_etc_t:file rw_file_perms;
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.3/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/samba.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/samba.te 2006-11-09 14:03:18.000000000 -0500
@@ -525,7 +525,8 @@
allow swat_t self:netlink_audit_socket create;
allow swat_t self:tcp_socket create_stream_socket_perms;
@@ -2168,7 +2377,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.3/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/sasl.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/sasl.te 2006-11-09 14:03:18.000000000 -0500
@@ -47,6 +47,8 @@
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
@@ -2180,7 +2389,7 @@
auth_domtrans_chk_passwd(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.3/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/snmp.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/snmp.te 2006-11-09 14:03:18.000000000 -0500
@@ -87,6 +87,7 @@
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)
@@ -2191,7 +2400,7 @@
fs_getattr_rpc_dirs(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.3/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/spamassassin.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/spamassassin.te 2006-11-09 14:03:18.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -2212,7 +2421,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.4.3/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/squid.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/squid.te 2006-11-09 14:03:18.000000000 -0500
@@ -98,6 +98,9 @@
fs_getattr_all_fs(squid_t)
@@ -2233,7 +2442,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.3/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2006-11-06 11:13:19.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ssh.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/ssh.te 2006-11-09 14:03:18.000000000 -0500
@@ -10,7 +10,7 @@
# ssh client executable.
@@ -2245,7 +2454,7 @@
type ssh_keygen_exec_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.4.3/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/telnet.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/telnet.te 2006-11-09 14:03:18.000000000 -0500
@@ -32,6 +32,7 @@
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
@@ -2256,7 +2465,7 @@
allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.3/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/xserver.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/xserver.if 2006-11-09 14:03:18.000000000 -0500
@@ -898,10 +898,12 @@
domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -2314,7 +2523,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.3/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/authlogin.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/authlogin.if 2006-11-09 14:03:18.000000000 -0500
@@ -1258,7 +1258,7 @@
type wtmp_t;
')
@@ -2326,7 +2535,7 @@
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.3/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/authlogin.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/authlogin.te 2006-11-09 14:03:18.000000000 -0500
@@ -141,6 +141,7 @@
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
allow pam_console_t pam_var_console_t:file r_file_perms;
@@ -2337,7 +2546,7 @@
kernel_use_fds(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.4.3/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/fstools.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/fstools.fc 2006-11-09 14:03:18.000000000 -0500
@@ -19,7 +19,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -2348,7 +2557,7 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.3/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/fstools.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/fstools.te 2006-11-09 14:03:18.000000000 -0500
@@ -9,7 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -2360,7 +2569,7 @@
type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.3/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/getty.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/getty.te 2006-11-09 14:03:18.000000000 -0500
@@ -33,7 +33,8 @@
#
@@ -2373,7 +2582,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.3/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/hostname.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/hostname.te 2006-11-09 14:03:18.000000000 -0500
@@ -8,8 +8,12 @@
type hostname_t;
@@ -2390,7 +2599,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.4.3/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2006-08-25 13:29:58.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/init.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/init.fc 2006-11-09 14:03:18.000000000 -0500
@@ -66,3 +66,6 @@
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@@ -2400,7 +2609,7 @@
+/var/run/pcscd\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.3/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/init.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/init.te 2006-11-09 14:03:18.000000000 -0500
@@ -347,7 +347,8 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -2438,7 +2647,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.4.3/policy/modules/system/iscsi.if
--- nsaserefpolicy/policy/modules/system/iscsi.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/iscsi.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/iscsi.if 2006-11-09 14:03:18.000000000 -0500
@@ -16,6 +16,8 @@
')
@@ -2450,7 +2659,7 @@
allow iscsid_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/libraries.fc 2006-11-07 09:28:47.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/libraries.fc 2006-11-09 14:03:18.000000000 -0500
@@ -1,3 +1,4 @@
+
#
@@ -2474,17 +2683,39 @@
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -262,6 +265,7 @@
- /usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/(local/)?(.*/)?jre.*/libj9thr23.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -258,10 +261,9 @@
+ /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ # Java, Sun Microsystems (JPackage SRPM)
+-/usr/(.*/)?jre.*/libdeploy\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?(.*/)?jre.*/libjvm\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?(.*/)?jre.*/libawt\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?(.*/)?jre.*/libjavaplugin_ojigcc3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.4.3/policy/modules/system/libraries.te
+--- nsaserefpolicy/policy/modules/system/libraries.te 2006-11-06 11:13:21.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/libraries.te 2006-11-09 14:03:18.000000000 -0500
+@@ -81,12 +81,6 @@
+
+ userdom_use_all_users_fds(ldconfig_t)
+
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+- ')
+-')
+-
+ ifdef(`targeted_policy',`
+ allow ldconfig_t lib_t:file r_file_perms;
+ unconfined_domain(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.3/policy/modules/system/locallogin.if
--- nsaserefpolicy/policy/modules/system/locallogin.if 2006-10-16 12:20:18.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/locallogin.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/locallogin.if 2006-11-09 14:03:18.000000000 -0500
@@ -75,3 +75,40 @@
allow $1 local_login_t:process signull;
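Review bot: The replacement pattern `/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` in libraries.fc labels every shared object under any jre directory as textrel_shlib_t, which grants execmod and therefore waives the write-xor-execute protection for libraries that never needed text relocations; the version it replaces named only the few libraries that do. If a blanket label is really required, say so in a comment above the line, e.g. `# JRE ships many non-PIC libs; blanket textrel label until they are enumerated`, otherwise keep the per-library entries (including the libj9thr23 one this revision dropped). The two following lines for /usr/local and /usr/lib(64) are already matched by the first pattern's `(.*/)?` and can be removed.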
@@ -2528,7 +2759,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.3/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/logging.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/logging.te 2006-11-09 14:03:18.000000000 -0500
@@ -53,6 +53,7 @@
type var_log_t;
@@ -2537,9 +2768,91 @@
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.4.3/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc 2006-08-29 09:00:29.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/lvm.fc 2006-11-10 13:52:25.000000000 -0500
+@@ -88,3 +88,4 @@
+ /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.3/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2006-10-19 11:47:40.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/lvm.te 2006-11-10 15:46:32.000000000 -0500
+@@ -13,6 +13,9 @@
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+
++type lvm_var_lib_t;
++files_type(lvm_var_lib_t)
++
+ type lvm_t;
+ type lvm_exec_t;
+ init_system_domain(lvm_t,lvm_exec_t)
+@@ -121,7 +124,9 @@
+
+ # DAC overrides and mknod for modifying /dev entries (vgmknodes)
+ # rawio needed for dmraid
+-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
++allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
++# lvm needs net_admin for multipath
++
+ dontaudit lvm_t self:capability sys_tty_config;
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+ # LVM will complain a lot if it cannot set its priority.
+@@ -147,6 +152,10 @@
+ allow lvm_t lvm_lock_t:file create_file_perms;
+ files_lock_filetrans(lvm_t,lvm_lock_t,file)
+
++allow lvm_t lvm_var_lib_t:dir manage_dir_perms;
++allow lvm_t lvm_var_lib_t:file manage_file_perms;
++files_var_lib_filetrans(lvm_t,lvm_var_lib_t,{ dir file })
++
+ allow lvm_t lvm_var_run_t:file manage_file_perms;
+ allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
+ allow lvm_t lvm_var_run_t:dir manage_dir_perms;
+@@ -216,7 +225,7 @@
+ term_dontaudit_getattr_all_user_ttys(lvm_t)
+ term_dontaudit_getattr_pty_dirs(lvm_t)
+
+-corecmd_search_sbin(lvm_t)
++corecmd_exec_sbin(lvm_t)
+ corecmd_dontaudit_getattr_sbin_files(lvm_t)
+
+ domain_use_interactive_fds(lvm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.3/policy/modules/system/modutils.te
+--- nsaserefpolicy/policy/modules/system/modutils.te 2006-10-19 11:47:40.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/system/modutils.te 2006-11-10 15:11:34.000000000 -0500
+@@ -117,10 +117,6 @@
+ kernel_domtrans_to(insmod_t,insmod_exec_t)
+ }
+
+-ifdef(`hide_broken_symptoms',`
+- dev_dontaudit_rw_cardmgr(insmod_t)
+-')
+-
+ ifdef(`targeted_policy',`
+ unconfined_domain(insmod_t)
+ ')
+@@ -172,6 +168,7 @@
+ # Read conf.modules.
+ allow depmod_t modules_conf_t:file r_file_perms;
+
++
+ allow depmod_t modules_dep_t:file create_file_perms;
+ files_kernel_modules_filetrans(depmod_t,modules_dep_t,file)
+
+@@ -179,6 +176,7 @@
+
+ files_read_kernel_symbol_table(depmod_t)
+ files_read_kernel_modules(depmod_t)
++files_delete_kernel_modules(depmod_t)
+
+ fs_getattr_xattr_fs(depmod_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.3/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/mount.te 2006-11-09 14:03:18.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
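Review bot: `corecmd_exec_sbin(lvm_t)` in the lvm.te hunk replaces a search permission with the right to run any sbin_t program inside lvm_t, a domain that also holds sys_admin, sys_rawio, mknod and dac_override, and the new net_admin capability is explained only by a comment placed after the allow line rather than before it. Please move the comment above the rule and name the multipath helper that needs the exec, e.g. `# multipathd/kpartx run from lvm_t; needs net_admin for netlink`, and consider a domain transition if that helper already has a domain. In modutils.te, `files_delete_kernel_modules(depmod_t)` presumably lets depmod replace modules.dep, but modules_dep_t already has create_file_perms above it, so confirm which file depmod actually unlinks before granting delete on the module objects themselves. The blank line added at `allow depmod_t modules_dep_t:file create_file_perms;` is whitespace-only noise in the patch.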
@@ -2575,9 +2888,24 @@
')
')
+@@ -163,14 +170,6 @@
+ apm_use_fds(mount_t)
+ ')
+
+-optional_policy(`
+- ifdef(`hide_broken_symptoms',`
+- # for a bug in the X server
+- rhgb_dontaudit_rw_stream_sockets(mount_t)
+- term_dontaudit_use_ptmx(mount_t)
+- ')
+-')
+-
+ # for kernel package installation
+ optional_policy(`
+ rpm_rw_pipes(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.3/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/raid.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/raid.te 2006-11-09 14:03:18.000000000 -0500
@@ -38,12 +38,15 @@
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -2604,7 +2932,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.3/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-10-27 10:27:56.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.if 2006-11-09 14:03:18.000000000 -0500
@@ -713,7 +713,7 @@
')
@@ -2625,7 +2953,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.3/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/selinuxutil.te 2006-11-09 14:03:18.000000000 -0500
@@ -107,6 +107,11 @@
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -2646,17 +2974,20 @@
corecmd_list_bin(newrole_t)
corecmd_read_bin_symlinks(newrole_t)
-@@ -413,6 +419,9 @@
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(restorecon_t)
- ')
-+ optional_policy(`
-+ xserver_use_xdm_fds(restorecon_t)
-+ ')
+@@ -409,12 +415,6 @@
+ fs_relabel_tmpfs_chr_file(restorecon_t)
')
+-ifdef(`hide_broken_symptoms',`
+- optional_policy(`
+- udev_dontaudit_rw_dgram_sockets(restorecon_t)
+- ')
+-')
+-
optional_policy(`
-@@ -449,6 +458,7 @@
+ hotplug_use_fds(restorecon_t)
+ ')
+@@ -449,6 +449,7 @@
auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
@@ -2666,7 +2997,7 @@
init_dontaudit_use_script_ptys(restorecond_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/unconfined.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/unconfined.if 2006-11-09 14:03:18.000000000 -0500
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
@@ -2702,7 +3033,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/unconfined.te 2006-11-06 16:45:21.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/unconfined.te 2006-11-09 14:03:18.000000000 -0500
@@ -83,6 +83,9 @@
optional_policy(`
networkmanager_dbus_chat(unconfined_t)
@@ -2744,7 +3075,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/userdomain.if 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/userdomain.if 2006-11-09 14:03:19.000000000 -0500
@@ -22,6 +22,10 @@
## <rolebase/>
#
@@ -3001,7 +3332,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/userdomain.te 2006-11-07 14:07:54.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/userdomain.te 2006-11-09 14:03:19.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -3040,7 +3371,7 @@
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.3/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.fc 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/xen.fc 2006-11-09 14:03:19.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
@@ -3051,8 +3382,27 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.3/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-06 11:13:21.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-06 16:45:08.000000000 -0500
-@@ -152,6 +152,7 @@
++++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-10 13:39:54.000000000 -0500
+@@ -86,8 +86,8 @@
+ allow xend_t self:tcp_socket create_stream_socket_perms;
+ allow xend_t self:packet_socket create_socket_perms;
+
+-allow xend_t xen_image_t:dir r_dir_perms;
+-allow xend_t xen_image_t:file rw_file_perms;
++allow xend_t xen_image_t:dir create_dir_perms;
++allow xend_t xen_image_t:file create_file_perms;
+ allow xend_t xen_image_t:blk_file rw_file_perms;
+
+ allow xend_t xenctl_t:fifo_file create_file_perms;
+@@ -143,6 +143,7 @@
+ corenet_tcp_bind_generic_port(xend_t)
+ corenet_tcp_bind_vnc_port(xend_t)
+ corenet_tcp_connect_xserver_port(xend_t)
++corenet_tcp_connect_xen_port(xend_t)
+ corenet_sendrecv_xserver_client_packets(xend_t)
+ corenet_sendrecv_xen_server_packets(xend_t)
+ corenet_sendrecv_soundd_server_packets(xend_t)
+@@ -152,6 +153,7 @@
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
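Review bot: The two `allow xend_t xen_image_t` rules at the top of the new `@@ -86,8 +86,8 @@` hunk move xend_t from `r_dir_perms`/`rw_file_perms` to `create_dir_perms`/`create_file_perms`, and as far as I recall the reference-policy `create_file_perms` set also carries rename and unlink, so xend_t gains the ability to remove and rename guest images, not only to create them. That is probably what the 2.4.3-5 changelog entry ("Allow xend to create files in xen_image_t directories") intends, but the rules themselves do not say so; a comment such as `# xend creates, rewrites and removes guest images under xen_image_t` above the pair would record the intent for anyone later tightening it. The `corenet_tcp_connect_xen_port(xend_t)` line further down matches the 2.4.3-10 entry and needs nothing more.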
@@ -3060,7 +3410,7 @@
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
-@@ -164,7 +165,11 @@
+@@ -164,7 +166,11 @@
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
@@ -3073,7 +3423,7 @@
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
-@@ -236,6 +241,10 @@
+@@ -236,6 +242,10 @@
files_read_usr_files(xenconsoled_t)
@@ -3084,7 +3434,7 @@
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
-@@ -283,6 +292,12 @@
+@@ -283,6 +293,12 @@
files_read_usr_files(xenstored_t)
@@ -3097,18 +3447,20 @@
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
-@@ -353,3 +368,8 @@
+@@ -353,3 +369,10 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
++fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.3/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-10-16 12:20:19.000000000 -0400
-+++ serefpolicy-2.4.3/Rules.modular 2006-11-06 16:45:08.000000000 -0500
++++ serefpolicy-2.4.3/Rules.modular 2006-11-09 14:03:19.000000000 -0500
@@ -219,6 +219,16 @@
########################################
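Review bot: `fs_list_auto_mountpoints(xend_t)` is added directly beneath the existing `#Should have a boolean wrapping these` comment, so the block of unconditional NFS access for xend_t grows instead of receiving the tunable the comment asks for; `fs_write_nfs_files(xend_t)` in particular grants write on nfs_t files for every installation, not just those keeping guest images on NFS. Wrapping the four calls in a tunable_policy block keyed on a new boolean declared with gen_tunable (name to be chosen, e.g. a placeholder such as XEN_USE_NFS_TUNABLE, default off) would let administrators who do not store images on NFS or automounted paths leave those rules disabled. The trailing empty `+` line at the end of the hunk only adds a blank line at end of file and can be dropped.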
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.325
retrieving revision 1.326
diff -u -r1.325 -r1.326
--- selinux-policy.spec 7 Nov 2006 20:54:33 -0000 1.325
+++ selinux-policy.spec 13 Nov 2006 16:32:43 -0000 1.326
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.3
-Release: 2%{?dist}
+Release: 10%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,34 @@
%endif
%changelog
+* Mon Nov 13 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10.fc6
+- Bump for fc6
+
+* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10
+- Allow xen to connect to xen port
+
+* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-9
+- Allow cups to search samba_etc_t directory
+- Allow xend_t to list auto_mountpoints
+
+* Thu Nov 9 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-8
+- Allow xen to search automount
+
+* Thu Nov 9 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-7
+- Fix spec of jre files
+
+* Wed Nov 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-6
+- Fix unconfined access to shadow file
+
+* Wed Nov 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-5
+- Allow xend to create files in xen_image_t directories
+
+* Wed Nov 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-4
+- Fixes for /var/lib/hal
+
+* Tue Nov 7 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-3
+- Remove ability for sysadm_t to look at audit.log
+
* Tue Nov 7 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-2.fc6
- Bump for fc6