rpms/selinux-policy/devel .cvsignore, 1.84, 1.85 policy-20060829.patch, 1.8, 1.9 selinux-policy.spec, 1.269, 1.270 sources, 1.88, 1.89

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Sep 5 12:03:40 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv30791

Modified Files:
	.cvsignore policy-20060829.patch selinux-policy.spec sources 
Log Message:
* Tue Sep 5 2006 Dan Walsh <dwalsh at redhat.com> 2.3.12-1
- Update to upstream



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- .cvsignore	1 Sep 2006 19:45:39 -0000	1.84
+++ .cvsignore	5 Sep 2006 12:03:37 -0000	1.85
@@ -86,3 +86,4 @@
 serefpolicy-2.3.10.tgz
 clog
 serefpolicy-2.3.11.tgz
+serefpolicy-2.3.12.tgz

policy-20060829.patch:
 admin/anaconda.te            |    6 
 admin/bootloader.fc          |    1 
 admin/bootloader.te          |    2 
 admin/consoletype.te         |    7 
 admin/rpm.fc                 |    2 
 admin/rpm.if                 |   13 -
 apps/java.fc                 |    2 
 kernel/corenetwork.te.in     |    4 
 kernel/files.fc              |    1 
 services/amavis.te           |    1 
 services/apache.te           |    1 
 services/bluetooth.te        |    4 
 services/ccs.fc              |    8 
 services/ccs.if              |   65 +++++++
 services/ccs.te              |   87 +++++++++
 services/clamav.te           |    1 
 services/cron.if             |   18 +-
 services/cron.te             |    1 
 services/dbus.if             |    1 
 services/dovecot.te          |    2 
 services/networkmanager.te   |    4 
 services/oddjob.fc           |    8 
 services/oddjob.if           |   76 ++++++++
 services/oddjob.te           |   73 ++++++++
 services/oddjob_mkhomedir.fc |    6 
 services/oddjob_mkhomedir.if |   24 ++
 services/oddjob_mkhomedir.te |   29 +++
 services/pegasus.if          |   31 +++
 services/pegasus.te          |    5 
 services/postfix.te          |    6 
 services/ricci.fc            |   20 ++
 services/ricci.if            |  184 ++++++++++++++++++++
 services/ricci.te            |  386 +++++++++++++++++++++++++++++++++++++++++++
 services/setroubleshoot.te   |    2 
 services/xserver.if          |   22 ++
 system/authlogin.te          |    2 
 system/hostname.te           |    5 
 system/init.te               |    3 
 system/selinuxutil.te        |    7 
 system/userdomain.if         |  247 ++++++++++++++++++---------
 system/userdomain.te         |   48 ++---
 41 files changed, 1278 insertions(+), 137 deletions(-)

Index: policy-20060829.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060829.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20060829.patch	1 Sep 2006 20:27:51 -0000	1.8
+++ policy-20060829.patch	5 Sep 2006 12:03:37 -0000	1.9
@@ -1,90 +1,3 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-2.3.11/policy/modules/admin/amanda.fc
---- nsaserefpolicy/policy/modules/admin/amanda.fc	2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/admin/amanda.fc	2006-09-01 15:41:44.000000000 -0400
-@@ -11,61 +11,11 @@
- /usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
- /usr/lib(64)?/amanda/.+		--	gen_context(system_u:object_r:amanda_exec_t,s0)
- /usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
--/usr/lib(64)?/amanda/amcat\.awk	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
--/usr/lib(64)?/amanda/amcleanupdisk --	gen_context(system_u:object_r:amanda_exec_t,s0)
- /usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
- /usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
--/usr/lib(64)?/amanda/amlogroll	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/amplot\.awk --	gen_context(system_u:object_r:amanda_script_exec_t,s0)
--/usr/lib(64)?/amanda/amplot\.g	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
--/usr/lib(64)?/amanda/amplot\.gp	--	gen_context(system_u:object_r:amanda_script_exec_t,s0)
--/usr/lib(64)?/amanda/amtrmidx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/amtrmlog	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/calcsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-chio	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-chs	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-manual	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-multi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-rth	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-scsi	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/chg-zd-mtx	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/driver	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/dumper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/killpgrp	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/patch-system --	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/planner	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/rundump	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/runtar	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/selfcheck	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/sendbackup	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/sendsize	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/taper	--	gen_context(system_u:object_r:amanda_exec_t,s0)
--/usr/lib(64)?/amanda/versionsuffix --	gen_context(system_u:object_r:amanda_exec_t,s0)
--
--/usr/sbin/amadmin		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amcheck		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amcheckdb		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amcleanup		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amdump		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amflush		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amgetconf		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amlabel		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amoverview		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amplot		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
- /usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
--/usr/sbin/amreport		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amrestore		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amrmtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amstatus		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amtape		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amtoc			--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--/usr/sbin/amverify		--	gen_context(system_u:object_r:amanda_user_exec_t,s0)
--
- /var/lib/amanda			-d	gen_context(system_u:object_r:amanda_var_lib_t,s0)
- /var/lib/amanda/\.amandahosts	--	gen_context(system_u:object_r:amanda_config_t,s0)
--/var/lib/amanda/\.bashrc	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
--/var/lib/amanda/\.profile	--	gen_context(system_u:object_r:amanda_shellconfig_t,s0)
- /var/lib/amanda/disklist	--	gen_context(system_u:object_r:amanda_data_t,s0)
- /var/lib/amanda/gnutar-lists(/.*)?	gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
- /var/lib/amanda/index			gen_context(system_u:object_r:amanda_data_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.3.11/policy/modules/admin/amanda.te
---- nsaserefpolicy/policy/modules/admin/amanda.te	2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/admin/amanda.te	2006-09-01 15:41:44.000000000 -0400
-@@ -33,18 +33,6 @@
- type amanda_gnutarlists_t;
- files_type(amanda_gnutarlists_t)
- 
--# type for user startable files
--type amanda_user_exec_t;
--corecmd_executable_file(amanda_user_exec_t)
--
--# type for same awk and other scripts
--type amanda_script_exec_t;
--corecmd_executable_file(amanda_script_exec_t)
--
--# type for the shell configuration files 
--type amanda_shellconfig_t;
--files_type(amanda_shellconfig_t)
--
- type amanda_tmp_t;
- files_tmp_file(amanda_tmp_t)
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.11/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2006-09-01 14:10:19.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/admin/anaconda.te	2006-09-01 15:41:44.000000000 -0400
@@ -135,43 +48,6 @@
  mls_file_read_up(consoletype_t)
  mls_file_write_down(consoletype_t)
  role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.11/policy/modules/admin/firstboot.te
---- nsaserefpolicy/policy/modules/admin/firstboot.te	2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/admin/firstboot.te	2006-09-01 15:41:44.000000000 -0400
-@@ -20,9 +20,6 @@
- type firstboot_etc_t;
- files_config_file(firstboot_etc_t)
- 
--type firstboot_rw_t;
--files_type(firstboot_rw_t)
--
- ########################################
- #
- # Local policy
-@@ -38,9 +35,8 @@
- 
- allow firstboot_t firstboot_etc_t:file { getattr read };
- 
--allow firstboot_t firstboot_rw_t:dir create_dir_perms;
--allow firstboot_t firstboot_rw_t:file create_file_perms;
--files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
-+files_manage_etc_runtime_files(firstboot_t)
-+files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
- 
- # The big hammer
- unconfined_domain(firstboot_t) 
-@@ -124,6 +120,11 @@
- 	usermanage_domtrans_useradd(firstboot_t)
- ')
- 
-+optional_policy(`
-+	usermanage_domtrans_admin_passwd(firstboot_t)
-+')
-+
-+
- ifdef(`TODO',`
- allow firstboot_t proc_t:file write;
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.11/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-07-14 17:04:46.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/admin/rpm.fc	2006-09-01 15:41:44.000000000 -0400
@@ -219,17 +95,6 @@
  
  #
  # /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.3.11/policy/modules/kernel/corecommands.if
---- nsaserefpolicy/policy/modules/kernel/corecommands.if	2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/kernel/corecommands.if	2006-09-01 15:41:44.000000000 -0400
-@@ -950,6 +950,7 @@
- 
- 	allow $1 exec_type:file manage_file_perms;
- 	allow $1 { bin_t sbin_t }:dir rw_dir_perms;
-+	allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
- ')
- 
- ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.11/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-09-01 14:10:17.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/kernel/corenetwork.te.in	2006-09-01 15:41:44.000000000 -0400
@@ -257,7 +122,7 @@
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
  network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.11/policy/modules/kernel/files.fc
---- nsaserefpolicy/policy/modules/kernel/files.fc	2006-09-01 14:10:17.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/files.fc	2006-09-05 07:41:00.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/kernel/files.fc	2006-09-01 15:41:44.000000000 -0400
 @@ -32,6 +32,7 @@
  /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
@@ -267,22 +132,10 @@
  
  #
  # /emul
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.11/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/kernel/terminal.if	2006-09-01 15:41:44.000000000 -0400
-@@ -886,7 +886,7 @@
- 		type tty_device_t;
- 	')
- 
--	dontaudit $1 tty_device_t:chr_file { read write };
-+	dontaudit $1 tty_device_t:chr_file rw_file_perms;
- ')
- 
- ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.11/policy/modules/services/amavis.te
---- nsaserefpolicy/policy/modules/services/amavis.te	2006-08-29 09:00:27.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/amavis.te	2006-09-05 07:41:01.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/amavis.te	2006-09-01 15:41:44.000000000 -0400
-@@ -155,6 +155,7 @@
+@@ -156,6 +155,7 @@
  
  ifdef(`targeted_policy',`
  	term_dontaudit_use_generic_ptys(amavis_t)
@@ -291,17 +144,9 @@
  
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.11/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te	2006-08-29 09:00:28.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/apache.te	2006-09-05 07:41:01.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/apache.te	2006-09-01 15:41:44.000000000 -0400
-@@ -141,7 +141,6 @@
- allow httpd_t self:msg { send receive };
- allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
- allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
- allow httpd_t self:tcp_socket create_stream_socket_perms;
- allow httpd_t self:udp_socket create_socket_perms;
- 
-@@ -713,4 +712,5 @@
+@@ -712,4 +712,5 @@
  
  ifdef(`targeted_policy',`
  	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
@@ -512,44 +357,57 @@
  ')
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.11/policy/modules/services/cron.if
---- nsaserefpolicy/policy/modules/services/cron.if	2006-08-29 09:00:28.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cron.if	2006-09-05 07:41:01.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/cron.if	2006-09-01 15:41:44.000000000 -0400
-@@ -54,6 +54,11 @@
- 	domain_entry_file($1_crontab_t,crontab_exec_t)
- 	role $3 types $1_crontab_t;
+@@ -57,6 +57,8 @@
+ 	type $1_crontab_tmp_t;
+ 	files_tmp_file($1_crontab_tmp_t)
  
-+	type $1_crontab_tmp_t;
-+	files_tmp_file($1_crontab_tmp_t)
-+
 +
 +
  	##############################
  	#
  	# $1_crond_t local policy
-@@ -193,6 +198,10 @@
+@@ -178,10 +180,6 @@
+ 	# $1_crontab_t local policy
+ 	#
+ 
+-	# dac_override is to create the file in the directory under /tmp
+-	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+-	allow $1_crontab_t self:process signal_perms;
+-
+ 	# Transition from the user domain to the derived domain.
+ 	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
+ 	allow $2 $1_crontab_t:fd use;
+@@ -200,8 +198,13 @@
  	# Allow crond to read those crontabs in cron spool.
  	allow crond_t $1_cron_spool_t:file create_file_perms;
  
+-	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
+-	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
 +	allow $1_crontab_t tmp_t:dir rw_dir_perms;
 +	allow $1_crontab_t $1_crontab_tmp_t:file create_file_perms;
 +	type_transition $1_crontab_t tmp_t:file $1_crontab_tmp_t;
 +
- 	# dac_override is to create the file in the directory under /tmp
- 	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
- 	allow $1_crontab_t self:process signal_perms;
++	# dac_override is to create the file in the directory under /tmp
++	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
++	allow $1_crontab_t self:process signal_perms;
+ 
+ 	# create files in /var/spool/cron
+ 	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
+@@ -256,6 +259,9 @@
+ 	')
+ 
+ 	ifdef(`TODO',`
++	allow $1_crond_t tmp_t:dir rw_dir_perms;
++	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
++
+ 	# Read user crontabs
+ 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
+ 	') dnl endif TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.11/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te	2006-08-29 09:00:28.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/cron.te	2006-09-05 07:41:01.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/cron.te	2006-09-01 15:41:44.000000000 -0400
-@@ -36,6 +36,9 @@
- type crontab_exec_t;
- corecmd_executable_file(crontab_exec_t)
- 
-+type crontab_tmp_t;
-+files_tmp_file(crontab_tmp_t)
-+
- type system_cron_spool_t, cron_spool_type;
- files_type(system_cron_spool_t)
- 
 @@ -175,6 +178,7 @@
  	allow crond_t crond_tmp_t:dir create_dir_perms;
  	allow crond_t crond_tmp_t:file create_file_perms;
@@ -558,17 +416,6 @@
  ')
  
  tunable_policy(`fcron_crond', `
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.3.11/policy/modules/services/cyrus.te
---- nsaserefpolicy/policy/modules/services/cyrus.te	2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/cyrus.te	2006-09-01 15:41:44.000000000 -0400
-@@ -93,6 +93,7 @@
- files_list_var_lib(cyrus_t)
- files_read_etc_files(cyrus_t)
- files_read_etc_runtime_files(cyrus_t)
-+files_read_usr_files(cyrus_t)
- 
- init_use_fds(cyrus_t)
- init_use_script_ptys(cyrus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.11/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2006-08-29 09:00:28.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/dbus.if	2006-09-01 15:41:44.000000000 -0400
@@ -580,17 +427,6 @@
  	corecmd_list_bin($1_dbusd_t)
  	corecmd_read_bin_symlinks($1_dbusd_t)
  	corecmd_read_bin_files($1_dbusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.3.11/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te	2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/dbus.te	2006-09-01 15:41:44.000000000 -0400
-@@ -38,7 +38,6 @@
- allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
- allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
- allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
- # Receive notifications of policy reloads and enforcing status changes.
- allow system_dbusd_t self:netlink_selinux_socket { create bind read };
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.11/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2006-09-01 14:10:18.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/dovecot.te	2006-09-01 15:41:44.000000000 -0400
@@ -603,74 +439,20 @@
  domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
  allow dovecot_t dovecot_auth_t:fd use;
  allow dovecot_auth_t dovecot_t:process sigchld;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.3.11/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te	2006-08-23 12:14:53.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/ftp.te	2006-09-01 15:41:44.000000000 -0400
-@@ -50,7 +50,6 @@
- allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
- allow ftpd_t self:tcp_socket create_stream_socket_perms;
- allow ftpd_t self:udp_socket create_socket_perms;
--allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
- 
- allow ftpd_t ftpd_etc_t:file r_file_perms;
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.3.11/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te	2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/hal.te	2006-09-01 15:41:44.000000000 -0400
-@@ -28,7 +28,6 @@
- allow hald_t self:fifo_file rw_file_perms;
- allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow hald_t self:unix_dgram_socket create_socket_perms;
--allow hald_t self:netlink_route_socket r_netlink_socket_perms;
- allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
- allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow hald_t self:tcp_socket create_stream_socket_perms;
-@@ -78,6 +77,7 @@
- dev_rw_sysfs(hald_t)
- 
- domain_use_interactive_fds(hald_t)
-+domain_read_all_domains_state(hald_t)
- 
- files_exec_etc_files(hald_t)
- files_read_etc_files(hald_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-2.3.11/policy/modules/services/ldap.te
---- nsaserefpolicy/policy/modules/services/ldap.te	2006-08-16 08:46:30.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/ldap.te	2006-09-01 15:41:44.000000000 -0400
-@@ -72,7 +72,7 @@
- 
- allow slapd_t slapd_var_run_t:file create_file_perms;
- allow slapd_t slapd_var_run_t:dir rw_dir_perms;
--files_pid_filetrans(slapd_t,slapd_var_run_t,file)
-+files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
- 
- kernel_read_system_state(slapd_t)
- kernel_read_kernel_sysctls(slapd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.11/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-07-14 17:04:41.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-09-05 07:41:01.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/networkmanager.te	2006-09-01 15:41:44.000000000 -0400
-@@ -18,9 +18,9 @@
+@@ -18,9 +18,7 @@
  # Local policy
  #
  
+-# networkmanager will ptrace itself if gdb is installed
+-# and it receives a unexpected signal (rh bug #204161) 
 -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
 +allow NetworkManager_t self:capability { kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock};
  dontaudit NetworkManager_t self:capability sys_tty_config;
--allow NetworkManager_t self:process { setcap getsched signal_perms };
-+allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
+ allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
  allow NetworkManager_t self:fifo_file rw_file_perms;
- allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
- allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.3.11/policy/modules/services/ntp.te
---- nsaserefpolicy/policy/modules/services/ntp.te	2006-08-23 12:14:54.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/ntp.te	2006-09-01 15:41:44.000000000 -0400
-@@ -38,7 +38,6 @@
- allow ntpd_t self:fifo_file { read write getattr };
- allow ntpd_t self:unix_dgram_socket create_socket_perms;
- allow ntpd_t self:unix_stream_socket create_socket_perms;
--allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
- allow ntpd_t self:tcp_socket create_stream_socket_perms;
- allow ntpd_t self:udp_socket create_socket_perms;
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.11/policy/modules/services/oddjob.fc
 --- nsaserefpolicy/policy/modules/services/oddjob.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.3.11/policy/modules/services/oddjob.fc	2006-09-01 15:41:44.000000000 -0400
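Review bot: The new inner diff for networkmanager.te deletes upstream's two comment lines explaining why NetworkManager needs ptrace (it traces itself when gdb is installed and an unexpected signal arrives, rh bug #204161) at the same moment it adds `sys_ptrace` to the domain's capability set; the rationale for a capability this powerful should stay next to the rule. I would keep the comment as context and change only the `allow` line, so the inner hunk reads `# networkmanager will ptrace itself if gdb is installed` / `# and it receives a unexpected signal (rh bug #204161)` directly above `+allow NetworkManager_t self:capability { ... sys_ptrace ... };`. The `self:process ptrace` rule, now upstream context, already confines the SELinux side to NetworkManager's own domain, so `sys_ptrace` is the DAC-side grant and the part the comment needs to justify. The remaining changes in this hunk only drop netlink_route_socket removals that upstream has evidently absorbed.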
@@ -1604,26 +1386,6 @@
  corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
  
  dev_read_urand(setroubleshootd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-2.3.11/policy/modules/services/stunnel.te
---- nsaserefpolicy/policy/modules/services/stunnel.te	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/services/stunnel.te	2006-09-01 15:41:44.000000000 -0400
-@@ -38,6 +38,7 @@
- allow stunnel_t self:fifo_file rw_file_perms;
- allow stunnel_t self:tcp_socket create_stream_socket_perms;
- allow stunnel_t self:udp_socket create_socket_perms;
-+allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
- 
- allow stunnel_t stunnel_etc_t:dir { getattr read search };
- allow stunnel_t stunnel_etc_t:file { read getattr };
-@@ -63,7 +64,7 @@
- corenet_tcp_sendrecv_all_ports(stunnel_t)
- corenet_udp_sendrecv_all_ports(stunnel_t)
- corenet_tcp_bind_all_nodes(stunnel_t)
--#corenet_tcp_bind_stunnel_port(stunnel_t)
-+corenet_tcp_connect_all_ports(stunnel_t)
- 
- fs_getattr_all_fs(stunnel_t)
- 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.11/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-01 14:10:18.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/services/xserver.if	2006-09-01 15:41:44.000000000 -0400
@@ -1653,6 +1415,18 @@
 +	allow $1 ice_tmp_t:dir ra_dir_perms;
 +	allow $1 ice_tmp_t:sock_file create_file_perms;
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.3.11/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-08-29 09:00:29.000000000 -0400
++++ serefpolicy-2.3.11/policy/modules/system/authlogin.te	2006-09-01 22:25:56.000000000 -0400
+@@ -176,7 +177,7 @@
+ dev_setattr_xserver_misc_dev(pam_console_t)
+ dev_read_urand(pam_console_t)
+ 
+-fs_search_auto_mountpoints(pam_console_t)
++fs_list_auto_mountpoints(pam_console_t)
+ 
+ mls_file_read_up(pam_console_t)
+ mls_file_write_down(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.11/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-08-29 09:00:29.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/system/hostname.te	2006-09-01 15:41:44.000000000 -0400
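Review bot: The new inner diff for authlogin.te widens pam_console_t from `fs_search_auto_mountpoints` to `fs_list_auto_mountpoints`, a small and plausible widening (directory read on automount points), but its header `@@ -176,7 +177,7 @@` carries a one-line new-side offset while the diffstat records only this single two-line change to the file, which suggests the header was hand-edited rather than regenerated. `patch` will normally still apply it with an offset warning, but I would regenerate the hunk so it reads `@@ -176,7 +176,7 @@` and add a one-line comment above the call stating which pam_console operation needs to list those directories. The surrounding pam_console_t rules are context only.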
@@ -1681,19 +1455,8 @@
  # slapd needs to read cert files from its initscript
  miscfiles_read_certs(initrc_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.3.11/policy/modules/system/selinuxutil.fc
---- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-08-02 10:34:08.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/system/selinuxutil.fc	2006-09-01 15:41:44.000000000 -0400
-@@ -36,6 +36,7 @@
- /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
- /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
- /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
-+/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
- /usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
- /usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
- /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.11/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-09-01 14:10:18.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-09-05 07:41:01.000000000 -0400
 +++ serefpolicy-2.3.11/policy/modules/system/selinuxutil.te	2006-09-01 15:41:44.000000000 -0400
 @@ -450,6 +450,7 @@
  selinux_compute_user_contexts(restorecond_t)
@@ -1703,7 +1466,7 @@
  
  auth_relabel_all_files_except_shadow(restorecond_t )
  auth_read_all_files_except_shadow(restorecond_t)
-@@ -621,6 +622,12 @@
+@@ -622,6 +622,12 @@
  	# Handle pp files created in homedir and /tmp
  	files_read_generic_tmp_files(semanage_t)
  	userdom_read_generic_user_home_content_files(semanage_t)
@@ -1718,7 +1481,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.11/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-08-16 08:46:31.000000000 -0400
-+++ serefpolicy-2.3.11/policy/modules/system/userdomain.if	2006-09-01 15:41:44.000000000 -0400
++++ serefpolicy-2.3.11/policy/modules/system/userdomain.if	2006-09-01 22:29:05.000000000 -0400
 @@ -8,11 +8,10 @@
  ## <desc>
  ##	<p>
@@ -1957,7 +1720,7 @@
  	tunable_policy(`read_default_t',`
  		files_list_default($1_t)
  		files_read_default_files($1_t)
-@@ -322,6 +364,10 @@
+@@ -322,10 +364,15 @@
  	')
  
  	optional_policy(`
@@ -1968,7 +1731,12 @@
  		canna_stream_connect($1_t)
  	')
  
-@@ -426,8 +472,10 @@
+ 	optional_policy(`
++		cups_stream_connect(sysadm_t)
+ 		cups_stream_connect_ptal($1_t)
+ 	')
+ 
+@@ -426,8 +473,10 @@
  		xserver_stream_connect_xdm($1_t)
  		# certain apps want to read xdm.pid file
  		xserver_read_xdm_pid($1_t)
@@ -1979,7 +1747,7 @@
  	')
  ')
  
-@@ -457,6 +505,7 @@
+@@ -457,6 +506,7 @@
  
  	# Inherit rules for ordinary users.
  	base_user_template($1)
@@ -1987,7 +1755,7 @@
  
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
-@@ -477,9 +526,6 @@
+@@ -477,9 +527,6 @@
  	# Local policy
  	#
  
@@ -1997,7 +1765,7 @@
  	# Rules used to associate a homedir as a mountpoint
  	allow $1_home_t self:filesystem associate;
  	allow $1_file_type $1_home_t:filesystem associate;
-@@ -491,10 +537,6 @@
+@@ -491,10 +538,6 @@
  	allow privhome $1_home_t:sock_file create_file_perms;
  	allow privhome $1_home_t:fifo_file create_file_perms;
  	type_transition privhome $1_home_dir_t:{ dir notdevfile_class_set } $1_home_t;
@@ -2008,7 +1776,7 @@
  	dev_read_sysfs($1_t)
  
  	corecmd_exec_all_executables($1_t)
-@@ -502,11 +544,8 @@
+@@ -502,11 +545,8 @@
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  
@@ -2021,7 +1789,7 @@
  	# Read directories and files with the readable_t type.
  	# This type is a general type for "world"-readable files.
  	files_list_world_readable($1_t)
-@@ -514,8 +553,6 @@
+@@ -514,8 +554,6 @@
  	files_read_world_readable_symlinks($1_t)
  	files_read_world_readable_pipes($1_t)
  	files_read_world_readable_sockets($1_t)
@@ -2030,7 +1798,7 @@
  
  	init_read_utmp($1_t)
  	# The library functions always try to open read-write first,
-@@ -621,6 +658,8 @@
+@@ -621,6 +659,8 @@
  
  	# do not audit read on disk devices
  	dontaudit $1_t { removable_device_t fixed_disk_device_t }:blk_file read;
@@ -2039,7 +1807,7 @@
  
  	ifdef(`xdm.te', `
  		allow xdm_t $1_home_t:lnk_file read;
-@@ -657,8 +696,6 @@
+@@ -657,8 +697,6 @@
  	# Do not audit write denials to /etc/ld.so.cache.
  	dontaudit $1_t ld_so_cache_t:file write;
  
@@ -2048,7 +1816,7 @@
  	allow $1_t initrc_t:fifo_file write;
  	') dnl end TODO
  ')
-@@ -704,6 +741,7 @@
+@@ -704,6 +742,7 @@
  
  	# Inherit rules for ordinary users.
  	base_user_template($1)
@@ -2056,7 +1824,7 @@
  
  	typeattribute $1_t privhome;
  	domain_obj_id_change_exemption($1_t)
-@@ -736,11 +774,6 @@
+@@ -736,11 +775,6 @@
  
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  
@@ -2068,7 +1836,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -806,6 +839,7 @@
+@@ -806,6 +840,7 @@
  	domain_getattr_all_sockets($1_t)
  
  	files_exec_usr_src_files($1_t)
@@ -2076,7 +1844,7 @@
  
  	init_rw_initctl($1_t)
  
-@@ -3359,6 +3393,25 @@
+@@ -3359,6 +3394,25 @@
  
  ########################################
  ## <summary>
@@ -2102,7 +1870,7 @@
  ##	Read files in the staff users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4079,7 +4132,7 @@
+@@ -4079,7 +4133,7 @@
  	gen_require(`
  		type user_home_dir_t;
  	')
@@ -2111,7 +1879,7 @@
  	files_home_filetrans($1,user_home_dir_t,dir)
  ')
  
-@@ -4164,7 +4217,7 @@
+@@ -4164,7 +4218,7 @@
  	')
  
  	files_search_home($1)
@@ -2120,7 +1888,7 @@
  	allow $1 user_home_t:dir create_dir_perms;
  ')
  
-@@ -4206,7 +4259,7 @@
+@@ -4206,7 +4260,7 @@
  	')
  
  	files_search_home($1)
@@ -2129,7 +1897,7 @@
  	allow $1 user_home_t:dir rw_dir_perms;
  	allow $1 user_home_t:file create_file_perms;
  ')
-@@ -4228,7 +4281,7 @@
+@@ -4228,7 +4282,7 @@
  	')
  
  	files_search_home($1)
@@ -2138,7 +1906,7 @@
  	allow $1 user_home_t:dir rw_dir_perms;
  	allow $1 user_home_t:lnk_file create_lnk_perms;
  ')
-@@ -4250,7 +4303,7 @@
+@@ -4250,7 +4304,7 @@
  	')
  
  	files_search_home($1)
@@ -2147,7 +1915,7 @@
  	allow $1 user_home_t:dir rw_dir_perms;
  	allow $1 user_home_t:fifo_file create_file_perms;
  ')
-@@ -4272,7 +4325,7 @@
+@@ -4272,7 +4326,7 @@
  	')
  
  	files_search_home($1)
@@ -2156,7 +1924,7 @@
  	allow $1 user_home_t:dir rw_dir_perms;
  	allow $1 user_home_t:sock_file create_file_perms;
  ')
-@@ -4740,3 +4793,34 @@
+@@ -4740,3 +4794,34 @@
  	allow $1 user_home_dir_t:dir create_dir_perms;
  	files_home_filetrans($1,user_home_dir_t,dir)
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.269
retrieving revision 1.270
diff -u -r1.269 -r1.270
--- selinux-policy.spec	1 Sep 2006 19:45:39 -0000	1.269
+++ selinux-policy.spec	5 Sep 2006 12:03:37 -0000	1.270
@@ -15,7 +15,7 @@
 %define CHECKPOLICYVER 1.30.4-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.3.11
+Version: 2.3.12
 Release: 1
 License: GPL
 Group: System Environment/Base
@@ -347,6 +347,9 @@
 %endif
 
 %changelog
+* Tue Sep 5 2006 Dan Walsh <dwalsh at redhat.com> 2.3.12-1
+- Update to upstream
+
 * Fri Sep 1 2006 Dan Walsh <dwalsh at redhat.com> 2.3.11-1
 - Update to upstream
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- sources	1 Sep 2006 19:45:39 -0000	1.88
+++ sources	5 Sep 2006 12:03:37 -0000	1.89
@@ -1 +1 @@
-6d64fcdfddfac9c487d06b0b1618664e  serefpolicy-2.3.11.tgz
+7e9a4c9a8502055eb0f7a5b9f399b6cd  serefpolicy-2.3.12.tgz



