rpms/selinux-policy/devel .cvsignore, 1.85, 1.86 policy-20060829.patch, 1.11, 1.12 selinux-policy.spec, 1.273, 1.274 sources, 1.89, 1.90
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Sep 6 18:29:38 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14836
Modified Files:
.cvsignore policy-20060829.patch selinux-policy.spec sources
Log Message:
* Wed Sep 6 2006 Dan Walsh <dwalsh at redhat.com> 2.3.13-1
- Update from upstream
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- .cvsignore 5 Sep 2006 12:03:37 -0000 1.85
+++ .cvsignore 6 Sep 2006 18:29:35 -0000 1.86
@@ -87,3 +87,4 @@
clog
serefpolicy-2.3.11.tgz
serefpolicy-2.3.12.tgz
+serefpolicy-2.3.13.tgz
policy-20060829.patch:
Makefile | 23 -
Rules.modular | 10
policy/modules/admin/anaconda.te | 6
policy/modules/admin/bootloader.fc | 1
policy/modules/admin/bootloader.te | 2
policy/modules/admin/consoletype.te | 7
policy/modules/admin/rpm.fc | 2
policy/modules/admin/rpm.if | 13
policy/modules/apps/java.fc | 2
policy/modules/apps/mono.te | 4
policy/modules/kernel/corenetwork.te.in | 3
policy/modules/kernel/files.fc | 1
policy/modules/kernel/filesystem.if | 19 +
policy/modules/services/amavis.te | 1
policy/modules/services/apache.te | 1
policy/modules/services/bluetooth.te | 4
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/clamav.te | 1
policy/modules/services/cron.te | 1
policy/modules/services/dbus.if | 1
policy/modules/services/oddjob.fc | 8
policy/modules/services/oddjob.if | 76 +++++
policy/modules/services/oddjob.te | 73 +++++
policy/modules/services/oddjob_mkhomedir.fc | 6
policy/modules/services/oddjob_mkhomedir.if | 24 +
policy/modules/services/oddjob_mkhomedir.te | 29 ++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 6
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 +++++++++++++
policy/modules/services/ricci.te | 386 ++++++++++++++++++++++++++++
policy/modules/services/rpc.te | 1
policy/modules/services/xserver.if | 42 +++
policy/modules/system/hostname.te | 5
policy/modules/system/init.te | 3
policy/modules/system/selinuxutil.te | 3
policy/modules/system/userdomain.if | 268 +++++++++++++------
policy/modules/system/userdomain.te | 48 +--
41 files changed, 1344 insertions(+), 136 deletions(-)
Index: policy-20060829.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060829.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20060829.patch 5 Sep 2006 20:19:56 -0000 1.11
+++ policy-20060829.patch 6 Sep 2006 18:29:35 -0000 1.12
@@ -1,15 +1,7 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.3.12/Makefile
---- nsaserefpolicy/Makefile 2006-08-31 14:57:06.000000000 -0400
-+++ serefpolicy-2.3.12/Makefile 2006-09-05 16:16:40.000000000 -0400
-@@ -8,6 +8,7 @@
- # reload - compile, install, and load/reload the policy configuration.
- # relabel - relabel filesystems based on the file contexts configuration.
- # checklabels - check filesystems against the file context configuration
-+# checkfilecontext - check filesystems against the file context configuration
- # restorelabels - check filesystems against the file context configuration
- # and restore the label of files with incorrect labels
- # policy - compile the policy configuration locally for testing/development.
-@@ -44,22 +45,25 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.3.13/Makefile
+--- nsaserefpolicy/Makefile 2006-09-06 13:04:51.000000000 -0400
++++ serefpolicy-2.3.13/Makefile 2006-09-06 13:18:45.000000000 -0400
+@@ -44,16 +44,17 @@
endif
# executable paths
@@ -19,36 +11,43 @@
+USRSBINDIR ?= /usr/sbin
+SBINDIR ?= /sbin
ifdef TEST_TOOLCHAIN
--tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+ tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+-tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(USRSBINDIR)
- tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
++tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
else
--tc_bindir := $(BINDIR)
+-tc_usrbindir := $(BINDIR)
+-tc_usrsbindir := $(SBINDIR)
+-tc_sbindir := /sbin
+tc_usrbindir := $(USRBINDIR)
+tc_usrsbindir := $(USRSBINDIR)
- tc_sbindir := $(SBINDIR)
++tc_sbindir := $(SBINDIR)
endif
--CHECKPOLICY ?= $(tc_bindir)/checkpolicy
--CHECKMODULE ?= $(tc_bindir)/checkmodule
--SEMODULE ?= $(tc_sbindir)/semodule
--SEMOD_PKG ?= $(tc_bindir)/semodule_package
--SEMOD_LNK ?= $(tc_bindir)/semodule_link
--SEMOD_EXP ?= $(tc_bindir)/semodule_expand
--LOADPOLICY ?= $(tc_sbindir)/load_policy
-+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
-+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
-+SEMODULE ?= $(tc_usrsbindir)/semodule
-+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
-+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
-+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
-+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
- SETFILES ?= $(tc_sbindir)/setfiles
- XMLLINT ?= $(BINDIR)/xmllint
- SECHECK ?= $(BINDIR)/sechecker
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.12/policy/modules/admin/anaconda.te
+ CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+ CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+@@ -327,14 +328,14 @@
+ #
+ generate: $(generated_te) $(generated_if) $(generated_fc)
+
+-$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
++$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+- $(verbose) cat $@.in >> $@
+- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
+- | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
++ $(verbose) cat $(moddir)/kernel/corenetwork.if.in >> $@
++ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
++ | $(M4) -D self_contained_policy $(M4PARAM) $(moddir)/kernel/corenetwork.if.m4 - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+ $(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.13/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2006-09-01 14:10:19.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/anaconda.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/anaconda.te 2006-09-06 13:18:45.000000000 -0400
@@ -64,3 +64,9 @@
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
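Review bot: The rewritten `$(moddir)/kernel/corenetwork.if` rule drops `$(moddir)/kernel/corenetwork.te.in` from its prerequisites, yet the recipe still greps `$(@:.if=.te).in` for the `network_*` declarations. Editing the port list in corenetwork.te.in would therefore no longer trigger regeneration of corenetwork.if, and the generated interfaces can drift from the declared port types. If the prerequisite was removed only because the recipe used `$<`, keep it as the last prerequisite: `$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in $(moddir)/kernel/corenetwork.te.in`. In the same hunk the TEST_TOOLCHAIN branch still builds `tc_usrbindir` from `$(BINDIR)` while the else branch now uses `$(USRBINDIR)`; the definitions of those variables sit outside the hunk, so confirm both names are set.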
@@ -59,17 +58,17 @@
+domain_dontaudit_getattr_all_stream_sockets(anaconda_t)
+dontaudit domain anaconda_t:fd use;
+domain_dontaudit_use_interactive_fds(anaconda_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.12/policy/modules/admin/bootloader.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.13/policy/modules/admin/bootloader.fc
--- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/bootloader.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/bootloader.fc 2006-09-06 13:18:45.000000000 -0400
@@ -10,3 +10,4 @@
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/boot/grub/.* -- gen_context(system_u:object_r:boot_runtime_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.12/policy/modules/admin/bootloader.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.13/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/bootloader.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/bootloader.te 2006-09-06 13:18:45.000000000 -0400
@@ -161,7 +161,7 @@
allow bootloader_t self:capability ipc_lock;
@@ -79,9 +78,9 @@
# mkinitrd mount initrd on bootloader temp dir
files_mountpoint(bootloader_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.12/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.13/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/consoletype.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/consoletype.te 2006-09-06 13:18:45.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -96,33 +95,9 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.3.12/policy/modules/admin/firstboot.if
---- nsaserefpolicy/policy/modules/admin/firstboot.if 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/firstboot.if 2006-09-05 10:44:32.000000000 -0400
-@@ -111,20 +111,3 @@
-
- allow $1 firstboot_t:fifo_file write;
- ')
--########################################
--## <summary>
--## Read firstboot writable config files.
--## </summary>
--## <param name="domain">
--## <summary>
--## The type of the process performing this action.
--## </summary>
--## </param>
--#
--interface(`firstboot_read_rw_files',`
-- gen_require(`
-- type firstboot_rw_t;
-- ')
--
-- allow $1 firstboot_rw_t:file r_file_perms;
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.12/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.13/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/rpm.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/rpm.fc 2006-09-06 13:18:45.000000000 -0400
@@ -19,6 +19,8 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -132,9 +107,9 @@
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.12/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.13/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-08-02 10:34:09.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/rpm.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/rpm.if 2006-09-06 13:18:45.000000000 -0400
@@ -75,12 +75,13 @@
')
@@ -155,9 +130,9 @@
allow rpm_t $3:chr_file rw_term_perms;
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.12/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.13/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/apps/java.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/apps/java.fc 2006-09-06 13:18:45.000000000 -0400
@@ -1,7 +1,7 @@
#
# /opt
@@ -167,20 +142,24 @@
#
# /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.12/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-09-01 14:10:17.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/corecommands.fc 2006-09-05 14:10:00.000000000 -0400
-@@ -122,6 +122,7 @@
- /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
- /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-
-+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.12/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-01 14:10:17.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/corenetwork.te.in 2006-09-05 09:37:39.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.3.13/policy/modules/apps/mono.te
+--- nsaserefpolicy/policy/modules/apps/mono.te 2006-09-01 14:10:17.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/apps/mono.te 2006-09-06 13:18:45.000000000 -0400
+@@ -7,10 +7,8 @@
+ #
+
+ type mono_t;
+-domain_type(mono_t)
+-
+ type mono_exec_t;
+-domain_entry_file(mono_t,mono_exec_t)
++init_system_domain(mono_t,mono_exec_t)
+
+ ########################################
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.13/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-06 13:04:50.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/corenetwork.te.in 2006-09-06 13:18:45.000000000 -0400
@@ -67,6 +67,7 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
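Review bot: The mono.te part of this hunk replaces `domain_type(mono_t)` and `domain_entry_file(mono_t,mono_exec_t)` with `init_system_domain(mono_t,mono_exec_t)` without a comment saying why an application domain needs to be an init-started system domain. As far as I know that macro also places the domain under system_r and lets init scripts transition into it, so it widens how mono_t can be entered. A one-line comment above the call, such as `# mono_t is started from init scripts by <service>; see <bug reference>`, would let a reviewer judge whether the extra entry path is intended.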
@@ -189,7 +168,7 @@
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -121,12 +122,13 @@
+@@ -121,6 +122,8 @@
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
@@ -198,15 +177,9 @@
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
- network_port(rsh, tcp,514,s0)
- network_port(rsync, tcp,873,s0, udp,873,s0)
--network_port(setroubleshoot, tcp,3267,s0)
- network_port(smbd, tcp,137-139,s0, tcp,445,s0)
- network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
- network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.12/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.13/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/files.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/files.fc 2006-09-06 13:18:45.000000000 -0400
@@ -32,6 +32,7 @@
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/boot/lost\+found/.* <<none>>
@@ -215,36 +188,17 @@
#
# /emul
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.12/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/filesystem.if 2006-09-05 14:35:07.000000000 -0400
-@@ -2095,7 +2095,7 @@
- type ramfs_t;
- ')
-
-- allow $1 ramfs_t:dir rw_dir_perms;
-+ allow $1 ramfs_t:dir manage_dir_perms;
- allow $1 ramfs_t:file manage_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.13/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-06 13:04:50.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/filesystem.if 2006-09-06 13:18:45.000000000 -0400
+@@ -3303,3 +3303,22 @@
+ allow $1 noxattrfs:blk_file { getattr relabelfrom };
+ allow $1 noxattrfs:chr_file { getattr relabelfrom };
')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.12/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/terminal.if 2006-09-05 15:27:35.000000000 -0400
-@@ -252,7 +252,8 @@
- ')
-
- dev_list_all_dev_nodes($1)
-- allow $1 console_device_t:chr_file setattr;
-+ allow $1 console_device_t:chr_file setattr
-+;
- ')
-
- ########################################
-@@ -433,6 +434,25 @@
-
- ########################################
- ## <summary>
-+## dontaudit setattr of generic pty types.
++
++#########################################
++## <summary>
++## read, write rpc named pipes
+## </summary>
+## <param name="domain">
+## <summary>
@@ -252,23 +206,17 @@
+## </summary>
+## </param>
+#
-+# dwalsh: added for rhgb
-+interface(`term_dontaudit_setattr_generic_ptys',`
++interface(`fs_rw_rpc_named_pipes',`
+ gen_require(`
-+ type devpts_t;
++ type nfs_t;
+ ')
+
-+ dontaudit $1 devpts_t:chr_file setattr;
++ allow $1 rpc_pipefs_t:fifo_file { read write };
+')
+
-+########################################
-+## <summary>
- ## Read and write the generic pty
- ## type. This is generally only used in
- ## the targeted policy.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.12/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.13/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/amavis.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/amavis.te 2006-09-06 13:18:45.000000000 -0400
@@ -156,6 +156,7 @@
ifdef(`targeted_policy',`
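Review bot: In the new `fs_rw_rpc_named_pipes` interface the `gen_require` block declares `type nfs_t;` while the only rule is `allow $1 rpc_pipefs_t:fifo_file { read write };`, so the type the rule uses is never required and nfs_t is required but unused. A caller in a module that does not itself declare rpc_pipefs_t would likely fail to build in a modular policy, and the stray nfs_t requirement hides what the interface actually grants. The require should read `type rpc_pipefs_t;`. The interface's doc header begins in the previous hunk.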
@@ -277,18 +225,18 @@
')
optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.12/policy/modules/services/apache.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/apache.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/apache.te 2006-09-06 13:18:45.000000000 -0400
@@ -712,4 +712,5 @@
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+ term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.12/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.13/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/bluetooth.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/bluetooth.te 2006-09-06 13:18:45.000000000 -0400
@@ -217,14 +217,16 @@
fs_rw_tmpfs_files(bluetooth_helper_t)
@@ -307,9 +255,9 @@
xserver_stream_connect_xdm(bluetooth_helper_t)
xserver_use_xdm_fds(bluetooth_helper_t)
xserver_rw_xdm_pipes(bluetooth_helper_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.12/policy/modules/services/ccs.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.13/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ccs.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ccs.fc 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,8 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
@@ -319,9 +267,9 @@
+/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+/var/run/cluster(/.*)? gen_context(system_u:object_r:ccs_var_run_t,s0)
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.12/policy/modules/services/ccs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.13/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ccs.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ccs.if 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,65 @@
+## <summary>policy for ccs</summary>
+
@@ -388,9 +336,9 @@
+ allow $1 cluster_conf_t:file { getattr read };
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.12/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.13/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ccs.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ccs.te 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(ccs,1.0.0)
+
@@ -479,9 +427,9 @@
+
+allow ccs_t cluster_conf_t:dir r_dir_perms;
+allow ccs_t cluster_conf_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.12/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.13/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/clamav.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/clamav.te 2006-09-06 13:18:45.000000000 -0400
@@ -121,6 +121,7 @@
cron_rw_pipes(clamd_t)
@@ -490,58 +438,9 @@
term_dontaudit_use_generic_ptys(clamd_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.12/policy/modules/services/cron.if
---- nsaserefpolicy/policy/modules/services/cron.if 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/cron.if 2006-09-05 09:37:39.000000000 -0400
-@@ -57,6 +57,8 @@
- type $1_crontab_tmp_t;
- files_tmp_file($1_crontab_tmp_t)
-
-+
-+
- ##############################
- #
- # $1_crond_t local policy
-@@ -178,10 +180,6 @@
- # $1_crontab_t local policy
- #
-
-- # dac_override is to create the file in the directory under /tmp
-- allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
-- allow $1_crontab_t self:process signal_perms;
--
- # Transition from the user domain to the derived domain.
- domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
- allow $2 $1_crontab_t:fd use;
-@@ -200,8 +198,13 @@
- # Allow crond to read those crontabs in cron spool.
- allow crond_t $1_cron_spool_t:file create_file_perms;
-
-- allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
-- files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
-+ allow $1_crontab_t tmp_t:dir rw_dir_perms;
-+ allow $1_crontab_t $1_crontab_tmp_t:file create_file_perms;
-+ type_transition $1_crontab_t tmp_t:file $1_crontab_tmp_t;
-+
-+ # dac_override is to create the file in the directory under /tmp
-+ allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
-+ allow $1_crontab_t self:process signal_perms;
-
- # create files in /var/spool/cron
- allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
-@@ -256,6 +259,9 @@
- ')
-
- ifdef(`TODO',`
-+ allow $1_crond_t tmp_t:dir rw_dir_perms;
-+ type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
-+
- # Read user crontabs
- dontaudit $1_crontab_t $1_home_dir_t:dir write;
- ') dnl endif TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.12/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/cron.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/cron.te 2006-09-06 13:18:45.000000000 -0400
@@ -175,6 +175,7 @@
allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms;
@@ -550,9 +449,9 @@
')
tunable_policy(`fcron_crond', `
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.12/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.13/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/dbus.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/dbus.if 2006-09-06 13:18:45.000000000 -0400
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -561,35 +460,9 @@
corecmd_list_bin($1_dbusd_t)
corecmd_read_bin_symlinks($1_dbusd_t)
corecmd_read_bin_files($1_dbusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.12/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/dovecot.te 2006-09-05 09:37:39.000000000 -0400
-@@ -46,8 +46,6 @@
- allow dovecot_t self:tcp_socket create_stream_socket_perms;
- allow dovecot_t self:unix_dgram_socket create_socket_perms;
- allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
--
- domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
- allow dovecot_t dovecot_auth_t:fd use;
- allow dovecot_auth_t dovecot_t:process sigchld;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.12/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/networkmanager.te 2006-09-05 09:37:39.000000000 -0400
-@@ -18,9 +18,7 @@
- # Local policy
- #
-
--# networkmanager will ptrace itself if gdb is installed
--# and it receives a unexpected signal (rh bug #204161)
--allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
-+allow NetworkManager_t self:capability { kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock};
- dontaudit NetworkManager_t self:capability sys_tty_config;
- allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
- allow NetworkManager_t self:fifo_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.12/policy/modules/services/oddjob.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.13/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob.fc 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,8 @@
+# oddjob executable will have:
+# label: system_u:object_r:oddjob_exec_t
@@ -599,9 +472,9 @@
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
+/var/run/oddjobd.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
+/usr/lib/oddjobd gen_context(system_u:object_r:oddjob_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.12/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.13/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob.if 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,76 @@
+## <summary>policy for oddjob</summary>
+
@@ -679,9 +552,9 @@
+ allow $1 oddjob_t:dbus send_msg;
+ allow oddjob_t $1:dbus send_msg;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.fc
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.fc 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,6 @@
+# oddjob_mkhomedir executable will have:
+# label: system_u:object_r:oddjob_mkhomedir_exec_t
@@ -689,9 +562,9 @@
+# MCS categories: <none>
+
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.if
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.if 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,24 @@
+## <summary>policy for oddjob_mkhomedir</summary>
+
@@ -717,9 +590,9 @@
+ allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
+ allow oddjob_mkhomedir_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.te
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.te 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,29 @@
+policy_module(oddjob_mkhomedir,1.0.0)
+
@@ -750,9 +623,9 @@
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.12/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.13/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob.te 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,73 @@
+policy_module(oddjob,1.0.0)
+
@@ -827,9 +700,9 @@
+ term_dontaudit_use_unallocated_ttys(oddjob_t)
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.12/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.13/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/pegasus.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/pegasus.if 2006-09-06 13:18:45.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -863,9 +736,9 @@
+ allow pegasus_t $1:fifo_file rw_file_perms;
+ allow pegasus_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.12/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.13/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-08-23 12:14:54.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/pegasus.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/pegasus.te 2006-09-06 13:18:45.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -882,9 +755,9 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.12/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/postfix.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/postfix.te 2006-09-06 13:18:45.000000000 -0400
@@ -171,6 +171,11 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -905,134 +778,9 @@
term_dontaudit_use_generic_ptys(postfix_map_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.3.12/policy/modules/services/rhgb.te
---- nsaserefpolicy/policy/modules/services/rhgb.te 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/rhgb.te 2006-09-05 15:28:11.000000000 -0400
-@@ -10,9 +10,6 @@
- type rhgb_exec_t;
- init_daemon_domain(rhgb_t,rhgb_exec_t)
-
--type rhgb_devpts_t;
--term_pty(rhgb_devpts_t)
--
- type rhgb_tmpfs_t;
- files_tmpfs_file(rhgb_tmpfs_t)
-
-@@ -21,7 +18,7 @@
- # Local policy
- #
-
--allow rhgb_t self:capability { sys_admin sys_tty_config };
-+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
- dontaudit rhgb_t self:capability sys_tty_config;
- allow rhgb_t self:process signal_perms;
- allow rhgb_t self:shm create_shm_perms;
-@@ -29,9 +26,7 @@
- allow rhgb_t self:fifo_file rw_file_perms;
- allow rhgb_t self:tcp_socket create_socket_perms;
- allow rhgb_t self:udp_socket create_socket_perms;
--
--allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
--term_create_pty(rhgb_t,rhgb_devpts_t)
-+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
-
- allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
- allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
-@@ -39,12 +34,14 @@
- allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms;
- allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms;
- fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-+fs_getattr_tmpfs(rhgb_t)
-
- kernel_read_kernel_sysctls(rhgb_t)
- kernel_read_system_state(rhgb_t)
-
- corecmd_exec_bin(rhgb_t)
- corecmd_exec_sbin(rhgb_t)
-+corecmd_exec_shell(rhgb_t)
-
- corenet_non_ipsec_sendrecv(rhgb_t)
- corenet_tcp_sendrecv_generic_if(rhgb_t)
-@@ -61,6 +58,7 @@
- domain_use_interactive_fds(rhgb_t)
-
- files_read_etc_files(rhgb_t)
-+files_read_var_files(rhgb_t)
- files_read_etc_runtime_files(rhgb_t)
- files_search_tmp(rhgb_t)
- files_read_usr_files(rhgb_t)
-@@ -80,6 +78,8 @@
-
- term_dontaudit_use_console(rhgb_t)
- term_use_unallocated_ttys(rhgb_t)
-+term_use_ptmx(rhgb_t)
-+term_getattr_pty_fs(rhgb_t)
-
- init_use_fds(rhgb_t)
- init_use_script_ptys(rhgb_t)
-@@ -96,6 +96,7 @@
- miscfiles_read_fonts(rhgb_t)
-
- sysnet_read_config(rhgb_t)
-+sysnet_domtrans_ifconfig(rhgb_t)
-
- userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
-
-@@ -104,14 +105,21 @@
- # for running setxkbmap
- xserver_read_xkb_libs(rhgb_t)
-
--ifdef(`targeted_policy',`
-+ifdef(`strict_policy',`
-+ type rhgb_devpts_t;
-+ term_pty(rhgb_devpts_t)
-+
-+ allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
-+ term_create_pty(rhgb_t,rhgb_devpts_t)
-+', `
-+ term_dontaudit_use_generic_ptys(rhgb_t)
-+ term_dontaudit_setattr_generic_ptys(rhgb_t)
- term_dontaudit_use_unallocated_ttys(rhgb_t)
- term_dontaudit_use_generic_ptys(rhgb_t)
- files_dontaudit_read_root_files(rhgb_t)
--')
--
--optional_policy(`
-- firstboot_read_rw_files(rhgb_t)
-+ xserver_domtrans_xdm_xserver(rhgb_t)
-+ xserver_signal_xdm_xserver(rhgb_t)
-+ xserver_read_xdm_tmp_files(rhgb_t)
- ')
-
- optional_policy(`
-@@ -126,22 +134,13 @@
- udev_read_db(rhgb_t)
- ')
-
-+userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
-+
- ifdef(`TODO',`
-- #TODO
-- ifdef(`hide_broken_symptoms', `
-- # for a bug in the X server
-- dontaudit mount_t rhgb_gph_t:fd use;
-- ')
- #TODO this seems a bit much
- allow domain rhgb_devpts_t:chr_file { read write };
-- #TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
-- allow rhgb_t default_t:file { getattr read };
- #TODO
- # for gnome-pty-helper
- gph_domain(rhgb, system)
- allow initrc_t rhgb_gph_t:fd use;
-- ifdef(`hide_broken_symptoms', `
-- # it should not do this
-- dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
-- ')
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.12/policy/modules/services/ricci.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.13/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ricci.fc 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ricci.fc 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
@@ -1054,9 +802,9 @@
+/usr/sbin/ricci-modservice -- gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
+/usr/sbin/ricci-modstorage -- gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.12/policy/modules/services/ricci.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.13/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ricci.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ricci.if 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
@@ -1242,9 +990,9 @@
+ allow $1 ricci_modcluster_var_run_t:sock_file write;
+ allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.12/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.13/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ricci.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ricci.te 2006-09-06 13:18:45.000000000 -0400
@@ -0,0 +1,386 @@
+policy_module(ricci,1.0.0)
+
@@ -1632,162 +1380,21 @@
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.12/policy/modules/services/setroubleshoot.te
---- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/setroubleshoot.te 2006-09-05 09:37:39.000000000 -0400
-@@ -64,9 +64,7 @@
- corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
- corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
- corenet_tcp_bind_all_nodes(setroubleshootd_t)
--corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
- corenet_tcp_connect_smtp_port(setroubleshootd_t)
--corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
- corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
-
- dev_read_urand(setroubleshootd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.12/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te 2006-08-16 08:46:30.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/ssh.te 2006-09-05 13:13:30.000000000 -0400
-@@ -39,10 +39,6 @@
- type ssh_agent_exec_t;
- files_type(ssh_agent_exec_t)
-
-- type ssh_keygen_t;
-- init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
-- role system_r types ssh_keygen_t;
--
- ssh_server_template(sshd)
- ssh_server_template(sshd_extern)
-
-@@ -193,62 +189,68 @@
- # ssh_keygen local policy
- #
-
--ifdef(`targeted_policy',`',`
-- # ssh_keygen_t is the type of the ssh-keygen program when run at install time
-- # and by sysadm_t
-+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-+# and by sysadm_t
-
-- dontaudit ssh_keygen_t self:capability sys_tty_config;
-- allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+type ssh_keygen_t;
-+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
-+role system_r types ssh_keygen_t;
-
-- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+dontaudit ssh_keygen_t self:capability sys_tty_config;
-+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
-- allow ssh_keygen_t sshd_key_t:file create_file_perms;
-- files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
-+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-
-- kernel_read_kernel_sysctls(ssh_keygen_t)
-+allow ssh_keygen_t sshd_key_t:file create_file_perms;
-+files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
-
-- fs_search_auto_mountpoints(ssh_keygen_t)
-+kernel_read_kernel_sysctls(ssh_keygen_t)
-
-- dev_read_sysfs(ssh_keygen_t)
-- dev_read_urand(ssh_keygen_t)
-+fs_search_auto_mountpoints(ssh_keygen_t)
-
-- term_dontaudit_use_console(ssh_keygen_t)
-+dev_read_sysfs(ssh_keygen_t)
-+dev_read_urand(ssh_keygen_t)
-
-- domain_use_interactive_fds(ssh_keygen_t)
-+term_dontaudit_use_console(ssh_keygen_t)
-
-- files_read_etc_files(ssh_keygen_t)
-+domain_use_interactive_fds(ssh_keygen_t)
-
-- init_use_fds(ssh_keygen_t)
-- init_use_script_ptys(ssh_keygen_t)
-+files_read_etc_files(ssh_keygen_t)
-
-- libs_use_ld_so(ssh_keygen_t)
-- libs_use_shared_libs(ssh_keygen_t)
-+init_use_fds(ssh_keygen_t)
-+init_use_script_ptys(ssh_keygen_t)
-
-- logging_send_syslog_msg(ssh_keygen_t)
-+libs_use_ld_so(ssh_keygen_t)
-+libs_use_shared_libs(ssh_keygen_t)
-
-- allow ssh_keygen_t proc_t:dir r_dir_perms;
-- allow ssh_keygen_t proc_t:lnk_file read;
-+logging_send_syslog_msg(ssh_keygen_t)
-
-- userdom_use_sysadm_ttys(ssh_keygen_t)
-- userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+allow ssh_keygen_t proc_t:dir r_dir_perms;
-+allow ssh_keygen_t proc_t:lnk_file read;
-
-- # cjp: with the old daemon_(base_)domain being broken up into
-- # a daemon and system interface, this probably is not needed:
-- ifdef(`direct_sysadm_daemon',`
-- userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-- ')
-+userdom_use_sysadm_ttys(ssh_keygen_t)
-+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-- ifdef(`targeted_policy', `
-- term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
-- term_dontaudit_use_generic_ptys(ssh_keygen_t)
-- files_dontaudit_read_root_files(ssh_keygen_t)
-- ')
-+# cjp: with the old daemon_(base_)domain being broken up into
-+# a daemon and system interface, this probably is not needed:
-+ifdef(`direct_sysadm_daemon',`
-+ userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-+')
-
-- optional_policy(`
-- seutil_sigchld_newrole(ssh_keygen_t)
-- ')
-+ifdef(`targeted_policy', `
-+ term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
-+ term_dontaudit_use_generic_ptys(ssh_keygen_t)
-+ files_dontaudit_read_root_files(ssh_keygen_t)
-+')
-
-- optional_policy(`
-- udev_read_db(ssh_keygen_t)
-- ')
-+optional_policy(`
-+ seutil_sigchld_newrole(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+ nscd_socket_use(ssh_keygen_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.12/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/xserver.if 2006-09-05 15:13:42.000000000 -0400
-@@ -1053,7 +1053,6 @@
- gen_require(`
- type xdm_xserver_tmp_t;
- ')
--
- allow $1 xdm_xserver_tmp_t:file { getattr read };
- ')
-
-@@ -1072,6 +1071,7 @@
- type xdm_tmp_t;
- ')
-
-+ allow $1 xdm_tmp_t:dir search_dir_perms;
- allow $1 xdm_tmp_t:file { getattr read };
- ')
-
-@@ -1133,3 +1133,45 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.3.13/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te 2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/rpc.te 2006-09-06 13:18:45.000000000 -0400
+@@ -53,6 +53,7 @@
+ fs_read_rpc_files(rpcd_t)
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_read_rpc_sockets(rpcd_t)
++fs_rw_rpc_named_pipes(rpcd_t)
+ term_use_controlling_term(rpcd_t)
+
+ # cjp: this should really have its own type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.13/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-06 13:04:51.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/xserver.if 2006-09-06 13:18:45.000000000 -0400
+@@ -1152,3 +1152,45 @@
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
')
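Review bot: The added `fs_rw_rpc_named_pipes(rpcd_t)` line in the new rpc.te section gives rpcd_t read/write access to named pipes on the rpc filesystem, where the neighbouring calls are all `fs_read_*`, and nothing in the patch records why. A one-line comment above it would let a later reviewer judge whether the grant is still needed, for example `# needed by <program> to write rpc named pipes (see <AVC or bug reference>)`. This hunk also drops the setroubleshoot.te and ssh.te sections, presumably because upstream 2.3.13 absorbed them. That is worth confirming against the new tarball, since the log message only says "Update from upstream".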
@@ -1833,45 +1440,9 @@
+ allow $1 xdm_xserver_t:process signal;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.12/policy/modules/services/xserver.te
---- nsaserefpolicy/policy/modules/services/xserver.te 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/xserver.te 2006-09-05 15:02:35.000000000 -0400
-@@ -214,15 +214,15 @@
- userdom_read_all_users_state(xdm_t)
- userdom_signal_all_users(xdm_t)
-
-+allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-+allow xdm_t xdm_tmp_t:file manage_file_perms;
-+allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
-+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+
- ifdef(`strict_policy',`
- allow xdm_t xdm_lock_t:file create_file_perms;
- files_lock_filetrans(xdm_t,xdm_lock_t,file)
-
-- allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-- allow xdm_t xdm_tmp_t:file manage_file_perms;
-- allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
-- files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
--
- allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
- allow xdm_t xdm_tmpfs_t:file manage_file_perms;
- allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.3.12/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/authlogin.te 2006-09-05 09:37:39.000000000 -0400
-@@ -176,7 +176,7 @@
- dev_setattr_xserver_misc_dev(pam_console_t)
- dev_read_urand(pam_console_t)
-
--fs_search_auto_mountpoints(pam_console_t)
-+fs_list_auto_mountpoints(pam_console_t)
-
- mls_file_read_up(pam_console_t)
- mls_file_write_down(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.12/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.13/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/hostname.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/hostname.te 2006-09-06 13:18:45.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -1884,9 +1455,9 @@
role system_r types hostname_t;
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.12/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.13/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-08-28 16:22:32.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/init.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/init.te 2006-09-06 13:18:45.000000000 -0400
@@ -361,7 +361,8 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -1897,9 +1468,9 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.12/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.13/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/selinuxutil.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/selinuxutil.te 2006-09-06 14:19:33.000000000 -0400
@@ -450,6 +450,7 @@
selinux_compute_user_contexts(restorecond_t)
@@ -1908,22 +1479,18 @@
auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
-@@ -622,6 +623,12 @@
+@@ -622,6 +623,8 @@
# Handle pp files created in homedir and /tmp
files_read_generic_tmp_files(semanage_t)
userdom_read_generic_user_home_content_files(semanage_t)
+',`
-+ ifdef(`enable_mls',`
-+ userdom_read_user_tmp_files(secadm, semanage_t)
-+ ',`
-+ userdom_read_user_tmp_files(sysadm, semanage_t)
-+ ')
++ userdom_read_admin_tmp_files(semanage_t)
')
########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.12/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-08-16 08:46:31.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/userdomain.if 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/userdomain.if 2006-09-06 14:19:50.000000000 -0400
@@ -8,11 +8,10 @@
## <desc>
## <p>
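Review bot: In the selinuxutil.te section the new else branch gives semanage_t only `userdom_read_admin_tmp_files(semanage_t)`, while the first branch, under the comment "Handle pp files created in homedir and /tmp", grants both tmp and home-content reads. If that comment describes the intent for both branches, a module package kept in the admin's home directory would presumably still be denied in the else branch. Either add the matching home-directory read there, or state the limit with a comment such as `# only /tmp is handled here; pp files in the admin home directory are not read`. The enclosing ifdef starts outside this hunk, so which policy type each branch covers cannot be confirmed from here.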
@@ -2075,7 +1642,10 @@
- allow $1_t self:process execmem;
- ')
+ sysnet_dns_name_resolve($1_t)
-+
+
+- tunable_policy(`allow_execmem && allow_execstack',`
+- # Allow making the stack executable via mprotect.
+- allow $1_t self:process execstack;
+')
+#######################################
+## <summary>
@@ -2100,10 +1670,7 @@
+## </param>
+#
+template(`base_login_user_template',`
-
-- tunable_policy(`allow_execmem && allow_execstack',`
-- # Allow making the stack executable via mprotect.
-- allow $1_t self:process execstack;
++
+ gen_require(`
+ attribute $1_file_type;
+ attribute home_dir_type, home_type;
@@ -2366,7 +1933,7 @@
allow $1 user_home_t:dir rw_dir_perms;
allow $1 user_home_t:sock_file create_file_perms;
')
-@@ -4740,3 +4794,34 @@
+@@ -4740,3 +4794,55 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -2401,9 +1968,30 @@
+ dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.12/policy/modules/system/userdomain.te
++
++########################################
++## <summary>
++## Read admin temporary files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_admin_tmp_files',`
++
++ ifdef(`enable_mls',`
++ userdom_read_user_tmp_files(secadm, $1)
++ ',`
++ userdom_read_user_tmp_files(sysadm, $1)
++ ')
++
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.13/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-08-16 08:46:31.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/userdomain.te 2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/userdomain.te 2006-09-06 13:18:45.000000000 -0400
@@ -56,14 +56,6 @@
# Local policy
#
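Review bot: The summary of the new `userdom_read_admin_tmp_files` interface in userdomain.if says only "Read admin temporary files.", but the body selects secadm's temporary files when `enable_mls` is defined and sysadm's otherwise. A caller should be able to tell from the doc block which role's files it is being granted, so I would change the summary to `## Read the temporary files of the administrative role (secadm when enable_mls is defined, sysadm otherwise).` The blank lines directly after the opening `interface(` line and before the closing `')` could also be dropped, to match the other interface bodies visible in this patch.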
@@ -2503,26 +2091,9 @@
', `
selinux_set_enforce_mode(sysadm_t)
selinux_set_boolean(sysadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.12/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/xen.te 2006-09-05 12:50:19.000000000 -0400
-@@ -131,6 +131,7 @@
- corenet_tcp_bind_xen_port(xend_t)
- corenet_tcp_bind_soundd_port(xend_t)
- corenet_tcp_bind_generic_port(xend_t)
-+corenet_tcp_bind_vnc_port(xend_t)
- corenet_sendrecv_xen_server_packets(xend_t)
- corenet_sendrecv_soundd_server_packets(xend_t)
- corenet_rw_tun_tap_dev(xend_t)
-@@ -313,3 +314,5 @@
- xen_append_log(xm_t)
- xen_stream_connect(xm_t)
- xen_stream_connect_xenstore(xm_t)
-+
-+userdom_dontaudit_search_sysadm_home_dirs(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.12/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.13/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-08-31 14:57:06.000000000 -0400
-+++ serefpolicy-2.3.12/Rules.modular 2006-09-05 16:00:01.000000000 -0400
++++ serefpolicy-2.3.13/Rules.modular 2006-09-06 13:18:45.000000000 -0400
@@ -218,6 +218,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.273
retrieving revision 1.274
diff -u -r1.273 -r1.274
--- selinux-policy.spec 5 Sep 2006 21:13:31 -0000 1.273
+++ selinux-policy.spec 6 Sep 2006 18:29:35 -0000 1.274
@@ -15,8 +15,8 @@
%define CHECKPOLICYVER 1.30.4-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.3.12
-Release: 2
+Version: 2.3.13
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -348,6 +348,9 @@
%endif
%changelog
+* Wed Sep 6 2006 Dan Walsh <dwalsh at redhat.com> 2.3.13-1
+- Update from upstream
+
* Tue Sep 5 2006 Dan Walsh <dwalsh at redhat.com> 2.3.12-2
- Fixup for test6
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- sources 5 Sep 2006 12:03:37 -0000 1.89
+++ sources 6 Sep 2006 18:29:35 -0000 1.90
@@ -1 +1 @@
-7e9a4c9a8502055eb0f7a5b9f399b6cd serefpolicy-2.3.12.tgz
+2dcf233ed155c1cceeebd12a2be76acd serefpolicy-2.3.13.tgz