rpms/selinux-policy/devel .cvsignore, 1.85, 1.86 policy-20060829.patch, 1.11, 1.12 selinux-policy.spec, 1.273, 1.274 sources, 1.89, 1.90

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Sep 6 18:29:38 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14836

Modified Files:
	.cvsignore policy-20060829.patch selinux-policy.spec sources 
Log Message:
* Wed Sep 6 2006 Dan Walsh <dwalsh at redhat.com> 2.3.13-1
- Update from upstream



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- .cvsignore	5 Sep 2006 12:03:37 -0000	1.85
+++ .cvsignore	6 Sep 2006 18:29:35 -0000	1.86
@@ -87,3 +87,4 @@
 clog
 serefpolicy-2.3.11.tgz
 serefpolicy-2.3.12.tgz
+serefpolicy-2.3.13.tgz

policy-20060829.patch:
 Makefile                                    |   23 -
 Rules.modular                               |   10 
 policy/modules/admin/anaconda.te            |    6 
 policy/modules/admin/bootloader.fc          |    1 
 policy/modules/admin/bootloader.te          |    2 
 policy/modules/admin/consoletype.te         |    7 
 policy/modules/admin/rpm.fc                 |    2 
 policy/modules/admin/rpm.if                 |   13 
 policy/modules/apps/java.fc                 |    2 
 policy/modules/apps/mono.te                 |    4 
 policy/modules/kernel/corenetwork.te.in     |    3 
 policy/modules/kernel/files.fc              |    1 
 policy/modules/kernel/filesystem.if         |   19 +
 policy/modules/services/amavis.te           |    1 
 policy/modules/services/apache.te           |    1 
 policy/modules/services/bluetooth.te        |    4 
 policy/modules/services/ccs.fc              |    8 
 policy/modules/services/ccs.if              |   65 ++++
 policy/modules/services/ccs.te              |   87 ++++++
 policy/modules/services/clamav.te           |    1 
 policy/modules/services/cron.te             |    1 
 policy/modules/services/dbus.if             |    1 
 policy/modules/services/oddjob.fc           |    8 
 policy/modules/services/oddjob.if           |   76 +++++
 policy/modules/services/oddjob.te           |   73 +++++
 policy/modules/services/oddjob_mkhomedir.fc |    6 
 policy/modules/services/oddjob_mkhomedir.if |   24 +
 policy/modules/services/oddjob_mkhomedir.te |   29 ++
 policy/modules/services/pegasus.if          |   31 ++
 policy/modules/services/pegasus.te          |    5 
 policy/modules/services/postfix.te          |    6 
 policy/modules/services/ricci.fc            |   20 +
 policy/modules/services/ricci.if            |  184 +++++++++++++
 policy/modules/services/ricci.te            |  386 ++++++++++++++++++++++++++++
 policy/modules/services/rpc.te              |    1 
 policy/modules/services/xserver.if          |   42 +++
 policy/modules/system/hostname.te           |    5 
 policy/modules/system/init.te               |    3 
 policy/modules/system/selinuxutil.te        |    3 
 policy/modules/system/userdomain.if         |  268 +++++++++++++------
 policy/modules/system/userdomain.te         |   48 +--
 41 files changed, 1344 insertions(+), 136 deletions(-)

Index: policy-20060829.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060829.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20060829.patch	5 Sep 2006 20:19:56 -0000	1.11
+++ policy-20060829.patch	6 Sep 2006 18:29:35 -0000	1.12
@@ -1,15 +1,7 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.3.12/Makefile
---- nsaserefpolicy/Makefile	2006-08-31 14:57:06.000000000 -0400
-+++ serefpolicy-2.3.12/Makefile	2006-09-05 16:16:40.000000000 -0400
-@@ -8,6 +8,7 @@
- # reload        - compile, install, and load/reload the policy configuration.
- # relabel       - relabel filesystems based on the file contexts configuration.
- # checklabels   - check filesystems against the file context configuration
-+# checkfilecontext  - check filesystems against the file context configuration
- # restorelabels - check filesystems against the file context configuration
- #                 and restore the label of files with incorrect labels
- # policy        - compile the policy configuration locally for testing/development.
-@@ -44,22 +45,25 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.3.13/Makefile
+--- nsaserefpolicy/Makefile	2006-09-06 13:04:51.000000000 -0400
++++ serefpolicy-2.3.13/Makefile	2006-09-06 13:18:45.000000000 -0400
+@@ -44,16 +44,17 @@
  endif
  
  # executable paths
@@ -19,36 +11,43 @@
 +USRSBINDIR ?= /usr/sbin
 +SBINDIR ?= /sbin
  ifdef TEST_TOOLCHAIN
--tc_bindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+ tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(BINDIR)
+-tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
+-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)/sbin
 +tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(USRSBINDIR)
- tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
++tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
  else
--tc_bindir := $(BINDIR)
+-tc_usrbindir := $(BINDIR)
+-tc_usrsbindir := $(SBINDIR)
+-tc_sbindir := /sbin
 +tc_usrbindir := $(USRBINDIR)
 +tc_usrsbindir := $(USRSBINDIR)
- tc_sbindir := $(SBINDIR)
++tc_sbindir := $(SBINDIR)
  endif
--CHECKPOLICY ?= $(tc_bindir)/checkpolicy
--CHECKMODULE ?= $(tc_bindir)/checkmodule
--SEMODULE ?= $(tc_sbindir)/semodule
--SEMOD_PKG ?= $(tc_bindir)/semodule_package
--SEMOD_LNK ?= $(tc_bindir)/semodule_link
--SEMOD_EXP ?= $(tc_bindir)/semodule_expand
--LOADPOLICY ?= $(tc_sbindir)/load_policy
-+CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
-+CHECKMODULE ?= $(tc_usrbindir)/checkmodule
-+SEMODULE ?= $(tc_usrsbindir)/semodule
-+SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
-+SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
-+SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
-+LOADPOLICY ?= $(tc_usrsbindir)/load_policy
- SETFILES ?= $(tc_sbindir)/setfiles
- XMLLINT ?= $(BINDIR)/xmllint
- SECHECK ?= $(BINDIR)/sechecker
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.12/policy/modules/admin/anaconda.te
+ CHECKPOLICY ?= $(tc_usrbindir)/checkpolicy
+ CHECKMODULE ?= $(tc_usrbindir)/checkmodule
+@@ -327,14 +328,14 @@
+ #
+ generate: $(generated_te) $(generated_if) $(generated_fc)
+ 
+-$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
++$(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.if.m4 $(moddir)/kernel/corenetwork.if.in
+ 	@echo "#" > $@
+ 	@echo "# This is a generated file!  Instead of modifying this file, the" >> $@
+ 	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ 	@echo "#" >> $@
+-	$(verbose) cat $@.in >> $@
+-	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
+-		| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
++	$(verbose) cat $(moddir)/kernel/corenetwork.if.in >> $@
++	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
++		| $(M4) -D self_contained_policy $(M4PARAM) $(moddir)/kernel/corenetwork.if.m4 - \
+ 		| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+ 
+ $(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.3.13/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2006-09-01 14:10:19.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/anaconda.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/anaconda.te	2006-09-06 13:18:45.000000000 -0400
 @@ -64,3 +64,9 @@
  optional_policy(`
  	usermanage_domtrans_admin_passwd(anaconda_t)
@@ -59,17 +58,17 @@
 +domain_dontaudit_getattr_all_stream_sockets(anaconda_t)
 +dontaudit domain anaconda_t:fd use;
 +domain_dontaudit_use_interactive_fds(anaconda_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.12/policy/modules/admin/bootloader.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.13/policy/modules/admin/bootloader.fc
 --- nsaserefpolicy/policy/modules/admin/bootloader.fc	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/bootloader.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/bootloader.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -10,3 +10,4 @@
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/boot/grub/.*		--	gen_context(system_u:object_r:boot_runtime_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.12/policy/modules/admin/bootloader.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.13/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/bootloader.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/bootloader.te	2006-09-06 13:18:45.000000000 -0400
 @@ -161,7 +161,7 @@
  	allow bootloader_t self:capability ipc_lock;
  
@@ -79,9 +78,9 @@
  
  	# mkinitrd mount initrd on bootloader temp dir
  	files_mountpoint(bootloader_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.12/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.13/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/consoletype.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/consoletype.te	2006-09-06 13:18:45.000000000 -0400
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -96,33 +95,9 @@
  mls_file_read_up(consoletype_t)
  mls_file_write_down(consoletype_t)
  role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.3.12/policy/modules/admin/firstboot.if
---- nsaserefpolicy/policy/modules/admin/firstboot.if	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/firstboot.if	2006-09-05 10:44:32.000000000 -0400
-@@ -111,20 +111,3 @@
- 
- 	allow $1 firstboot_t:fifo_file write;
- ')
--########################################
--## <summary>
--##	Read firstboot writable config files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	The type of the process performing this action.
--##	</summary>
--## </param>
--#
--interface(`firstboot_read_rw_files',`
--	gen_require(`
--		type firstboot_rw_t;
--	')
--
--	allow $1 firstboot_rw_t:file r_file_perms;
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.12/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.13/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/rpm.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/rpm.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -19,6 +19,8 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -132,9 +107,9 @@
  ')
  
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.12/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.13/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2006-08-02 10:34:09.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/admin/rpm.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/admin/rpm.if	2006-09-06 13:18:45.000000000 -0400
 @@ -75,12 +75,13 @@
  	')
  
@@ -155,9 +130,9 @@
  	allow rpm_t $3:chr_file rw_term_perms;
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.12/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.13/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/apps/java.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/apps/java.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -1,7 +1,7 @@
  #
  # /opt
@@ -167,20 +142,24 @@
  
  #
  # /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.12/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-09-01 14:10:17.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/corecommands.fc	2006-09-05 14:10:00.000000000 -0400
-@@ -122,6 +122,7 @@
- /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
- /usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
- 
-+/usr/lib/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.12/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-09-01 14:10:17.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/corenetwork.te.in	2006-09-05 09:37:39.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.3.13/policy/modules/apps/mono.te
+--- nsaserefpolicy/policy/modules/apps/mono.te	2006-09-01 14:10:17.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/apps/mono.te	2006-09-06 13:18:45.000000000 -0400
+@@ -7,10 +7,8 @@
+ #
+ 
+ type mono_t;
+-domain_type(mono_t)
+-
+ type mono_exec_t;
+-domain_entry_file(mono_t,mono_exec_t)
++init_system_domain(mono_t,mono_exec_t)
+ 
+ ########################################
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.13/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-09-06 13:04:50.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/corenetwork.te.in	2006-09-06 13:18:45.000000000 -0400
 @@ -67,6 +67,7 @@
  network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
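Review bot: In mono.te, replacing `domain_type(mono_t)` and `domain_entry_file(mono_t,mono_exec_t)` with `init_system_domain(mono_t,mono_exec_t)` is wider than a rewrite of those two rules: as far as I recall refpolicy's init_system_domain also places mono_t in the system_r role and adds an automatic transition into mono_t when the init script domain executes mono_exec_t, so the set of callers that can reach mono_t grows. The hunk carries no comment and the log message only says "Update from upstream", so the reason mono must be startable from init scripts is not recorded anywhere. I would add above the call `# init_system_domain: mono is also run from init scripts (<reason>), which needs the initrc transition and system_r role` with the placeholder filled in. The mono_t rules affected by the new role and transition lie outside the hunk.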
@@ -189,7 +168,7 @@
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dbskkd, tcp,1178,s0)
-@@ -121,12 +122,13 @@
+@@ -121,6 +122,8 @@
  network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(razor, tcp,2703,s0)
@@ -198,15 +177,9 @@
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
  network_port(router, udp,520,s0)
- network_port(rsh, tcp,514,s0)
- network_port(rsync, tcp,873,s0, udp,873,s0)
--network_port(setroubleshoot, tcp,3267,s0)
- network_port(smbd, tcp,137-139,s0, tcp,445,s0)
- network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
- network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.12/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.13/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/files.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/files.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -32,6 +32,7 @@
  /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
  /boot/lost\+found/.*		<<none>>
@@ -215,36 +188,17 @@
  
  #
  # /emul
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.12/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/filesystem.if	2006-09-05 14:35:07.000000000 -0400
-@@ -2095,7 +2095,7 @@
- 		type ramfs_t;
- 	')
- 
--	allow $1 ramfs_t:dir rw_dir_perms;
-+	allow $1 ramfs_t:dir manage_dir_perms;
- 	allow $1 ramfs_t:file manage_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.13/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-09-06 13:04:50.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/kernel/filesystem.if	2006-09-06 13:18:45.000000000 -0400
+@@ -3303,3 +3303,22 @@
+ 	allow $1 noxattrfs:blk_file { getattr relabelfrom };
+ 	allow $1 noxattrfs:chr_file { getattr relabelfrom };
  ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.12/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/kernel/terminal.if	2006-09-05 15:27:35.000000000 -0400
-@@ -252,7 +252,8 @@
- 	')
- 
- 	dev_list_all_dev_nodes($1)
--	allow $1 console_device_t:chr_file setattr;
-+	allow $1 console_device_t:chr_file setattr
-+;
- ')
- 
- ########################################
-@@ -433,6 +434,25 @@
- 
- ########################################
- ## <summary>
-+##	dontaudit setattr of generic pty types.
++
++#########################################
++## <summary>
++##	read, write rpc named pipes
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -252,23 +206,17 @@
 +##	</summary>
 +## </param>
 +#
-+# dwalsh: added for rhgb
-+interface(`term_dontaudit_setattr_generic_ptys',`
++interface(`fs_rw_rpc_named_pipes',`
 +	gen_require(`
-+		type devpts_t;
++		type nfs_t;
 +	')
 +
-+	dontaudit $1 devpts_t:chr_file setattr;
++	allow $1 rpc_pipefs_t:fifo_file { read write };
 +')
 +
-+########################################
-+## <summary>
- ##	Read and write the generic pty
- ##	type.  This is generally only used in
- ##	the targeted policy.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.12/policy/modules/services/amavis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.13/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/amavis.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/amavis.te	2006-09-06 13:18:45.000000000 -0400
 @@ -156,6 +156,7 @@
  
  ifdef(`targeted_policy',`
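Review bot: The new `fs_rw_rpc_named_pipes` interface in filesystem.if requires the wrong type: its `gen_require` block declares `type nfs_t;` while the only rule in the body is `allow $1 rpc_pipefs_t:fifo_file { read write };`. A policy module that calls this interface without requiring rpc_pipefs_t elsewhere will fail to build, and nfs_t is required for nothing. The require block should read `type rpc_pipefs_t;`. The interface's XML header comment starts in the preceding hunk; its summary `read, write rpc named pipes` could also follow the neighbouring interfaces' wording, e.g. `Read and write RPC named pipes.`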
@@ -277,18 +225,18 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.12/policy/modules/services/apache.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.13/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/apache.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/apache.te	2006-09-06 13:18:45.000000000 -0400
 @@ -712,4 +712,5 @@
  
  ifdef(`targeted_policy',`
  	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
 +	term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.12/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.13/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/bluetooth.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/bluetooth.te	2006-09-06 13:18:45.000000000 -0400
 @@ -217,14 +217,16 @@
  	fs_rw_tmpfs_files(bluetooth_helper_t)
  
@@ -307,9 +255,9 @@
  		xserver_stream_connect_xdm(bluetooth_helper_t)
  		xserver_use_xdm_fds(bluetooth_helper_t)
  		xserver_rw_xdm_pipes(bluetooth_helper_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.12/policy/modules/services/ccs.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.13/policy/modules/services/ccs.fc
 --- nsaserefpolicy/policy/modules/services/ccs.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ccs.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ccs.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,8 @@
 +# ccs executable will have:
 +# label: system_u:object_r:ccs_exec_t
@@ -319,9 +267,9 @@
 +/sbin/ccsd		--	gen_context(system_u:object_r:ccs_exec_t,s0)
 +/var/run/cluster(/.*)?		gen_context(system_u:object_r:ccs_var_run_t,s0)
 +/etc/cluster(/.*)?		gen_context(system_u:object_r:cluster_conf_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.12/policy/modules/services/ccs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.13/policy/modules/services/ccs.if
 --- nsaserefpolicy/policy/modules/services/ccs.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ccs.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ccs.if	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,65 @@
 +## <summary>policy for ccs</summary>
 +
@@ -388,9 +336,9 @@
 +	allow $1 cluster_conf_t:file { getattr read };
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.12/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.13/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ccs.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ccs.te	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,87 @@
 +policy_module(ccs,1.0.0)
 +
@@ -479,9 +427,9 @@
 +
 +allow ccs_t cluster_conf_t:dir r_dir_perms;
 +allow ccs_t cluster_conf_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.12/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.13/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/clamav.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/clamav.te	2006-09-06 13:18:45.000000000 -0400
 @@ -121,6 +121,7 @@
  cron_rw_pipes(clamd_t)
  
@@ -490,58 +438,9 @@
  	term_dontaudit_use_generic_ptys(clamd_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.12/policy/modules/services/cron.if
---- nsaserefpolicy/policy/modules/services/cron.if	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/cron.if	2006-09-05 09:37:39.000000000 -0400
-@@ -57,6 +57,8 @@
- 	type $1_crontab_tmp_t;
- 	files_tmp_file($1_crontab_tmp_t)
- 
-+
-+
- 	##############################
- 	#
- 	# $1_crond_t local policy
-@@ -178,10 +180,6 @@
- 	# $1_crontab_t local policy
- 	#
- 
--	# dac_override is to create the file in the directory under /tmp
--	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
--	allow $1_crontab_t self:process signal_perms;
--
- 	# Transition from the user domain to the derived domain.
- 	domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
- 	allow $2 $1_crontab_t:fd use;
-@@ -200,8 +198,13 @@
- 	# Allow crond to read those crontabs in cron spool.
- 	allow crond_t $1_cron_spool_t:file create_file_perms;
- 
--	allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
--	files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
-+	allow $1_crontab_t tmp_t:dir rw_dir_perms;
-+	allow $1_crontab_t $1_crontab_tmp_t:file create_file_perms;
-+	type_transition $1_crontab_t tmp_t:file $1_crontab_tmp_t;
-+
-+	# dac_override is to create the file in the directory under /tmp
-+	allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
-+	allow $1_crontab_t self:process signal_perms;
- 
- 	# create files in /var/spool/cron
- 	allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
-@@ -256,6 +259,9 @@
- 	')
- 
- 	ifdef(`TODO',`
-+	allow $1_crond_t tmp_t:dir rw_dir_perms;
-+	type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
-+
- 	# Read user crontabs
- 	dontaudit $1_crontab_t $1_home_dir_t:dir write;
- 	') dnl endif TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.12/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.13/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/cron.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/cron.te	2006-09-06 13:18:45.000000000 -0400
 @@ -175,6 +175,7 @@
  	allow crond_t crond_tmp_t:dir create_dir_perms;
  	allow crond_t crond_tmp_t:file create_file_perms;
@@ -550,9 +449,9 @@
  ')
  
  tunable_policy(`fcron_crond', `
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.12/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.13/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/dbus.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/dbus.if	2006-09-06 13:18:45.000000000 -0400
 @@ -123,6 +123,7 @@
  	selinux_compute_relabel_context($1_dbusd_t)
  	selinux_compute_user_contexts($1_dbusd_t)
@@ -561,35 +460,9 @@
  	corecmd_list_bin($1_dbusd_t)
  	corecmd_read_bin_symlinks($1_dbusd_t)
  	corecmd_read_bin_files($1_dbusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.12/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te	2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/dovecot.te	2006-09-05 09:37:39.000000000 -0400
-@@ -46,8 +46,6 @@
- allow dovecot_t self:tcp_socket create_stream_socket_perms;
- allow dovecot_t self:unix_dgram_socket create_socket_perms;
- allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
--allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
--
- domain_auto_trans(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
- allow dovecot_t dovecot_auth_t:fd use;
- allow dovecot_auth_t dovecot_t:process sigchld;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.12/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/networkmanager.te	2006-09-05 09:37:39.000000000 -0400
-@@ -18,9 +18,7 @@
- # Local policy
- #
- 
--# networkmanager will ptrace itself if gdb is installed
--# and it receives a unexpected signal (rh bug #204161) 
--allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
-+allow NetworkManager_t self:capability { kill setgid setuid sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock};
- dontaudit NetworkManager_t self:capability sys_tty_config;
- allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
- allow NetworkManager_t self:fifo_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.12/policy/modules/services/oddjob.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.13/policy/modules/services/oddjob.fc
 --- nsaserefpolicy/policy/modules/services/oddjob.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,8 @@
 +# oddjob executable will have:
 +# label: system_u:object_r:oddjob_exec_t
@@ -599,9 +472,9 @@
 +/usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
 +/var/run/oddjobd.pid			gen_context(system_u:object_r:oddjob_var_run_t,s0)
 +/usr/lib/oddjobd			gen_context(system_u:object_r:oddjob_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.12/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.13/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob.if	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,76 @@
 +## <summary>policy for oddjob</summary>
 +
@@ -679,9 +552,9 @@
 +	allow $1 oddjob_t:dbus send_msg;
 +	allow oddjob_t $1:dbus send_msg;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.fc
 --- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,6 @@
 +# oddjob_mkhomedir executable will have:
 +# label: system_u:object_r:oddjob_mkhomedir_exec_t
@@ -689,9 +562,9 @@
 +# MCS categories: <none>
 +
 +/usr/lib/oddjob/mkhomedir		--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.if
 --- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.if	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,24 @@
 +## <summary>policy for oddjob_mkhomedir</summary>
 +
@@ -717,9 +590,9 @@
 +	allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
 +	allow oddjob_mkhomedir_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.te
 --- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob_mkhomedir.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob_mkhomedir.te	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,29 @@
 +policy_module(oddjob_mkhomedir,1.0.0)
 +
@@ -750,9 +623,9 @@
 +oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 +domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.12/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.13/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/oddjob.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/oddjob.te	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,73 @@
 +policy_module(oddjob,1.0.0)
 +
@@ -827,9 +700,9 @@
 +	term_dontaudit_use_unallocated_ttys(oddjob_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.12/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.13/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if	2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/pegasus.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/pegasus.if	2006-09-06 13:18:45.000000000 -0400
 @@ -1 +1,32 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 +
@@ -863,9 +736,9 @@
 +	allow pegasus_t $1:fifo_file rw_file_perms;
 +	allow pegasus_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.12/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.13/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2006-08-23 12:14:54.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/pegasus.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/pegasus.te	2006-09-06 13:18:45.000000000 -0400
 @@ -100,13 +100,12 @@
  
  auth_use_nsswitch(pegasus_t)
@@ -882,9 +755,9 @@
  files_read_var_lib_symlinks(pegasus_t)
  
  hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.12/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.13/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/postfix.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/postfix.te	2006-09-06 13:18:45.000000000 -0400
 @@ -171,6 +171,11 @@
  mta_rw_aliases(postfix_master_t)
  mta_read_sendmail_bin(postfix_master_t)
@@ -905,134 +778,9 @@
  	term_dontaudit_use_generic_ptys(postfix_map_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.3.12/policy/modules/services/rhgb.te
---- nsaserefpolicy/policy/modules/services/rhgb.te	2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/rhgb.te	2006-09-05 15:28:11.000000000 -0400
-@@ -10,9 +10,6 @@
- type rhgb_exec_t;
- init_daemon_domain(rhgb_t,rhgb_exec_t)
- 
--type rhgb_devpts_t;
--term_pty(rhgb_devpts_t)
--
- type rhgb_tmpfs_t;
- files_tmpfs_file(rhgb_tmpfs_t)
- 
-@@ -21,7 +18,7 @@
- # Local policy
- #
- 
--allow rhgb_t self:capability { sys_admin sys_tty_config };
-+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
- dontaudit rhgb_t self:capability sys_tty_config;
- allow rhgb_t self:process signal_perms;
- allow rhgb_t self:shm create_shm_perms;
-@@ -29,9 +26,7 @@
- allow rhgb_t self:fifo_file rw_file_perms;
- allow rhgb_t self:tcp_socket create_socket_perms;
- allow rhgb_t self:udp_socket create_socket_perms;
--
--allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
--term_create_pty(rhgb_t,rhgb_devpts_t)
-+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
- 
- allow rhgb_t rhgb_tmpfs_t:dir manage_dir_perms;
- allow rhgb_t rhgb_tmpfs_t:file manage_file_perms;
-@@ -39,12 +34,14 @@
- allow rhgb_t rhgb_tmpfs_t:sock_file manage_file_perms;
- allow rhgb_t rhgb_tmpfs_t:fifo_file manage_file_perms;
- fs_tmpfs_filetrans(rhgb_t,rhgb_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-+fs_getattr_tmpfs(rhgb_t)
- 
- kernel_read_kernel_sysctls(rhgb_t)
- kernel_read_system_state(rhgb_t)
- 
- corecmd_exec_bin(rhgb_t)
- corecmd_exec_sbin(rhgb_t)
-+corecmd_exec_shell(rhgb_t)
- 
- corenet_non_ipsec_sendrecv(rhgb_t)
- corenet_tcp_sendrecv_generic_if(rhgb_t)
-@@ -61,6 +58,7 @@
- domain_use_interactive_fds(rhgb_t)
- 
- files_read_etc_files(rhgb_t)
-+files_read_var_files(rhgb_t)
- files_read_etc_runtime_files(rhgb_t)
- files_search_tmp(rhgb_t)
- files_read_usr_files(rhgb_t)
-@@ -80,6 +78,8 @@
- 
- term_dontaudit_use_console(rhgb_t)
- term_use_unallocated_ttys(rhgb_t)
-+term_use_ptmx(rhgb_t)
-+term_getattr_pty_fs(rhgb_t)
- 
- init_use_fds(rhgb_t)
- init_use_script_ptys(rhgb_t)
-@@ -96,6 +96,7 @@
- miscfiles_read_fonts(rhgb_t)
- 
- sysnet_read_config(rhgb_t)
-+sysnet_domtrans_ifconfig(rhgb_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
- 
-@@ -104,14 +105,21 @@
- # for running setxkbmap
- xserver_read_xkb_libs(rhgb_t)
- 
--ifdef(`targeted_policy',`
-+ifdef(`strict_policy',`
-+	type rhgb_devpts_t;
-+	term_pty(rhgb_devpts_t)
-+
-+	allow rhgb_t rhgb_devpts_t:chr_file { rw_file_perms setattr };
-+	term_create_pty(rhgb_t,rhgb_devpts_t)
-+', `
-+	term_dontaudit_use_generic_ptys(rhgb_t)
-+	term_dontaudit_setattr_generic_ptys(rhgb_t)
- 	term_dontaudit_use_unallocated_ttys(rhgb_t)
- 	term_dontaudit_use_generic_ptys(rhgb_t)
- 	files_dontaudit_read_root_files(rhgb_t)
--')
--
--optional_policy(`
--	firstboot_read_rw_files(rhgb_t)
-+	xserver_domtrans_xdm_xserver(rhgb_t)
-+	xserver_signal_xdm_xserver(rhgb_t)
-+	xserver_read_xdm_tmp_files(rhgb_t)
- ')
- 
- optional_policy(`
-@@ -126,22 +134,13 @@
- 	udev_read_db(rhgb_t)
- ')
- 
-+userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
-+
- ifdef(`TODO',`
--	#TODO
--	ifdef(`hide_broken_symptoms', `
--		# for a bug in the X server
--		dontaudit mount_t rhgb_gph_t:fd use;
--	')
- 	#TODO this seems a bit much
- 	allow domain rhgb_devpts_t:chr_file { read write };
--	#TODO this (ie files_dontaudit_read_default_files(rhgb_t))doesn't make sense with the following
--	allow rhgb_t default_t:file { getattr read };
- 	#TODO
- 	# for gnome-pty-helper
- 	gph_domain(rhgb, system)
- 	allow initrc_t rhgb_gph_t:fd use;
--	ifdef(`hide_broken_symptoms', `
--		# it should not do this
--		dontaudit rhgb_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
--	')
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.12/policy/modules/services/ricci.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.13/policy/modules/services/ricci.fc
 --- nsaserefpolicy/policy/modules/services/ricci.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ricci.fc	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ricci.fc	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,20 @@
 +# ricci executable will have:
 +# label: system_u:object_r:ricci_exec_t
@@ -1054,9 +802,9 @@
 +/usr/sbin/ricci-modservice	--	gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
 +/usr/sbin/ricci-modstorage	--	gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.12/policy/modules/services/ricci.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.13/policy/modules/services/ricci.if
 --- nsaserefpolicy/policy/modules/services/ricci.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ricci.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ricci.if	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,184 @@
 +## <summary>policy for ricci</summary>
 +
@@ -1242,9 +990,9 @@
 +	allow $1 ricci_modcluster_var_run_t:sock_file write;
 +	allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.12/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.13/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.12/policy/modules/services/ricci.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/ricci.te	2006-09-06 13:18:45.000000000 -0400
 @@ -0,0 +1,386 @@
 +policy_module(ricci,1.0.0)
 +
@@ -1632,162 +1380,21 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.12/policy/modules/services/setroubleshoot.te
---- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/setroubleshoot.te	2006-09-05 09:37:39.000000000 -0400
-@@ -64,9 +64,7 @@
- corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
- corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
- corenet_tcp_bind_all_nodes(setroubleshootd_t)
--corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
- corenet_tcp_connect_smtp_port(setroubleshootd_t)
--corenet_sendrecv_setroubleshoot_server_packets(setroubleshootd_t)
- corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
- 
- dev_read_urand(setroubleshootd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.12/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te	2006-08-16 08:46:30.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/ssh.te	2006-09-05 13:13:30.000000000 -0400
-@@ -39,10 +39,6 @@
- 	type ssh_agent_exec_t;
- 	files_type(ssh_agent_exec_t)
- 
--	type ssh_keygen_t;
--	init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
--	role system_r types ssh_keygen_t;
--
- 	ssh_server_template(sshd)
- 	ssh_server_template(sshd_extern)
- 
-@@ -193,62 +189,68 @@
- # ssh_keygen local policy
- #
- 
--ifdef(`targeted_policy',`',`
--	# ssh_keygen_t is the type of the ssh-keygen program when run at install time
--	# and by sysadm_t
-+# ssh_keygen_t is the type of the ssh-keygen program when run at install time
-+# and by sysadm_t
- 
--	dontaudit ssh_keygen_t self:capability sys_tty_config;
--	allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-+type ssh_keygen_t;
-+init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
-+role system_r types ssh_keygen_t;
- 
--	allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
-+dontaudit ssh_keygen_t self:capability sys_tty_config;
-+allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
- 
--	allow ssh_keygen_t sshd_key_t:file create_file_perms;
--	files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
-+allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
- 
--	kernel_read_kernel_sysctls(ssh_keygen_t)
-+allow ssh_keygen_t sshd_key_t:file create_file_perms;
-+files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
- 
--	fs_search_auto_mountpoints(ssh_keygen_t)
-+kernel_read_kernel_sysctls(ssh_keygen_t)
- 
--	dev_read_sysfs(ssh_keygen_t)
--	dev_read_urand(ssh_keygen_t)
-+fs_search_auto_mountpoints(ssh_keygen_t)
- 
--	term_dontaudit_use_console(ssh_keygen_t)
-+dev_read_sysfs(ssh_keygen_t)
-+dev_read_urand(ssh_keygen_t)
- 
--	domain_use_interactive_fds(ssh_keygen_t)
-+term_dontaudit_use_console(ssh_keygen_t)
- 
--	files_read_etc_files(ssh_keygen_t)
-+domain_use_interactive_fds(ssh_keygen_t)
- 
--	init_use_fds(ssh_keygen_t)
--	init_use_script_ptys(ssh_keygen_t)
-+files_read_etc_files(ssh_keygen_t)
- 
--	libs_use_ld_so(ssh_keygen_t)
--	libs_use_shared_libs(ssh_keygen_t)
-+init_use_fds(ssh_keygen_t)
-+init_use_script_ptys(ssh_keygen_t)
- 
--	logging_send_syslog_msg(ssh_keygen_t)
-+libs_use_ld_so(ssh_keygen_t)
-+libs_use_shared_libs(ssh_keygen_t)
- 
--	allow ssh_keygen_t proc_t:dir r_dir_perms;
--	allow ssh_keygen_t proc_t:lnk_file read;
-+logging_send_syslog_msg(ssh_keygen_t)
- 
--	userdom_use_sysadm_ttys(ssh_keygen_t)
--	userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+allow ssh_keygen_t proc_t:dir r_dir_perms;
-+allow ssh_keygen_t proc_t:lnk_file read;
- 
--	# cjp: with the old daemon_(base_)domain being broken up into
--	# a daemon and system interface, this probably is not needed:
--	ifdef(`direct_sysadm_daemon',`
--		userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
--	')
-+userdom_use_sysadm_ttys(ssh_keygen_t)
-+userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
- 
--	ifdef(`targeted_policy', `
--		term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
--		term_dontaudit_use_generic_ptys(ssh_keygen_t)
--		files_dontaudit_read_root_files(ssh_keygen_t)
--	')
-+# cjp: with the old daemon_(base_)domain being broken up into
-+# a daemon and system interface, this probably is not needed:
-+ifdef(`direct_sysadm_daemon',`
-+	userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
-+')
- 
--	optional_policy(`
--		seutil_sigchld_newrole(ssh_keygen_t)
--	')
-+ifdef(`targeted_policy', `
-+	term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
-+	term_dontaudit_use_generic_ptys(ssh_keygen_t)
-+	files_dontaudit_read_root_files(ssh_keygen_t)
-+')
- 
--	optional_policy(`
--		udev_read_db(ssh_keygen_t)
--	')
-+optional_policy(`
-+	seutil_sigchld_newrole(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+	udev_read_db(ssh_keygen_t)
-+')
-+
-+optional_policy(`
-+	nscd_socket_use(ssh_keygen_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.12/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/xserver.if	2006-09-05 15:13:42.000000000 -0400
-@@ -1053,7 +1053,6 @@
- 	gen_require(`
- 		type xdm_xserver_tmp_t;
- 	')
--
- 	allow $1 xdm_xserver_tmp_t:file { getattr read };
- ')
- 
-@@ -1072,6 +1071,7 @@
- 		type xdm_tmp_t;
- 	')
- 
-+	allow $1 xdm_tmp_t:dir search_dir_perms;
- 	allow $1 xdm_tmp_t:file { getattr read };
- ')
- 
-@@ -1133,3 +1133,45 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.3.13/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te	2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/rpc.te	2006-09-06 13:18:45.000000000 -0400
+@@ -53,6 +53,7 @@
+ fs_read_rpc_files(rpcd_t)
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_read_rpc_sockets(rpcd_t) 
++fs_rw_rpc_named_pipes(rpcd_t) 
+ term_use_controlling_term(rpcd_t)
+ 
+ # cjp: this should really have its own type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.13/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-06 13:04:51.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/services/xserver.if	2006-09-06 13:18:45.000000000 -0400
+@@ -1152,3 +1152,45 @@
  	allow $1 xdm_xserver_tmp_t:sock_file write;
  	allow $1 xdm_xserver_t:unix_stream_socket connectto;
  ')
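Review bot: The added line `fs_rw_rpc_named_pipes(rpcd_t) ` in the new rpc.te hunk carries trailing whitespace and no rationale, although it widens rpcd_t from the read-only access granted by the `fs_read_rpc_*` lines above it to read/write on the rpc filesystem's named pipes. I would strip the trailing space and put a why-comment above it, e.g. `# rpcd needs to write the rpc filesystem's pipes: <placeholder: bug or denial reference>`. The interface is not visible here; the diffstat lists a 19-line addition to filesystem.if, which presumably defines it, and if it does not the rpc module will not build. The rpcd_t local-policy block starts and ends outside the hunk.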
@@ -1833,45 +1440,9 @@
 +	allow $1 xdm_xserver_t:process signal;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.12/policy/modules/services/xserver.te
---- nsaserefpolicy/policy/modules/services/xserver.te	2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/services/xserver.te	2006-09-05 15:02:35.000000000 -0400
-@@ -214,15 +214,15 @@
- userdom_read_all_users_state(xdm_t)
- userdom_signal_all_users(xdm_t)
- 
-+allow xdm_t xdm_tmp_t:dir manage_dir_perms;
-+allow xdm_t xdm_tmp_t:file manage_file_perms;
-+allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
-+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
-+
- ifdef(`strict_policy',`
- 	allow xdm_t xdm_lock_t:file create_file_perms;
- 	files_lock_filetrans(xdm_t,xdm_lock_t,file)
- 
--	allow xdm_t xdm_tmp_t:dir manage_dir_perms;
--	allow xdm_t xdm_tmp_t:file manage_file_perms;
--	allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
--	files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
--
- 	allow xdm_t xdm_tmpfs_t:dir manage_dir_perms;
- 	allow xdm_t xdm_tmpfs_t:file manage_file_perms;
- 	allow xdm_t xdm_tmpfs_t:lnk_file create_lnk_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.3.12/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te	2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/authlogin.te	2006-09-05 09:37:39.000000000 -0400
-@@ -176,7 +176,7 @@
- dev_setattr_xserver_misc_dev(pam_console_t)
- dev_read_urand(pam_console_t)
- 
--fs_search_auto_mountpoints(pam_console_t)
-+fs_list_auto_mountpoints(pam_console_t)
- 
- mls_file_read_up(pam_console_t)
- mls_file_write_down(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.12/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.13/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/hostname.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/hostname.te	2006-09-06 13:18:45.000000000 -0400
 @@ -8,7 +8,10 @@
  
  type hostname_t;
@@ -1884,9 +1455,9 @@
  role system_r types hostname_t;
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.12/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.13/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-08-28 16:22:32.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/init.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/init.te	2006-09-06 13:18:45.000000000 -0400
 @@ -361,7 +361,8 @@
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
@@ -1897,9 +1468,9 @@
  # slapd needs to read cert files from its initscript
  miscfiles_read_certs(initrc_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.12/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.13/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/selinuxutil.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/selinuxutil.te	2006-09-06 14:19:33.000000000 -0400
 @@ -450,6 +450,7 @@
  selinux_compute_user_contexts(restorecond_t)
  
@@ -1908,22 +1479,18 @@
  
  auth_relabel_all_files_except_shadow(restorecond_t )
  auth_read_all_files_except_shadow(restorecond_t)
-@@ -622,6 +623,12 @@
+@@ -622,6 +623,8 @@
  	# Handle pp files created in homedir and /tmp
  	files_read_generic_tmp_files(semanage_t)
  	userdom_read_generic_user_home_content_files(semanage_t)
 +',`
-+	ifdef(`enable_mls',`
-+		userdom_read_user_tmp_files(secadm, semanage_t)
-+	',`
-+		userdom_read_user_tmp_files(sysadm, semanage_t)
-+	')
++	userdom_read_admin_tmp_files(semanage_t)
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.12/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.13/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-08-16 08:46:31.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/userdomain.if	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/userdomain.if	2006-09-06 14:19:50.000000000 -0400
 @@ -8,11 +8,10 @@
  ## <desc>
  ##	<p>
@@ -2075,7 +1642,10 @@
 -		allow $1_t self:process execmem;
 -	')
 +	sysnet_dns_name_resolve($1_t)
-+
+ 
+-	tunable_policy(`allow_execmem && allow_execstack',`
+-		# Allow making the stack executable via mprotect.
+-		allow $1_t self:process execstack;
 +')
 +#######################################
 +## <summary>
@@ -2100,10 +1670,7 @@
 +## </param>
 +#
 +template(`base_login_user_template',`
- 
--	tunable_policy(`allow_execmem && allow_execstack',`
--		# Allow making the stack executable via mprotect.
--		allow $1_t self:process execstack;
++
 +	gen_require(`
 +		attribute $1_file_type;
 +		attribute home_dir_type, home_type;
@@ -2366,7 +1933,7 @@
  	allow $1 user_home_t:dir rw_dir_perms;
  	allow $1 user_home_t:sock_file create_file_perms;
  ')
-@@ -4740,3 +4794,34 @@
+@@ -4740,3 +4794,55 @@
  	allow $1 user_home_dir_t:dir create_dir_perms;
  	files_home_filetrans($1,user_home_dir_t,dir)
  ')
@@ -2401,9 +1968,30 @@
 +        dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.12/policy/modules/system/userdomain.te
++
++########################################
++## <summary>
++##	Read admin temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_read_admin_tmp_files',`
++
++	ifdef(`enable_mls',`
++               userdom_read_user_tmp_files(secadm, $1)
++	',`
++               userdom_read_user_tmp_files(sysadm, $1)
++        ')
++
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.13/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-08-16 08:46:31.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/userdomain.te	2006-09-05 09:37:39.000000000 -0400
++++ serefpolicy-2.3.13/policy/modules/system/userdomain.te	2006-09-06 13:18:45.000000000 -0400
 @@ -56,14 +56,6 @@
  # Local policy
  #
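Review bot: The new `userdom_read_admin_tmp_files` interface mixes tab and space indentation: the two `userdom_read_user_tmp_files(...)` calls and the closing `')` of the ifdef are indented with runs of spaces, while the `ifdef` and `',`' lines and the rest of the file use tabs, and there is a stray blank line after the `interface(` line and another before its closing `')`. I would re-indent the body with one tab for the ifdef lines and two for the calls, and drop the two blank lines, so the interface matches the surrounding file. The summary only says "Read admin temporary files."; it should name which domain's files are granted, e.g. `##	Read the temporary files of the admin user (secadm when enable_mls is enabled, sysadm otherwise).`, since the caller in selinuxutil.te earlier in this patch relies on that selection.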
@@ -2503,26 +2091,9 @@
  		', `
  			selinux_set_enforce_mode(sysadm_t)
  			selinux_set_boolean(sysadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.12/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te	2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.12/policy/modules/system/xen.te	2006-09-05 12:50:19.000000000 -0400
-@@ -131,6 +131,7 @@
- corenet_tcp_bind_xen_port(xend_t)
- corenet_tcp_bind_soundd_port(xend_t)
- corenet_tcp_bind_generic_port(xend_t)
-+corenet_tcp_bind_vnc_port(xend_t)
- corenet_sendrecv_xen_server_packets(xend_t)
- corenet_sendrecv_soundd_server_packets(xend_t)
- corenet_rw_tun_tap_dev(xend_t)
-@@ -313,3 +314,5 @@
- xen_append_log(xm_t)
- xen_stream_connect(xm_t)
- xen_stream_connect_xenstore(xm_t)
-+
-+userdom_dontaudit_search_sysadm_home_dirs(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.12/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.13/Rules.modular
 --- nsaserefpolicy/Rules.modular	2006-08-31 14:57:06.000000000 -0400
-+++ serefpolicy-2.3.12/Rules.modular	2006-09-05 16:00:01.000000000 -0400
++++ serefpolicy-2.3.13/Rules.modular	2006-09-06 13:18:45.000000000 -0400
 @@ -218,6 +218,16 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.273
retrieving revision 1.274
diff -u -r1.273 -r1.274
--- selinux-policy.spec	5 Sep 2006 21:13:31 -0000	1.273
+++ selinux-policy.spec	6 Sep 2006 18:29:35 -0000	1.274
@@ -15,8 +15,8 @@
 %define CHECKPOLICYVER 1.30.4-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.3.12
-Release: 2
+Version: 2.3.13
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -348,6 +348,9 @@
 %endif
 
 %changelog
+* Wed Sep 6 2006 Dan Walsh <dwalsh at redhat.com> 2.3.13-1
+- Update from upstream
+
 * Tue Sep 5 2006 Dan Walsh <dwalsh at redhat.com> 2.3.12-2
 - Fixup for test6
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- sources	5 Sep 2006 12:03:37 -0000	1.89
+++ sources	6 Sep 2006 18:29:35 -0000	1.90
@@ -1 +1 @@
-7e9a4c9a8502055eb0f7a5b9f399b6cd  serefpolicy-2.3.12.tgz
+2dcf233ed155c1cceeebd12a2be76acd  serefpolicy-2.3.13.tgz



