rpms/selinux-policy/devel policy-20060915.patch, 1.4, 1.5 selinux-policy.spec, 1.285, 1.286 setrans-mls.conf, 1.2, 1.3 setrans-strict.conf, 1.1, 1.2 setrans-targeted.conf, 1.1, 1.2 setrans.conf, 1.1, 1.2 seusers, 1.1, 1.2 seusers-mls, 1.3, 1.4 seusers-strict, 1.2, 1.3 seusers-targeted, 1.1, 1.2 file_contexts.patch, 1.2, NONE
fedora-cvs-commits at redhat.com
Tue Sep 19 14:59:48 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15492
Modified Files:
policy-20060915.patch selinux-policy.spec setrans-mls.conf
setrans-strict.conf setrans-targeted.conf setrans.conf seusers
seusers-mls seusers-strict seusers-targeted
Removed Files:
file_contexts.patch
Log Message:
* Mon Sep 18 2006 Dan Walsh <dwalsh at redhat.com> 2.3.14-4
- Multiple policy fixes
- Change max categories to 1023
policy-20060915.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 2
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-strict-mls/seusers | 2
config/appconfig-targeted-mcs/seusers | 2
config/appconfig-targeted-mls/initrc_context | 2
config/appconfig-targeted-mls/seusers | 2
policy/flask/mkaccess_vector.sh | 3
policy/global_tunables | 9
policy/mcs | 197 +++++++++++++
policy/mls | 225 ++++++++++++++-
policy/modules/admin/amanda.fc | 6
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 10
policy/modules/admin/consoletype.te | 7
policy/modules/admin/firstboot.te | 1
policy/modules/admin/logwatch.te | 2
policy/modules/admin/rpm.fc | 3
policy/modules/admin/usermanage.te | 5
policy/modules/apps/java.fc | 2
policy/modules/apps/mono.te | 9
policy/modules/kernel/corecommands.fc | 2
policy/modules/kernel/corenetwork.te.in | 13
policy/modules/kernel/corenetwork.te.m4 | 13
policy/modules/kernel/devices.fc | 10
policy/modules/kernel/domain.te | 8
policy/modules/kernel/files.fc | 27 -
policy/modules/kernel/files.if | 46 +++
policy/modules/kernel/filesystem.if | 19 +
policy/modules/kernel/kernel.te | 24 -
policy/modules/kernel/mcs.te | 17 -
policy/modules/kernel/mls.te | 10
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 48 +--
policy/modules/kernel/terminal.fc | 2
policy/modules/kernel/terminal.if | 2
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 9
policy/modules/services/apache.te | 6
policy/modules/services/automount.te | 1
policy/modules/services/bluetooth.fc | 3
policy/modules/services/bluetooth.te | 11
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/clamav.te | 1
policy/modules/services/cups.te | 31 +-
policy/modules/services/dbus.if | 1
policy/modules/services/dhcp.te | 7
policy/modules/services/kerberos.if | 2
policy/modules/services/lpd.fc | 1
policy/modules/services/networkmanager.fc | 1
policy/modules/services/networkmanager.te | 3
policy/modules/services/ntp.te | 3
policy/modules/services/oddjob.fc | 8
policy/modules/services/oddjob.if | 76 +++++
policy/modules/services/oddjob.te | 73 +++++
policy/modules/services/oddjob_mkhomedir.fc | 6
policy/modules/services/oddjob_mkhomedir.if | 24 +
policy/modules/services/oddjob_mkhomedir.te | 29 ++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 6
policy/modules/services/ppp.fc | 4
policy/modules/services/ppp.te | 10
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 386 +++++++++++++++++++++++++++
policy/modules/services/rpc.te | 3
policy/modules/services/setroubleshoot.te | 7
policy/modules/services/snmp.if | 19 +
policy/modules/services/xfs.te | 2
policy/modules/services/xserver.if | 24 +
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.te | 4
policy/modules/system/hostname.te | 5
policy/modules/system/init.te | 3
policy/modules/system/libraries.fc | 5
policy/modules/system/logging.fc | 8
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/selinuxutil.te | 4
policy/modules/system/setrans.fc | 2
policy/modules/system/setrans.te | 1
policy/modules/system/unconfined.te | 2
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 2
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 2
policy/users | 14
89 files changed, 1821 insertions(+), 148 deletions(-)
Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20060915.patch 16 Sep 2006 12:06:36 -0000 1.4
+++ policy-20060915.patch 19 Sep 2006 14:59:46 -0000 1.5
@@ -1,6 +1,66 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/seusers serefpolicy-2.3.14/config/appconfig-strict-mcs/seusers
+--- nsaserefpolicy/config/appconfig-strict-mcs/seusers 2006-07-14 17:04:48.000000000 -0400
++++ serefpolicy-2.3.14/config/appconfig-strict-mcs/seusers 2006-09-19 10:47:17.000000000 -0400
+@@ -1,2 +1,2 @@
+-root:root:s0-s0:c0.c255
++root:root:s0-s0:c0.c1023
+ __default__:user_u:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/initrc_context serefpolicy-2.3.14/config/appconfig-strict-mls/initrc_context
+--- nsaserefpolicy/config/appconfig-strict-mls/initrc_context 2006-07-14 17:04:47.000000000 -0400
++++ serefpolicy-2.3.14/config/appconfig-strict-mls/initrc_context 2006-09-19 10:47:17.000000000 -0400
+@@ -1 +1 @@
+-system_u:system_r:initrc_t:s0-s15:c0.c255
++system_u:system_r:initrc_t:s0-s15:c0.c1023
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/seusers serefpolicy-2.3.14/config/appconfig-strict-mls/seusers
+--- nsaserefpolicy/config/appconfig-strict-mls/seusers 2006-07-14 17:04:47.000000000 -0400
++++ serefpolicy-2.3.14/config/appconfig-strict-mls/seusers 2006-09-19 10:47:17.000000000 -0400
+@@ -1,2 +1,2 @@
+-root:root:s0-s15:c0.c255
++root:root:s0-s15:c0.c1023
+ __default__:user_u:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/seusers serefpolicy-2.3.14/config/appconfig-targeted-mcs/seusers
+--- nsaserefpolicy/config/appconfig-targeted-mcs/seusers 2006-07-14 17:04:47.000000000 -0400
++++ serefpolicy-2.3.14/config/appconfig-targeted-mcs/seusers 2006-09-19 10:47:17.000000000 -0400
+@@ -1,2 +1,2 @@
+-root:root:s0-s0:c0.c255
++root:root:s0-s0:c0.c1023
+ __default__:user_u:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/initrc_context serefpolicy-2.3.14/config/appconfig-targeted-mls/initrc_context
+--- nsaserefpolicy/config/appconfig-targeted-mls/initrc_context 2006-07-14 17:04:48.000000000 -0400
++++ serefpolicy-2.3.14/config/appconfig-targeted-mls/initrc_context 2006-09-19 10:47:17.000000000 -0400
+@@ -1 +1 @@
+-user_u:system_r:initrc_t:s0-s15:c0.c255
++user_u:system_r:initrc_t:s0-s15:c0.c1023
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/seusers serefpolicy-2.3.14/config/appconfig-targeted-mls/seusers
+--- nsaserefpolicy/config/appconfig-targeted-mls/seusers 2006-07-14 17:04:48.000000000 -0400
++++ serefpolicy-2.3.14/config/appconfig-targeted-mls/seusers 2006-09-19 10:47:17.000000000 -0400
+@@ -1,2 +1,2 @@
+-root:root:s0-s15:c0.c255
++root:root:s0-s15:c0.c1023
+ __default__:user_u:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/mkaccess_vector.sh serefpolicy-2.3.14/policy/flask/mkaccess_vector.sh
+--- nsaserefpolicy/policy/flask/mkaccess_vector.sh 2006-07-14 17:04:28.000000000 -0400
++++ serefpolicy-2.3.14/policy/flask/mkaccess_vector.sh 2006-09-19 10:47:17.000000000 -0400
+@@ -118,7 +118,6 @@
+ printf(" ") > outfile;
+ printf("0x%08xUL\n", ind[i]) > outfile;
+ }
+- printf("\n") > outfile;
+ for (i in ind) delete ind[i];
+ for (i in inherited_perms) delete inherited_perms[i];
+
+@@ -214,8 +213,6 @@
+ printf("TE_(common_%s_perm_to_string)\n\n", common_name) > cpermfile;
+ }
+
+- printf("\n") > outfile;
+-
+ nextstate = "COMMON_OR_AV";
+ }
+ END {
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.3.14/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-09-15 13:14:28.000000000 -0400
-+++ serefpolicy-2.3.14/policy/global_tunables 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/global_tunables 2006-09-19 10:47:17.000000000 -0400
@@ -587,3 +587,12 @@
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
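Review bot: the seusers and initrc_context edits in this hunk raise root's and initrc's category range from `c0.c255` to `c0.c1023`, which only loads if policy/mcs and policy/mls declare categories c256 through c1023 and raise their `level` statements to match; the changelog entry "Change max categories to 1023" says that is the intent, so the category declarations and these appconfig files must ship in the same build, or the new entries reference undefined categories and the policy fails to load. The `__default__:user_u:s0` line is left alone, so unprivileged logins still get no categories. The mkaccess_vector.sh part only drops two `printf("\n") > outfile;` calls that emitted blank lines into the generated header, which is cosmetic.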
@@ -16,20 +76,481 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.3.14/policy/mcs
--- nsaserefpolicy/policy/mcs 2006-08-02 10:34:09.000000000 -0400
-+++ serefpolicy-2.3.14/policy/mcs 2006-09-15 13:59:07.000000000 -0400
-@@ -139,6 +139,9 @@
++++ serefpolicy-2.3.14/policy/mcs 2006-09-19 10:47:17.000000000 -0400
+@@ -83,12 +83,204 @@
+ category c244; category c245; category c246; category c247;
+ category c248; category c249; category c250; category c251;
+ category c252; category c253; category c254; category c255;
++category c256; category c257; category c258; category c259;
++category c260; category c261; category c262; category c263;
++category c264; category c265; category c266; category c267;
++category c268; category c269; category c270; category c271;
++category c272; category c273; category c274; category c275;
++category c276; category c277; category c278; category c279;
++category c280; category c281; category c282; category c283;
++category c284; category c285; category c286; category c287;
++category c288; category c289; category c290; category c291;
++category c292; category c293; category c294; category c295;
++category c296; category c297; category c298; category c299;
++category c300; category c301; category c302; category c303;
++category c304; category c305; category c306; category c307;
++category c308; category c309; category c310; category c311;
++category c312; category c313; category c314; category c315;
++category c316; category c317; category c318; category c319;
++category c320; category c321; category c322; category c323;
++category c324; category c325; category c326; category c327;
++category c328; category c329; category c330; category c331;
++category c332; category c333; category c334; category c335;
++category c336; category c337; category c338; category c339;
++category c340; category c341; category c342; category c343;
++category c344; category c345; category c346; category c347;
++category c348; category c349; category c350; category c351;
++category c352; category c353; category c354; category c355;
++category c356; category c357; category c358; category c359;
++category c360; category c361; category c362; category c363;
++category c364; category c365; category c366; category c367;
++category c368; category c369; category c370; category c371;
++category c372; category c373; category c374; category c375;
++category c376; category c377; category c378; category c379;
++category c380; category c381; category c382; category c383;
++category c384; category c385; category c386; category c387;
++category c388; category c389; category c390; category c391;
++category c392; category c393; category c394; category c395;
++category c396; category c397; category c398; category c399;
++category c400; category c401; category c402; category c403;
++category c404; category c405; category c406; category c407;
++category c408; category c409; category c410; category c411;
++category c412; category c413; category c414; category c415;
++category c416; category c417; category c418; category c419;
++category c420; category c421; category c422; category c423;
++category c424; category c425; category c426; category c427;
++category c428; category c429; category c430; category c431;
++category c432; category c433; category c434; category c435;
++category c436; category c437; category c438; category c439;
++category c440; category c441; category c442; category c443;
++category c444; category c445; category c446; category c447;
++category c448; category c449; category c450; category c451;
++category c452; category c453; category c454; category c455;
++category c456; category c457; category c458; category c459;
++category c460; category c461; category c462; category c463;
++category c464; category c465; category c466; category c467;
++category c468; category c469; category c470; category c471;
++category c472; category c473; category c474; category c475;
++category c476; category c477; category c478; category c479;
++category c480; category c481; category c482; category c483;
++category c484; category c485; category c486; category c487;
++category c488; category c489; category c490; category c491;
++category c492; category c493; category c494; category c495;
++category c496; category c497; category c498; category c499;
++category c500; category c501; category c502; category c503;
++category c504; category c505; category c506; category c507;
++category c508; category c509; category c510; category c511;
++category c512; category c513; category c514; category c515;
++category c516; category c517; category c518; category c519;
++category c520; category c521; category c522; category c523;
++category c524; category c525; category c526; category c527;
++category c528; category c529; category c530; category c531;
++category c532; category c533; category c534; category c535;
++category c536; category c537; category c538; category c539;
++category c540; category c541; category c542; category c543;
++category c544; category c545; category c546; category c547;
++category c548; category c549; category c550; category c551;
++category c552; category c553; category c554; category c555;
++category c556; category c557; category c558; category c559;
++category c560; category c561; category c562; category c563;
++category c564; category c565; category c566; category c567;
++category c568; category c569; category c570; category c571;
++category c572; category c573; category c574; category c575;
++category c576; category c577; category c578; category c579;
++category c580; category c581; category c582; category c583;
++category c584; category c585; category c586; category c587;
++category c588; category c589; category c590; category c591;
++category c592; category c593; category c594; category c595;
++category c596; category c597; category c598; category c599;
++category c600; category c601; category c602; category c603;
++category c604; category c605; category c606; category c607;
++category c608; category c609; category c610; category c611;
++category c612; category c613; category c614; category c615;
++category c616; category c617; category c618; category c619;
++category c620; category c621; category c622; category c623;
++category c624; category c625; category c626; category c627;
++category c628; category c629; category c630; category c631;
++category c632; category c633; category c634; category c635;
++category c636; category c637; category c638; category c639;
++category c640; category c641; category c642; category c643;
++category c644; category c645; category c646; category c647;
++category c648; category c649; category c650; category c651;
++category c652; category c653; category c654; category c655;
++category c656; category c657; category c658; category c659;
++category c660; category c661; category c662; category c663;
++category c664; category c665; category c666; category c667;
++category c668; category c669; category c670; category c671;
++category c672; category c673; category c674; category c675;
++category c676; category c677; category c678; category c679;
++category c680; category c681; category c682; category c683;
++category c684; category c685; category c686; category c687;
++category c688; category c689; category c690; category c691;
++category c692; category c693; category c694; category c695;
++category c696; category c697; category c698; category c699;
++category c700; category c701; category c702; category c703;
++category c704; category c705; category c706; category c707;
++category c708; category c709; category c710; category c711;
++category c712; category c713; category c714; category c715;
++category c716; category c717; category c718; category c719;
++category c720; category c721; category c722; category c723;
++category c724; category c725; category c726; category c727;
++category c728; category c729; category c730; category c731;
++category c732; category c733; category c734; category c735;
++category c736; category c737; category c738; category c739;
++category c740; category c741; category c742; category c743;
++category c744; category c745; category c746; category c747;
++category c748; category c749; category c750; category c751;
++category c752; category c753; category c754; category c755;
++category c756; category c757; category c758; category c759;
++category c760; category c761; category c762; category c763;
++category c764; category c765; category c766; category c767;
++category c768; category c769; category c770; category c771;
++category c772; category c773; category c774; category c775;
++category c776; category c777; category c778; category c779;
++category c780; category c781; category c782; category c783;
++category c784; category c785; category c786; category c787;
++category c788; category c789; category c790; category c791;
++category c792; category c793; category c794; category c795;
++category c796; category c797; category c798; category c799;
++category c800; category c801; category c802; category c803;
++category c804; category c805; category c806; category c807;
++category c808; category c809; category c810; category c811;
++category c812; category c813; category c814; category c815;
++category c816; category c817; category c818; category c819;
++category c820; category c821; category c822; category c823;
++category c824; category c825; category c826; category c827;
++category c828; category c829; category c830; category c831;
++category c832; category c833; category c834; category c835;
++category c836; category c837; category c838; category c839;
++category c840; category c841; category c842; category c843;
++category c844; category c845; category c846; category c847;
++category c848; category c849; category c850; category c851;
++category c852; category c853; category c854; category c855;
++category c856; category c857; category c858; category c859;
++category c860; category c861; category c862; category c863;
++category c864; category c865; category c866; category c867;
++category c868; category c869; category c870; category c871;
++category c872; category c873; category c874; category c875;
++category c876; category c877; category c878; category c879;
++category c880; category c881; category c882; category c883;
++category c884; category c885; category c886; category c887;
++category c888; category c889; category c890; category c891;
++category c892; category c893; category c894; category c895;
++category c896; category c897; category c898; category c899;
++category c900; category c901; category c902; category c903;
++category c904; category c905; category c906; category c907;
++category c908; category c909; category c910; category c911;
++category c912; category c913; category c914; category c915;
++category c916; category c917; category c918; category c919;
++category c920; category c921; category c922; category c923;
++category c924; category c925; category c926; category c927;
++category c928; category c929; category c930; category c931;
++category c932; category c933; category c934; category c935;
++category c936; category c937; category c938; category c939;
++category c940; category c941; category c942; category c943;
++category c944; category c945; category c946; category c947;
++category c948; category c949; category c950; category c951;
++category c952; category c953; category c954; category c955;
++category c956; category c957; category c958; category c959;
++category c960; category c961; category c962; category c963;
++category c964; category c965; category c966; category c967;
++category c968; category c969; category c970; category c971;
++category c972; category c973; category c974; category c975;
++category c976; category c977; category c978; category c979;
++category c980; category c981; category c982; category c983;
++category c984; category c985; category c986; category c987;
++category c988; category c989; category c990; category c991;
++category c992; category c993; category c994; category c995;
++category c996; category c997; category c998; category c999;
++category c1000; category c1001; category c1002; category c1003;
++category c1004; category c1005; category c1006; category c1007;
++category c1008; category c1009; category c1010; category c1011;
++category c1012; category c1013; category c1014; category c1015;
++category c1016; category c1017; category c1018; category c1019;
++category c1020; category c1021; category c1022; category c1023;
+
+ #
+ # Each MCS level specifies a sensitivity and zero or more categories which may
+ # be associated with that sensitivity.
+ #
+-level s0:c0.c255;
++level s0:c0.c1023;
+
+ #
+ # Define the MCS policy
+@@ -139,6 +331,9 @@
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
( h1 dom h2 );
+mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
-+ ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.3.14/policy/mls
+--- nsaserefpolicy/policy/mls 2006-09-01 14:10:19.000000000 -0400
++++ serefpolicy-2.3.14/policy/mls 2006-09-19 10:47:17.000000000 -0400
+@@ -97,28 +97,219 @@
+ category c244; category c245; category c246; category c247;
+ category c248; category c249; category c250; category c251;
+ category c252; category c253; category c254; category c255;
+-
++category c256; category c257; category c258; category c259;
++category c260; category c261; category c262; category c263;
++category c264; category c265; category c266; category c267;
++category c268; category c269; category c270; category c271;
++category c272; category c273; category c274; category c275;
++category c276; category c277; category c278; category c279;
++category c280; category c281; category c282; category c283;
++category c284; category c285; category c286; category c287;
++category c288; category c289; category c290; category c291;
++category c292; category c293; category c294; category c295;
++category c296; category c297; category c298; category c299;
++category c300; category c301; category c302; category c303;
++category c304; category c305; category c306; category c307;
++category c308; category c309; category c310; category c311;
++category c312; category c313; category c314; category c315;
++category c316; category c317; category c318; category c319;
++category c320; category c321; category c322; category c323;
++category c324; category c325; category c326; category c327;
++category c328; category c329; category c330; category c331;
++category c332; category c333; category c334; category c335;
++category c336; category c337; category c338; category c339;
++category c340; category c341; category c342; category c343;
++category c344; category c345; category c346; category c347;
++category c348; category c349; category c350; category c351;
++category c352; category c353; category c354; category c355;
++category c356; category c357; category c358; category c359;
++category c360; category c361; category c362; category c363;
++category c364; category c365; category c366; category c367;
++category c368; category c369; category c370; category c371;
++category c372; category c373; category c374; category c375;
++category c376; category c377; category c378; category c379;
++category c380; category c381; category c382; category c383;
++category c384; category c385; category c386; category c387;
++category c388; category c389; category c390; category c391;
++category c392; category c393; category c394; category c395;
++category c396; category c397; category c398; category c399;
++category c400; category c401; category c402; category c403;
++category c404; category c405; category c406; category c407;
++category c408; category c409; category c410; category c411;
++category c412; category c413; category c414; category c415;
++category c416; category c417; category c418; category c419;
++category c420; category c421; category c422; category c423;
++category c424; category c425; category c426; category c427;
++category c428; category c429; category c430; category c431;
++category c432; category c433; category c434; category c435;
++category c436; category c437; category c438; category c439;
++category c440; category c441; category c442; category c443;
++category c444; category c445; category c446; category c447;
++category c448; category c449; category c450; category c451;
++category c452; category c453; category c454; category c455;
++category c456; category c457; category c458; category c459;
++category c460; category c461; category c462; category c463;
++category c464; category c465; category c466; category c467;
++category c468; category c469; category c470; category c471;
++category c472; category c473; category c474; category c475;
++category c476; category c477; category c478; category c479;
++category c480; category c481; category c482; category c483;
++category c484; category c485; category c486; category c487;
++category c488; category c489; category c490; category c491;
++category c492; category c493; category c494; category c495;
++category c496; category c497; category c498; category c499;
++category c500; category c501; category c502; category c503;
++category c504; category c505; category c506; category c507;
++category c508; category c509; category c510; category c511;
++category c512; category c513; category c514; category c515;
++category c516; category c517; category c518; category c519;
++category c520; category c521; category c522; category c523;
++category c524; category c525; category c526; category c527;
++category c528; category c529; category c530; category c531;
++category c532; category c533; category c534; category c535;
++category c536; category c537; category c538; category c539;
++category c540; category c541; category c542; category c543;
++category c544; category c545; category c546; category c547;
++category c548; category c549; category c550; category c551;
++category c552; category c553; category c554; category c555;
++category c556; category c557; category c558; category c559;
++category c560; category c561; category c562; category c563;
++category c564; category c565; category c566; category c567;
++category c568; category c569; category c570; category c571;
++category c572; category c573; category c574; category c575;
++category c576; category c577; category c578; category c579;
++category c580; category c581; category c582; category c583;
++category c584; category c585; category c586; category c587;
++category c588; category c589; category c590; category c591;
++category c592; category c593; category c594; category c595;
++category c596; category c597; category c598; category c599;
++category c600; category c601; category c602; category c603;
++category c604; category c605; category c606; category c607;
++category c608; category c609; category c610; category c611;
++category c612; category c613; category c614; category c615;
++category c616; category c617; category c618; category c619;
++category c620; category c621; category c622; category c623;
++category c624; category c625; category c626; category c627;
++category c628; category c629; category c630; category c631;
++category c632; category c633; category c634; category c635;
++category c636; category c637; category c638; category c639;
++category c640; category c641; category c642; category c643;
++category c644; category c645; category c646; category c647;
++category c648; category c649; category c650; category c651;
++category c652; category c653; category c654; category c655;
++category c656; category c657; category c658; category c659;
++category c660; category c661; category c662; category c663;
++category c664; category c665; category c666; category c667;
++category c668; category c669; category c670; category c671;
++category c672; category c673; category c674; category c675;
++category c676; category c677; category c678; category c679;
++category c680; category c681; category c682; category c683;
++category c684; category c685; category c686; category c687;
++category c688; category c689; category c690; category c691;
++category c692; category c693; category c694; category c695;
++category c696; category c697; category c698; category c699;
++category c700; category c701; category c702; category c703;
++category c704; category c705; category c706; category c707;
++category c708; category c709; category c710; category c711;
++category c712; category c713; category c714; category c715;
++category c716; category c717; category c718; category c719;
++category c720; category c721; category c722; category c723;
++category c724; category c725; category c726; category c727;
++category c728; category c729; category c730; category c731;
++category c732; category c733; category c734; category c735;
++category c736; category c737; category c738; category c739;
++category c740; category c741; category c742; category c743;
++category c744; category c745; category c746; category c747;
++category c748; category c749; category c750; category c751;
++category c752; category c753; category c754; category c755;
++category c756; category c757; category c758; category c759;
++category c760; category c761; category c762; category c763;
++category c764; category c765; category c766; category c767;
++category c768; category c769; category c770; category c771;
++category c772; category c773; category c774; category c775;
++category c776; category c777; category c778; category c779;
++category c780; category c781; category c782; category c783;
++category c784; category c785; category c786; category c787;
++category c788; category c789; category c790; category c791;
++category c792; category c793; category c794; category c795;
++category c796; category c797; category c798; category c799;
++category c800; category c801; category c802; category c803;
++category c804; category c805; category c806; category c807;
++category c808; category c809; category c810; category c811;
++category c812; category c813; category c814; category c815;
++category c816; category c817; category c818; category c819;
++category c820; category c821; category c822; category c823;
++category c824; category c825; category c826; category c827;
++category c828; category c829; category c830; category c831;
++category c832; category c833; category c834; category c835;
++category c836; category c837; category c838; category c839;
++category c840; category c841; category c842; category c843;
++category c844; category c845; category c846; category c847;
++category c848; category c849; category c850; category c851;
++category c852; category c853; category c854; category c855;
++category c856; category c857; category c858; category c859;
++category c860; category c861; category c862; category c863;
++category c864; category c865; category c866; category c867;
++category c868; category c869; category c870; category c871;
++category c872; category c873; category c874; category c875;
++category c876; category c877; category c878; category c879;
++category c880; category c881; category c882; category c883;
++category c884; category c885; category c886; category c887;
++category c888; category c889; category c890; category c891;
++category c892; category c893; category c894; category c895;
++category c896; category c897; category c898; category c899;
++category c900; category c901; category c902; category c903;
++category c904; category c905; category c906; category c907;
++category c908; category c909; category c910; category c911;
++category c912; category c913; category c914; category c915;
++category c916; category c917; category c918; category c919;
++category c920; category c921; category c922; category c923;
++category c924; category c925; category c926; category c927;
++category c928; category c929; category c930; category c931;
++category c932; category c933; category c934; category c935;
++category c936; category c937; category c938; category c939;
++category c940; category c941; category c942; category c943;
++category c944; category c945; category c946; category c947;
++category c948; category c949; category c950; category c951;
++category c952; category c953; category c954; category c955;
++category c956; category c957; category c958; category c959;
++category c960; category c961; category c962; category c963;
++category c964; category c965; category c966; category c967;
++category c968; category c969; category c970; category c971;
++category c972; category c973; category c974; category c975;
++category c976; category c977; category c978; category c979;
++category c980; category c981; category c982; category c983;
++category c984; category c985; category c986; category c987;
++category c988; category c989; category c990; category c991;
++category c992; category c993; category c994; category c995;
++category c996; category c997; category c998; category c999;
++category c1000; category c1001; category c1002; category c1003;
++category c1004; category c1005; category c1006; category c1007;
++category c1008; category c1009; category c1010; category c1011;
++category c1012; category c1013; category c1014; category c1015;
++category c1016; category c1017; category c1018; category c1019;
++category c1020; category c1021; category c1022; category c1023;
+
+ #
+ # Each MLS level specifies a sensitivity and zero or more categories which may
+ # be associated with that sensitivity.
+ #
+-level s0:c0.c255;
+-level s1:c0.c255;
+-level s2:c0.c255;
+-level s3:c0.c255;
+-level s4:c0.c255;
+-level s5:c0.c255;
+-level s6:c0.c255;
+-level s7:c0.c255;
+-level s8:c0.c255;
+-level s9:c0.c255;
+-level s10:c0.c255;
+-level s11:c0.c255;
+-level s12:c0.c255;
+-level s13:c0.c255;
+-level s14:c0.c255;
+-level s15:c0.c255;
++level s0:c0.c1023;
++level s1:c0.c1023;
++level s2:c0.c1023;
++level s3:c0.c1023;
++level s4:c0.c1023;
++level s5:c0.c1023;
++level s6:c0.c1023;
++level s7:c0.c1023;
++level s8:c0.c1023;
++level s9:c0.c1023;
++level s10:c0.c1023;
++level s11:c0.c1023;
++level s12:c0.c1023;
++level s13:c0.c1023;
++level s14:c0.c1023;
++level s15:c0.c1023;
+
+
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-2.3.14/policy/modules/admin/amanda.fc
+--- nsaserefpolicy/policy/modules/admin/amanda.fc 2006-09-05 07:41:02.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/amanda.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -16,8 +16,8 @@
+ /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+ /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
+ /var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
+-/var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
+ /var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
+-/var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
+-
++/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
++/var/lib/amanda/[^/]+/index(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
++/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
+ /var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
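Review bot: the new catch-all `/var/lib/amanda/[^/]+(/.*)? ... amanda_data_t` also matches the `gnutar-lists(/.*)?` and `\.amandahosts` entries above it, so keeping those at amanda_gnutarlists_t and amanda_config_t depends on the more specific patterns taking precedence in the sorted file_contexts; worth confirming with matchpathcon on the built policy. Two smaller points: the index rule uses `[^/]+` while the log rule uses `[^/]*` (which also matches an empty config name), so make both `[^/]+`; and the index directories move from amanda_data_t to amanda_var_lib_t, which is a relabel for existing installs and deserves a line in the changelog.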
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.3.14/policy/modules/admin/bootloader.fc
--- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/admin/bootloader.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/bootloader.fc 2006-09-19 10:47:17.000000000 -0400
@@ -6,7 +6,10 @@
/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
@@ -44,7 +565,7 @@
+/boot/grub/.* -- gen_context(system_u:object_r:boot_runtime_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.14/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/admin/bootloader.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/bootloader.te 2006-09-19 10:47:17.000000000 -0400
@@ -21,6 +21,13 @@
type bootloader_exec_t;
domain_entry_file(bootloader_t,bootloader_exec_t)
@@ -59,9 +580,19 @@
#
# bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc.
+@@ -161,7 +168,8 @@
+ allow bootloader_t self:capability ipc_lock;
+
+ # new file system defaults to file_t, granting file_t access is still bad.
+- allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
++ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202410
++ allow bootloader_t boot_runtime_t:file { rw_file_perms unlink };
+
+ # mkinitrd mount initrd on bootloader temp dir
+ files_mountpoint(bootloader_tmp_t)
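Review bot: widening `r_file_perms` to `rw_file_perms` on boot_runtime_t files sits directly under the comment warning that granting access to the default type is bad, and the only justification is the bug URL. Since the bootloader.fc hunk above labels `/boot/grub/.*` as boot_runtime_t, say in the comment what bootloader_t actually needs to write there, and check whether the single `write` permission (or `append`) suffices rather than the full rw_file_perms set.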
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.14/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-08-29 09:00:30.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/admin/consoletype.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/consoletype.te 2006-09-19 10:47:17.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -78,7 +609,7 @@
role system_r types consoletype_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.14/policy/modules/admin/firstboot.te
--- nsaserefpolicy/policy/modules/admin/firstboot.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/admin/firstboot.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/firstboot.te 2006-09-19 10:47:17.000000000 -0400
@@ -58,6 +58,7 @@
auth_dontaudit_getattr_shadow(firstboot_t)
@@ -87,10 +618,29 @@
files_exec_etc_files(firstboot_t)
files_manage_etc_files(firstboot_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.3.14/policy/modules/admin/logwatch.te
+--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-09-15 13:14:27.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/logwatch.te 2006-09-19 10:47:17.000000000 -0400
+@@ -63,8 +63,10 @@
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+ files_dontaudit_search_home(logwatch_t)
++files_dontaudit_search_boot(logwatch_t)
+
+ fs_getattr_all_fs(logwatch_t)
++fs_dontaudit_list_auto_mountpoints(logwatch_t)
+
+ term_dontaudit_getattr_pty_dirs(logwatch_t)
+ term_dontaudit_list_ptys(logwatch_t)
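Review bot: `files_dontaudit_search_boot` and `fs_dontaudit_list_auto_mountpoints` only silence the denials; if logwatch genuinely needs to search /boot or list autofs mountpoints to produce a report, this hides a functional failure instead of fixing it. If the accesses are just noise from a filesystem walk, a one-line comment saying so would spare the next person from re-investigating the AVC.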
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.3.14/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/admin/rpm.fc 2006-09-15 13:59:07.000000000 -0400
-@@ -19,6 +19,8 @@
++++ serefpolicy-2.3.14/policy/modules/admin/rpm.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -15,10 +15,13 @@
+
+ ifdef(`distro_redhat', `
+ /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -101,7 +651,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.14/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-09-05 07:41:02.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/admin/usermanage.te 2006-09-15 16:18:55.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/admin/usermanage.te 2006-09-19 10:47:17.000000000 -0400
@@ -442,6 +442,11 @@
nis_use_ypbind(sysadm_passwd_t)
')
@@ -116,7 +666,7 @@
# Useradd local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.14/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/apps/java.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/apps/java.fc 2006-09-19 10:47:17.000000000 -0400
@@ -1,7 +1,7 @@
#
# /opt
@@ -128,7 +678,7 @@
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.3.14/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2006-09-01 14:10:17.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/apps/mono.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/apps/mono.te 2006-09-19 10:47:17.000000000 -0400
@@ -7,10 +7,8 @@
#
@@ -153,7 +703,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.3.14/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-09-06 13:04:50.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/corecommands.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/corecommands.fc 2006-09-19 10:47:17.000000000 -0400
@@ -125,7 +125,7 @@
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
@@ -165,7 +715,7 @@
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.14/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-06 13:04:50.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/corenetwork.te.in 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/corenetwork.te.in 2006-09-19 10:47:17.000000000 -0400
@@ -67,6 +67,7 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
@@ -183,9 +733,41 @@
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
+@@ -165,15 +168,15 @@
+ # nodes in net_contexts or net_contexts.mls.
+ #
+ type node_t, node_type;
+-sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
++sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c1023)
+
+ network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
+ network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
+ type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
+ network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
+-network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
++network_node(lo, s0 - s15:c0.c1023, 127.0.0.1, 255.255.255.255)
+ network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
+-network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
++network_node(multicast, s0 - s15:c0.c1023, ff00::, ff00::)
+ network_node(site_local, s0, fec0::, ffc0::)
+ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
+
+@@ -186,10 +189,10 @@
+ # netif_t is the default type of network interfaces.
+ #
+ type netif_t, netif_type;
+-sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
++sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c1023)
+
+ ifdef(`enable_mls',`
+-network_interface(lo, lo,s0 - s15:c0.c255)
++network_interface(lo, lo,s0 - s15:c0.c1023)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.3.14/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2006-09-15 13:14:21.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/corenetwork.te.m4 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/corenetwork.te.m4 2006-09-19 10:47:17.000000000 -0400
@@ -32,6 +32,19 @@
declare_nodes($1_node_t,shift($*))
')
@@ -208,18 +790,44 @@
typeattribute $1 reserved_port_type;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.14/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-09-05 07:40:59.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/devices.fc 2006-09-15 16:57:07.000000000 -0400
-@@ -45,6 +45,7 @@
++++ serefpolicy-2.3.14/policy/modules/kernel/devices.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -24,10 +24,10 @@
+ /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+-/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
++/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c1023)
+ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+-/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
++/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c1023)
+ /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -36,16 +36,18 @@
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+-/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c255)
++/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,s15:c0.c1023)
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+-/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
++/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c1023)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
++/dev/raw1394. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/(misc/)?rtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
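Review bot: the new entry `/dev/raw1394.` has a trailing `.` that requires exactly one more character, so the node named `/dev/raw1394` itself will not match; the neighbouring `/dev/em8300.*` suggests `.*` was intended (or drop the dot). Labelling the raw IEEE 1394 interface as v4l_device_t also means every domain allowed v4l devices gets raw access to the FireWire bus, which is a larger grant than a capture device; if that is deliberate, a comment should say so. The memory_device_t and nvram_device_t moves to `s15:c0.c1023` are consistent with the new level definitions.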
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.3.14/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-07-14 17:04:30.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/domain.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/domain.te 2006-09-19 10:47:17.000000000 -0400
@@ -144,3 +144,11 @@
# act on all domains keys
@@ -234,18 +842,104 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.14/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-05 07:41:00.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/files.fc 2006-09-15 13:59:07.000000000 -0400
-@@ -32,6 +32,7 @@
- /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++++ serefpolicy-2.3.14/policy/modules/kernel/files.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -29,9 +29,10 @@
+ /boot -d gen_context(system_u:object_r:boot_t,s0)
+ /boot/.* gen_context(system_u:object_r:boot_t,s0)
+ /boot/\.journal <<none>>
+-/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
+/boot/grub/slapsh.xpm.gz -- gen_context(system_u:object_r:boot_t,s0)
#
# /emul
+@@ -92,9 +93,9 @@
+ # HOME_ROOT
+ # expanded by genhomedircon
+ #
+-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c255)
++HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-s15:c0.c1023)
+ HOME_ROOT/\.journal <<none>>
+-HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ HOME_ROOT/lost\+found/.* <<none>>
+
+ #
+@@ -112,7 +113,7 @@
+ #
+ # /lost+found
+ #
+-/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ /lost\+found/.* <<none>>
+
+ #
+@@ -176,11 +177,11 @@
+ #
+ # /tmp
+ #
+-/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
++/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c1023)
+ /tmp/.* <<none>>
+ /tmp/\.journal <<none>>
+
+-/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ /tmp/lost\+found/.* <<none>>
+
+ #
+@@ -200,12 +201,12 @@
+
+ /usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ /usr/local/lost\+found/.* <<none>>
+
+ /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
+-/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ /usr/lost\+found/.* <<none>>
+
+ /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+@@ -213,7 +214,7 @@
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+-/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
++/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c1023)
+ /usr/tmp/.* <<none>>
+
+ #
+@@ -233,18 +234,18 @@
+
+ /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
+-/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ /var/lost\+found/.* <<none>>
+
+-/var/run -d gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
++/var/run -d gen_context(system_u:object_r:var_run_t,s0-s15:c0.c1023)
+ /var/run/.* gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.*\.*pid <<none>>
+
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+ /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
++/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c1023)
+ /var/tmp/.* <<none>>
+-/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
++/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
+ /var/tmp/lost\+found/.* <<none>>
+ /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
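Review bot: the range updates to `s0-s15:c0.c1023` and `s15:c0.c1023` match the new level definitions. Separately, the context line `/boot/grub/slapsh.xpm.gz` carried in this patch looks like a transposition of `splash.xpm.gz`; as written it matches nothing, so the splash image keeps the boot_runtime_t label from the `/boot/grub/.*` rule in bootloader.fc instead of the boot_t this entry was meant to give it.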
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.14/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-15 13:14:21.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/files.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/files.if 2006-09-19 10:47:17.000000000 -0400
@@ -386,7 +386,7 @@
attribute file_type, security_file_type;
')
@@ -305,7 +999,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.14/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-15 13:14:21.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/filesystem.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/filesystem.if 2006-09-19 10:47:17.000000000 -0400
@@ -3363,3 +3363,22 @@
allow $1 noxattrfs:blk_file { getattr relabelfrom };
allow $1 noxattrfs:chr_file { getattr relabelfrom };
@@ -329,20 +1023,232 @@
+ allow $1 rpc_pipefs_t:fifo_file { read write };
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.3.14/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-08-29 09:00:26.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/kernel.te 2006-09-19 10:47:17.000000000 -0400
+@@ -39,7 +39,7 @@
+ domain_base_type(kernel_t)
+ mls_rangetrans_source(kernel_t)
+ role system_r types kernel_t;
+-sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
++sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c1023)
+
+ #
+ # DebugFS
+@@ -62,13 +62,13 @@
+
+ # kernel message interface
+ type proc_kmsg_t, proc_type;
+-genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
++genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c1023)
+ neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+
+ # /proc kcore: inaccessible
+ type proc_kcore_t, proc_type;
+ neverallow ~kern_unconfined proc_kcore_t:file ~getattr;
+-genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
++genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c1023)
+
+ type proc_mdstat_t, proc_type;
+ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
+@@ -136,18 +136,18 @@
+ # have labels that are no longer valid are treated as having this type.
+ #
+ type unlabeled_t;
+-sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
++sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
+
+ # These initial sids are no longer used, and can be removed:
+-sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
++sid any_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
+ sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
+-sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+-sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
++sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
++sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
+ sid init gen_context(system_u:object_r:unlabeled_t,s0)
+-sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+-sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+-sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+-sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
++sid kmod gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
++sid netmsg gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
++sid policy gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
++sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
+ sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
+@@ -155,7 +155,7 @@
+ sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
+-sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
++sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c1023)
+
+ ########################################
+ #
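Review bot: the block under `# These initial sids are no longer used, and can be removed:` is being edited rather than removed; since every line in it has to be touched anyway for the new range, this is the natural point to drop them instead of carrying fresh SystemHigh contexts for SIDs the comment says are dead.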
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.3.14/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te 2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/mcs.te 2006-09-16 07:49:53.000000000 -0400
-@@ -43,6 +43,7 @@
- range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
- range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
- range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
-+range_transition initrc_t setrans_exec_t s0 - s0:c0.c255;
- range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
- range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
++++ serefpolicy-2.3.14/policy/modules/kernel/mcs.te 2006-09-19 10:47:17.000000000 -0400
+@@ -37,14 +37,15 @@
+ # default and have the daemons which need to run with all categories be
+ # exceptions. But while range_transitions have to be in the base module
+ # this is not possible.
+-range_transition getty_t login_exec_t s0 - s0:c0.c255;
+-range_transition init_t xdm_exec_t s0 - s0:c0.c255;
+-range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
+-range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+-range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+-range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+-range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+-range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
++range_transition getty_t login_exec_t s0 - s0:c0.c1023;
++range_transition init_t xdm_exec_t s0 - s0:c0.c1023;
++range_transition initrc_t crond_exec_t s0 - s0:c0.c1023;
++range_transition initrc_t cupsd_exec_t s0 - s0:c0.c1023;
++range_transition initrc_t sshd_exec_t s0 - s0:c0.c1023;
++range_transition initrc_t udev_exec_t s0 - s0:c0.c1023;
++range_transition initrc_t setrans_exec_t s0 - s0:c0.c1023;
++range_transition initrc_t xdm_exec_t s0 - s0:c0.c1023;
++range_transition kernel_t udev_exec_t s0 - s0:c0.c1023;
+
+ # these might be targeted_policy only
+ range_transition unconfined_t initrc_exec_t s0;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.3.14/policy/modules/kernel/mls.te
+--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-07-14 17:04:29.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/mls.te 2006-09-19 10:47:17.000000000 -0400
+@@ -61,9 +61,9 @@
+ type setrans_exec_t;
+
+ ifdef(`enable_mls',`
+-range_transition initrc_t auditd_exec_t s15:c0.c255;
+-range_transition kernel_t init_exec_t s0 - s15:c0.c255;
+-range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+-range_transition initrc_t setrans_exec_t s15:c0.c255;
+-range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
++range_transition initrc_t auditd_exec_t s15:c0.c1023;
++range_transition kernel_t init_exec_t s0 - s15:c0.c1023;
++range_transition kernel_t lvm_exec_t s0 - s15:c0.c1023;
++range_transition initrc_t setrans_exec_t s15:c0.c1023;
++range_transition run_init_t initrc_exec_t s0 - s15:c0.c1023;
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.3.14/policy/modules/kernel/selinux.te
+--- nsaserefpolicy/policy/modules/kernel/selinux.te 2006-08-02 10:34:05.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/selinux.te 2006-09-19 10:47:17.000000000 -0400
+@@ -19,7 +19,7 @@
+ type security_t;
+ fs_type(security_t)
+ mls_trusted_object(security_t)
+-sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
++sid security gen_context(system_u:object_r:security_t,s15:c0.c1023)
+ genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+
+ neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.3.14/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-08-02 10:34:05.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/storage.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -5,36 +5,36 @@
+ /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ ifdef(`distro_redhat', `
+-/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+ ')
+ /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
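Review bot: these fixed_disk_device_t entries now carry s15:c0.c1023, which is only a valid context once the category count in policy/mcs and policy/mls (both in this patch's diffstat) is raised in the same build; if the .fc change lands against a policy that still defines c0.c255, every one of these lines fails context validation when file_contexts is built. Worth stating in the changelog that the two halves must ship together, since the log message only says "Change max categories to 1023".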
+@@ -42,25 +42,25 @@
+ /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c255)
+-/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+-/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/ub[a-z] -b gen_context(system_u:object_r:removable_device_t,s15:c0.c1023)
++/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
++/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+-/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+-/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+ /dev/floppy/[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+-/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+-/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+ /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+-/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+-/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
+
+ /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
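Review bot: /dev/ub[a-z] (the one removable_device_t line in this hunk) is rewritten to s15:c0.c1023 while every other removable_device_t entry in the file stays at s0 (/dev/s(cd|r), /dev/sbpcd, /dev/floppy/, /dev/usb/rio500 in the surrounding context); the high range looks carried over from the fixed-disk lines rather than intended for USB storage, so it should either be justified or dropped to s0 like its neighbours. Likewise /dev/md/.* keeps fixed_disk_device_t at s0 while /dev/mapper/.* gets s15:c0.c1023, which is inconsistent for two kinds of aggregated block device.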
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.3.14/policy/modules/kernel/terminal.fc
+--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2006-09-01 14:10:17.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/terminal.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -18,7 +18,7 @@
+
+ /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
+
+-/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c255)
++/dev/pts -d gen_context(system_u:object_r:devpts_t,s0-s15:c0.c1023)
+
+ /dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.3.14/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-09-15 13:14:21.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/kernel/terminal.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/kernel/terminal.if 2006-09-19 10:47:17.000000000 -0400
@@ -917,7 +917,7 @@
type tty_device_t;
')
@@ -354,7 +1260,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.14/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/amavis.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/amavis.te 2006-09-19 10:47:17.000000000 -0400
@@ -156,6 +156,7 @@
ifdef(`targeted_policy',`
@@ -365,7 +1271,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.3.14/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/apache.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/apache.fc 2006-09-19 10:47:17.000000000 -0400
@@ -80,3 +80,12 @@
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -381,8 +1287,27 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.14/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/apache.te 2006-09-15 13:59:07.000000000 -0400
-@@ -712,4 +712,5 @@
++++ serefpolicy-2.3.14/policy/modules/services/apache.te 2006-09-19 10:47:17.000000000 -0400
+@@ -514,6 +514,7 @@
+ allow httpd_suexec_t self:capability { setuid setgid };
+ allow httpd_suexec_t self:process signal_perms;
+ allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
++allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
+
+ ifdef(`targeted_policy',`
+ gen_tunable(httpd_suexec_disable_trans,false)
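Review bot: the new `allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;` has no comment explaining why suexec needs to read routing information; other additions in this patch cite a Bugzilla number, and this one should too so the rule can be revisited if the underlying need goes away.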
+@@ -688,6 +689,10 @@
+ ')
+
+ optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
++')
++
++optional_policy(`
+ nscd_socket_use(httpd_unconfined_script_t)
+ ')
+
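Review bot: snmp_dontaudit_read_snmp_var_lib_files(httpd_t) is correctly placed in its own optional_policy block, since the interface only exists when the snmp module (extended further down in this patch) is loaded; before merging, confirm that the denial it silences is really a spurious probe and not httpd content that legitimately reads snmpd state, because a dontaudit makes a genuinely missing permission invisible in the audit log.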
+@@ -712,4 +717,5 @@
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
@@ -390,7 +1315,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.14/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/automount.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/automount.te 2006-09-19 10:47:17.000000000 -0400
@@ -74,6 +74,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -401,7 +1326,7 @@
fs_unmount_all_fs(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-2.3.14/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/bluetooth.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/bluetooth.fc 2006-09-19 10:47:17.000000000 -0400
@@ -7,7 +7,7 @@
#
# /usr
@@ -421,7 +1346,7 @@
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.14/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/bluetooth.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/bluetooth.te 2006-09-19 10:47:17.000000000 -0400
@@ -217,14 +217,18 @@
fs_rw_tmpfs_files(bluetooth_helper_t)
@@ -453,7 +1378,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.3.14/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/ccs.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ccs.fc 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,8 @@
+# ccs executable will have:
+# label: system_u:object_r:ccs_exec_t
@@ -465,7 +1390,7 @@
+/etc/cluster(/.*)? gen_context(system_u:object_r:cluster_conf_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.3.14/policy/modules/services/ccs.if
--- nsaserefpolicy/policy/modules/services/ccs.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/ccs.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ccs.if 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,65 @@
+## <summary>policy for ccs</summary>
+
@@ -534,7 +1459,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.3.14/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/ccs.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ccs.te 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,87 @@
+policy_module(ccs,1.0.0)
+
@@ -625,7 +1550,7 @@
+allow ccs_t cluster_conf_t:file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.3.14/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/clamav.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/clamav.te 2006-09-19 10:47:17.000000000 -0400
@@ -121,6 +121,7 @@
cron_rw_pipes(clamd_t)
@@ -636,7 +1561,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.14/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/cups.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/cups.te 2006-09-19 10:47:17.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(cups,1.3.13)
@@ -705,7 +1630,7 @@
allow hplip_t self:process signal_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.14/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/dbus.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/dbus.if 2006-09-19 10:47:17.000000000 -0400
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -716,7 +1641,7 @@
corecmd_read_bin_files($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.3.14/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/dhcp.te 2006-09-15 16:12:57.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/dhcp.te 2006-09-19 10:47:17.000000000 -0400
@@ -138,3 +138,10 @@
optional_policy(`
udev_read_db(dhcpd_t)
@@ -728,9 +1653,26 @@
+ dbus_send_system_bus(dhcpd_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.3.14/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2006-09-15 13:14:25.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/kerberos.if 2006-09-19 10:50:38.000000000 -0400
+@@ -34,11 +34,13 @@
+ interface(`kerberos_use',`
+ gen_require(`
+ type krb5_conf_t;
++ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_conf_t:file { getattr read };
+ dontaudit $1 krb5_conf_t:file write;
++ dontaudit $1 krb5kdc_conf_t:dir r_dir_perms;
+
+ tunable_policy(`allow_kerberos',`
+ allow $1 self:tcp_socket create_socket_perms;
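Review bot: the added `dontaudit $1 krb5kdc_conf_t:dir r_dir_perms;` applies to every caller of kerberos_use(), so any domain that merely uses Kerberos will have its search and read attempts on the KDC configuration directory silenced; that is acceptable for directory access, and it is right that file-level access to krb5kdc_conf_t stays audited, but the interface summary above this hunk should mention the new dontaudit so callers know what they are getting.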
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.3.14/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/lpd.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/lpd.fc 2006-09-19 10:47:17.000000000 -0400
@@ -9,6 +9,7 @@
/usr/sbin/checkpc -- gen_context(system_u:object_r:checkpc_exec_t,s0)
/usr/sbin/lpd -- gen_context(system_u:object_r:lpd_exec_t,s0)
@@ -741,7 +1683,7 @@
/usr/bin/lprm(\.cups)? -- gen_context(system_u:object_r:lpr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.3.14/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/networkmanager.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/networkmanager.fc 2006-09-19 10:47:17.000000000 -0400
@@ -3,3 +3,4 @@
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@@ -749,7 +1691,7 @@
+/var/run/wpa_supplicant-global -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.14/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/networkmanager.te 2006-09-16 07:26:22.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/networkmanager.te 2006-09-19 10:47:17.000000000 -0400
@@ -21,7 +21,7 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -769,7 +1711,7 @@
files_read_etc_runtime_files(NetworkManager_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.3.14/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/ntp.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ntp.te 2006-09-19 10:47:17.000000000 -0400
@@ -122,6 +122,9 @@
term_dontaudit_use_unallocated_ttys(ntpd_t)
term_dontaudit_use_generic_ptys(ntpd_t)
@@ -782,7 +1724,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.14/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/oddjob.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/oddjob.fc 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,8 @@
+# oddjob executable will have:
+# label: system_u:object_r:oddjob_exec_t
@@ -794,7 +1736,7 @@
+/usr/lib/oddjobd gen_context(system_u:object_r:oddjob_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-2.3.14/policy/modules/services/oddjob.if
--- nsaserefpolicy/policy/modules/services/oddjob.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/oddjob.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/oddjob.if 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,76 @@
+## <summary>policy for oddjob</summary>
+
@@ -874,7 +1816,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.fc
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.fc 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,6 @@
+# oddjob_mkhomedir executable will have:
+# label: system_u:object_r:oddjob_mkhomedir_exec_t
@@ -884,7 +1826,7 @@
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.if
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.if 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,24 @@
+## <summary>policy for oddjob_mkhomedir</summary>
+
@@ -912,7 +1854,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.te
--- nsaserefpolicy/policy/modules/services/oddjob_mkhomedir.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/oddjob_mkhomedir.te 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,29 @@
+policy_module(oddjob_mkhomedir,1.0.0)
+
@@ -945,7 +1887,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.3.14/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/oddjob.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/oddjob.te 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,73 @@
+policy_module(oddjob,1.0.0)
+
@@ -1022,7 +1964,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.14/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/pegasus.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/pegasus.if 2006-09-19 10:47:17.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -1058,7 +2000,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.14/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-08-23 12:14:54.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/pegasus.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/pegasus.te 2006-09-19 10:47:17.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -1077,7 +2019,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.14/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-08-29 09:00:28.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/postfix.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/postfix.te 2006-09-19 10:47:17.000000000 -0400
@@ -171,6 +171,11 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -1100,7 +2042,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-2.3.14/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/ppp.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ppp.fc 2006-09-19 10:47:17.000000000 -0400
@@ -2,7 +2,8 @@
# /etc
#
@@ -1121,7 +2063,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.3.14/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/ppp.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ppp.te 2006-09-19 10:47:17.000000000 -0400
@@ -64,7 +64,7 @@
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
@@ -1159,7 +2101,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.3.14/policy/modules/services/ricci.fc
--- nsaserefpolicy/policy/modules/services/ricci.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/ricci.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ricci.fc 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,20 @@
+# ricci executable will have:
+# label: system_u:object_r:ricci_exec_t
@@ -1183,7 +2125,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.3.14/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/ricci.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ricci.if 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,184 @@
+## <summary>policy for ricci</summary>
+
@@ -1371,7 +2313,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.3.14/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.14/policy/modules/services/ricci.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/ricci.te 2006-09-19 10:47:17.000000000 -0400
@@ -0,0 +1,386 @@
+policy_module(ricci,1.0.0)
+
@@ -1761,7 +2703,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.3.14/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/rpc.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/rpc.te 2006-09-19 10:47:17.000000000 -0400
@@ -53,6 +53,7 @@
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
@@ -1770,7 +2712,15 @@
term_use_controlling_term(rpcd_t)
# cjp: this should really have its own type
-@@ -130,6 +131,7 @@
+@@ -84,6 +85,7 @@
+ fs_search_nfsd_fs(nfsd_t)
+ fs_getattr_all_fs(nfsd_t)
+ fs_rw_nfsd_fs(nfsd_t)
++fs_rw_rpc_named_pipes(nfsd_t)
+
+ term_use_controlling_term(nfsd_t)
+
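Review bot: fs_rw_rpc_named_pipes(nfsd_t) is added without a comment; the gssd_t rules in the next hunk follow the same pattern, so a short note on which nfsd/rpc_pipefs interaction triggered it, or a bug reference, would help later review.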
+@@ -130,6 +132,7 @@
fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -1780,7 +2730,7 @@
files_read_generic_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.14/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2006-09-06 13:04:51.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/setroubleshoot.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/setroubleshoot.te 2006-09-19 10:47:17.000000000 -0400
@@ -55,6 +55,8 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
@@ -1806,9 +2756,35 @@
+optional_policy(`
+ nis_use_ypbind(setroubleshootd_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-2.3.14/policy/modules/services/snmp.if
+--- nsaserefpolicy/policy/modules/services/snmp.if 2006-08-16 08:46:30.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/snmp.if 2006-09-19 10:47:17.000000000 -0400
+@@ -46,3 +46,22 @@
+ allow $1 snmpd_var_lib_t:file r_file_perms;
+ allow $1 snmpd_var_lib_t:lnk_file { getattr read };
+ ')
++
++########################################
++## <summary>
++## dontaudit Read snmpd libraries.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`snmp_dontaudit_read_snmp_var_lib_files',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++ dontaudit $1 snmpd_var_lib_t:dir r_dir_perms;
++ dontaudit $1 snmpd_var_lib_t:file r_file_perms;
++ dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
++')
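Review bot: the summary of snmp_dontaudit_read_snmp_var_lib_files reads "dontaudit Read snmpd libraries", which describes neither what the interface does (it silences read attempts on snmpd_var_lib_t, snmpd's var_lib state, not libraries) nor follows the refpolicy phrasing "Do not audit attempts to read ..."; suggest rewording the summary accordingly. Also leave a blank line after the closing `')` of gen_require before the dontaudit rules, as the interface above it does.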
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.3.14/policy/modules/services/xfs.te
--- nsaserefpolicy/policy/modules/services/xfs.te 2006-08-23 12:14:54.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/xfs.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/xfs.te 2006-09-19 10:47:17.000000000 -0400
@@ -21,7 +21,7 @@
# Local policy
#
@@ -1820,7 +2796,7 @@
allow xfs_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.14/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/services/xserver.if 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/services/xserver.if 2006-09-19 10:47:17.000000000 -0400
@@ -1152,3 +1152,27 @@
allow $1 xdm_xserver_tmp_t:sock_file write;
allow $1 xdm_xserver_t:unix_stream_socket connectto;
@@ -1849,9 +2825,35 @@
+')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.3.14/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-09-06 13:04:51.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/authlogin.te 2006-09-19 10:47:17.000000000 -0400
+@@ -203,6 +203,7 @@
+ files_read_etc_files(pam_console_t)
+ files_search_pids(pam_console_t)
+ files_list_mnt(pam_console_t)
++fs_list_auto_mountpoints(pam_console_t)
+ # read /etc/mtab
+ files_read_etc_runtime_files(pam_console_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.3.14/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te 2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/fstools.te 2006-09-19 10:47:17.000000000 -0400
+@@ -112,7 +112,11 @@
+ corecmd_list_sbin(fsadm_t)
+ corecmd_read_bin_symlinks(fsadm_t)
+ corecmd_read_sbin_symlinks(fsadm_t)
++#Bugzilla 201164
++corecmd_exec_shell(fsadm_t)
++
+ # cjp: these are probably not needed:
++
+ corecmd_read_bin_files(fsadm_t)
+ corecmd_read_bin_pipes(fsadm_t)
+ corecmd_read_bin_sockets(fsadm_t)
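Review bot: the second inserted blank line (after `# cjp: these are probably not needed:`) detaches that comment from the three corecmd_read_bin_* rules it refers to; drop it so the comment stays attached. The `#Bugzilla 201164` marker is good to have, but since corecmd_exec_shell is a broad permission for a filesystem-tool domain it would read better as `# Bugzilla 201164: <what fsadm needs a shell for>`.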
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.14/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/hostname.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/hostname.te 2006-09-19 10:47:17.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -1866,7 +2868,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.14/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-09-15 13:14:26.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/init.te 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/init.te 2006-09-19 10:47:17.000000000 -0400
@@ -361,7 +361,8 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -1879,7 +2881,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.3.14/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/libraries.fc 2006-09-15 13:59:07.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/libraries.fc 2006-09-19 10:47:17.000000000 -0400
@@ -128,6 +128,7 @@
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1888,7 +2890,17 @@
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -263,6 +264,7 @@
+@@ -140,8 +141,7 @@
+
+ /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+ /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib/libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
++/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
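Review bot: the new libfame pattern keeps `\.so.*`, whereas the other textrel_shlib_t lines in this hunk's context use `\.so(\.[^/]*)*` (libGLU, libnvidia); `.so.*` also matches `/`, so it can label files under a directory whose name ends in `.so`. Suggest `/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so(\.[^/]*)*`. The removed blank line before /usr/NX is harmless but unrelated to the fix.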
+@@ -263,6 +263,7 @@
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -1896,9 +2908,55 @@
/usr/local/matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.3.14/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2006-09-01 14:10:18.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/logging.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -1,7 +1,7 @@
+
+ /dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+
+-/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c255)
++/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,s15:c0.c1023)
+
+ /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+@@ -24,11 +24,11 @@
+ /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+-/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c255)
++/var/log -d gen_context(system_u:object_r:var_log_t,s0-s15:c0.c1023)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
++/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c1023)
+
+-/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
++/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c1023)
+
+ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+ /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
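Review bot: /etc/audit, /var/log/audit\.log and /var/log/audit live on persistent filesystems, so on an upgraded machine they keep their old s15:c0.c255 label until something relabels them, unlike the /dev entries earlier in this patch, which udev recreates at boot. The spec file's %post (selinux-policy.spec is in this commit) should run restorecon on these paths or schedule a full relabel, otherwise the auditd files stay at the old category range. /var/log/.* staying at s0 while the /var/log directory gets s0-s15:c0.c1023 matches the previous layout.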
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.3.14/policy/modules/system/selinuxutil.fc
+--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/selinuxutil.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -6,12 +6,12 @@
+ /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+ /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
+-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
+-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c1023)
++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c1023)
+ /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+ /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+-/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c1023)
+
+ #
+ # /root
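Review bot: the changed `/etc/selinux/([^/]*/)?users(/.*)? --` line combines a recursive `(/.*)?` pattern with the `--` regular-file type, so the `users` directory itself is not matched by it and falls back to the `/etc/selinux(/.*)?` entry at `s0`; only the files inside end up at `s15:c0.c1023`. If the whole `users` tree is meant to be SystemHigh, drop the `--`, as the `policy(/.*)?` line two lines up already does.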
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.14/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-09-05 07:41:01.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/selinuxutil.te 2006-09-15 16:09:38.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/selinuxutil.te 2006-09-19 10:47:17.000000000 -0400
@@ -450,6 +450,7 @@
selinux_compute_user_contexts(restorecond_t)
@@ -1919,9 +2977,17 @@
########################################
#
# Setfiles local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-2.3.14/policy/modules/system/setrans.fc
+--- nsaserefpolicy/policy/modules/system/setrans.fc 2006-07-14 17:04:44.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/setrans.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -1,3 +1,3 @@
+ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
+-/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
++/var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c1023)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.3.14/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te 2006-09-01 14:10:18.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/setrans.te 2006-09-15 13:59:08.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/setrans.te 2006-09-19 10:47:17.000000000 -0400
@@ -43,6 +43,7 @@
# allow performing getpidcon() on all processes
@@ -1930,9 +2996,32 @@
domain_getattr_all_domains(setrans_t)
domain_getsession_all_domains(setrans_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.3.14/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-08-29 09:00:29.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/unconfined.te 2006-09-19 10:47:17.000000000 -0400
+@@ -34,6 +34,8 @@
+ dontaudit unconfined_t self:capability sys_module;
+
+ domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
++ domain_read_all_domains_state(unconfined_t)
++ domain_ptrace_all_domains(unconfined_t)
+
+ files_create_boot_flag(unconfined_t)
+
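Review bot: `domain_ptrace_all_domains(unconfined_t)` together with `domain_read_all_domains_state(unconfined_t)` lets every unconfined process trace and read the state of every confined domain, which is a broad widening that the changelog covers only as "Multiple policy fixes". Please record which bug motivates it (a tool running in unconfined_t that needs to inspect confined processes?) and consider putting the ptrace half behind a boolean; the hunk's own `dontaudit unconfined_t self:capability sys_module;` context shows the module deliberately keeps some privileges off unconfined_t by default.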
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.3.14/policy/modules/system/userdomain.fc
+--- nsaserefpolicy/policy/modules/system/userdomain.fc 2006-07-14 17:04:44.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/userdomain.fc 2006-09-19 10:47:17.000000000 -0400
+@@ -4,6 +4,6 @@
+ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
+ HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+ ',`
+-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
++HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c1023)
+ HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.14/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-09-15 13:14:26.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/userdomain.if 2006-09-15 16:02:22.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/userdomain.if 2006-09-19 10:47:17.000000000 -0400
@@ -5314,3 +5314,5 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
@@ -1941,7 +3030,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.3.14/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/xen.fc 2006-09-15 13:59:08.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/xen.fc 2006-09-19 10:47:17.000000000 -0400
@@ -7,6 +7,7 @@
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
@@ -1952,7 +3041,7 @@
/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.14/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-09-06 13:04:51.000000000 -0400
-+++ serefpolicy-2.3.14/policy/modules/system/xen.te 2006-09-15 13:59:08.000000000 -0400
++++ serefpolicy-2.3.14/policy/modules/system/xen.te 2006-09-19 10:47:17.000000000 -0400
@@ -68,7 +68,7 @@
# xend local policy
#
@@ -1962,9 +3051,51 @@
dontaudit xend_t self:capability { sys_ptrace };
allow xend_t self:process { signal sigkill };
dontaudit xend_t self:process ptrace;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.3.14/policy/users
+--- nsaserefpolicy/policy/users 2006-07-14 17:04:46.000000000 -0400
++++ serefpolicy-2.3.14/policy/users 2006-09-19 10:47:17.000000000 -0400
+@@ -16,7 +16,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
++gen_user(system_u,, system_r, s0, s0 - s15:c0.c1023, c0.c1023)
+
+ #
+ # user_u is a generic user identity for Linux users who have no
+@@ -26,11 +26,11 @@
+ # permit any access to such users, then remove this entry.
+ #
+ ifdef(`targeted_policy',`
+-gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
++gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c1023, c0.c1023)
+ ',`
+ gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
++gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c1023, c0.c1023)
++gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c1023, c0.c1023)
+ ')
+
+ #
+@@ -41,11 +41,11 @@
+ # not in the sysadm_r.
+ #
+ ifdef(`targeted_policy',`
+- gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
++ gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c1023, c0.c1023)
+ ',`
+ ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
++ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c1023, c0.c1023)
+ ',`
+- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
++ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c1023, c0.c1023)
+ ')
+ ')
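Review bot: the five `gen_user` lines in this file now carry `s0 - s15:c0.c1023, c0.c1023` as a repeated literal, so a future category change must touch each of them in step with the file contexts; one macro for the high level would remove that. Also worth confirming that the strict/MLS branch's `gen_user(user_u, user, user_r, s0, s0)` is meant to stay as is: it keeps a default MLS user at `s0`, which matches the untouched `__default__:user_u:s0` lines in the seusers files in this commit.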
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.3.14/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-09-15 13:14:28.000000000 -0400
-+++ serefpolicy-2.3.14/Rules.modular 2006-09-15 13:59:08.000000000 -0400
++++ serefpolicy-2.3.14/Rules.modular 2006-09-19 10:47:17.000000000 -0400
@@ -212,6 +212,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.285
retrieving revision 1.286
diff -u -r1.285 -r1.286
--- selinux-policy.spec 16 Sep 2006 12:06:36 -0000 1.285
+++ selinux-policy.spec 19 Sep 2006 14:59:46 -0000 1.286
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.3.14
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -348,6 +348,10 @@
%endif
%changelog
+* Mon Sep 18 2006 Dan Walsh <dwalsh at redhat.com> 2.3.14-4
+- Multiple policy fixes
+- Change max categories to 1023
+
* Sat Sep 16 2006 Dan Walsh <dwalsh at redhat.com> 2.3.14-3
- Fix transition on mcstransd
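Review bot: the changelog entry "Multiple policy fixes" does not say which fixes, while this release also grants `domain_ptrace_all_domains` to unconfined_t and moves the audit, policy and seusers files to SystemHigh; list those in the entry so the behaviour change is visible to anyone reading the package history.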
Index: setrans-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/setrans-mls.conf,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- setrans-mls.conf 8 Dec 2005 20:33:17 -0000 1.2
+++ setrans-mls.conf 19 Sep 2006 14:59:46 -0000 1.3
@@ -4,7 +4,7 @@
# Uncomment the following to disable translation libary
# disable=1
#
-# Objects can be labeled with one of 16 levels and be categorized with 0-256
+# Objects can be labeled with one of 16 levels and be categorized with 0-1023
# categories defined by the admin.
# Objects can be in more than one category at a time.
# Users can modify this table to translate the MLS labels for different purpose.
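Review bot: the new comment "categorized with 0-1023 categories" is off by one: the `c0.c1023` range used below spans 1024 categories numbered 0 through 1023 (the old text had the same problem with 256 versus `c0.c255`). Suggest "with up to 1024 categories (c0 to c1023)". While here, the context line above reads "translation libary" for "library".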
@@ -17,8 +17,8 @@
#
# SystemLow and SystemHigh
s0=SystemLow
-s15:c0.c255=SystemHigh
-s0-s15:c0.c255=SystemLow-SystemHigh
+s15:c0.c1023=SystemHigh
+s0-s15:c0.c1023=SystemLow-SystemHigh
# Unclassified level
s1=Unclassified
@@ -31,7 +31,7 @@
# ranges for Unclassified
s0-s1=SystemLow-Unclassified
s1-s2=Unclassified-Secret
-s1-s15:c0.c255=Unclassified-SystemHigh
+s1-s15:c0.c1023=Unclassified-SystemHigh
# ranges for Secret with compartments
s0-s2=SystemLow-Secret
@@ -44,9 +44,9 @@
s2-s2:c0=Secret-Secret:A
s2-s2:c1=Secret-Secret:B
s2-s2:c0,c1=Secret-Secret:AB
-s2-s15:c0.c255=Secret-SystemHigh
+s2-s15:c0.c1023=Secret-SystemHigh
s2:c0-s2:c0,c1=Secret:A-Secret:AB
-s2:c0-s15:c0.c255=Secret:A-SystemHigh
+s2:c0-s15:c0.c1023=Secret:A-SystemHigh
s2:c1-s2:c0,c1=Secret:B-Secret:AB
-s2:c1-s15:c0.c255=Secret:B-SystemHigh
-s2:c0,c1-s15:c0.c255=Secret:AB-SystemHigh
+s2:c1-s15:c0.c1023=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
Index: setrans-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/setrans-strict.conf,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- setrans-strict.conf 24 Jan 2006 15:41:46 -0000 1.1
+++ setrans-strict.conf 19 Sep 2006 14:59:46 -0000 1.2
@@ -4,9 +4,9 @@
# Uncomment the following to disable translation libary
# disable=1
#
-# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c255. Users can use this
+# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
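Review bot: "Objects can be categorized with 0-1023 categories" and "stored in the system as c0-c1023" describe 1024 categories, not 1023 (the same slip is in the setrans-mls.conf comment above); "up to 1024 categories, stored as c0 to c1023" would be accurate. The identical hunk is applied to setrans-targeted.conf and setrans.conf below, so these three files would be easier to keep in sync if generated from one source rather than patched three times.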
@@ -15,5 +15,5 @@
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=
-s0-s0:c0.c255=SystemLow-SystemHigh
-s0:c0.c255=SystemHigh
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
Index: setrans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/setrans-targeted.conf,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- setrans-targeted.conf 21 Nov 2005 21:43:55 -0000 1.1
+++ setrans-targeted.conf 19 Sep 2006 14:59:46 -0000 1.2
@@ -4,9 +4,9 @@
# Uncomment the following to disable translation libary
# disable=1
#
-# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c255. Users can use this
+# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
@@ -15,5 +15,5 @@
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=
-s0-s0:c0.c255=SystemLow-SystemHigh
-s0:c0.c255=SystemHigh
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
Index: setrans.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/setrans.conf,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- setrans.conf 14 Nov 2005 23:22:29 -0000 1.1
+++ setrans.conf 19 Sep 2006 14:59:46 -0000 1.2
@@ -4,9 +4,9 @@
# Uncomment the following to disable translation libary
# disable=1
#
-# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be categorized with 0-1023 categories defined by the admin.
# Objects can be in more than one category at a time.
-# Categories are stored in the system as c0-c255. Users can use this
+# Categories are stored in the system as c0-c1023. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
@@ -15,5 +15,5 @@
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
s0=
-s0-s0:c0.c255=SystemLow-SystemHigh
-s0:c0.c255=SystemHigh
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
Index: seusers
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/seusers,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- seusers 14 Nov 2005 23:22:29 -0000 1.1
+++ seusers 19 Sep 2006 14:59:46 -0000 1.2
@@ -1,2 +1,2 @@
-root:root:s0-s0:c0.c255
+root:root:s0-s0:c0.c1023
__default__:user_u:s0
Index: seusers-mls
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/seusers-mls,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- seusers-mls 9 Feb 2006 12:26:53 -0000 1.3
+++ seusers-mls 19 Sep 2006 14:59:46 -0000 1.4
@@ -1,3 +1,3 @@
-system_u:system_u:s0-s15:c0.c255
-root:root:s0-s15:c0.c255
+system_u:system_u:s0-s15:c0.c1023
+root:root:s0-s15:c0.c1023
__default__:user_u:s0
Index: seusers-strict
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/seusers-strict,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- seusers-strict 9 Feb 2006 12:26:53 -0000 1.2
+++ seusers-strict 19 Sep 2006 14:59:46 -0000 1.3
@@ -1,3 +1,3 @@
-system_u:system_u:s0-s0:c0.c255
-root:root:s0-s0:c0.c255
+system_u:system_u:s0-s0:c0.c1023
+root:root:s0-s0:c0.c1023
__default__:user_u:s0
Index: seusers-targeted
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/seusers-targeted,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- seusers-targeted 21 Nov 2005 21:43:55 -0000 1.1
+++ seusers-targeted 19 Sep 2006 14:59:46 -0000 1.2
@@ -1,2 +1,2 @@
-root:root:s0-s0:c0.c255
+root:root:s0-s0:c0.c1023
__default__:user_u:s0
--- file_contexts.patch DELETED ---