rpms/selinux-policy/devel policy-20070102.patch, 1.18, 1.19 selinux-policy.spec, 1.390, 1.391
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Feb 6 16:54:15 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv16289
Modified Files:
policy-20070102.patch selinux-policy.spec
Log Message:
* Mon Feb 5 2007 Dan Walsh <dwalsh at redhat.com> 2.5.2-6
- Allow mozilla, evolution and thunderbird to read dev_random.
Resolves: #227002
- Allow spamd to connect to smtp port
Resolves: #227184
- Fixes to make ypxfr work
Resolves: #227237
policy-20070102.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/httpd_selinux.8 | 88 ++--
man/man8/kerberos_selinux.8 | 24 -
man/man8/named_selinux.8 | 21 -
man/man8/rsync_selinux.8 | 19 -
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 128 ++++--
policy/mls | 31 +
policy/modules/admin/acct.te | 2
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 5
policy/modules/admin/consoletype.te | 13
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 5
policy/modules/admin/netutils.te | 1
policy/modules/admin/prelink.te | 7
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 18
policy/modules/admin/su.if | 28 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 11
policy/modules/admin/usermanage.te | 23 +
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.if | 4
policy/modules/apps/evolution.if | 136 ++++++-
policy/modules/apps/games.if | 4
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 98 +++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.if | 33 +
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 44 --
policy/modules/apps/loadkeys.te | 13
policy/modules/apps/mozilla.if | 255 +++++++++++--
policy/modules/apps/mplayer.if | 83 ++++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.if | 20 +
policy/modules/apps/slocate.te | 3
policy/modules/apps/thunderbird.if | 113 +++++
policy/modules/apps/tvtime.if | 3
policy/modules/apps/uml.if | 5
policy/modules/apps/userhelper.if | 19 -
policy/modules/apps/vmware.if | 4
policy/modules/apps/webalizer.te | 1
policy/modules/apps/wine.fc | 1
policy/modules/kernel/corecommands.fc | 10
policy/modules/kernel/corecommands.if | 72 +++
policy/modules/kernel/corenetwork.if.in | 81 ++++
policy/modules/kernel/corenetwork.te.in | 16
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 2
policy/modules/kernel/devices.if | 18
policy/modules/kernel/devices.te | 1
policy/modules/kernel/domain.if | 56 ++
policy/modules/kernel/domain.te | 22 +
policy/modules/kernel/files.if | 198 ++++++++++
policy/modules/kernel/filesystem.if | 41 ++
policy/modules/kernel/filesystem.te | 3
policy/modules/kernel/kernel.if | 64 +++
policy/modules/kernel/kernel.te | 6
policy/modules/kernel/mls.if | 20 +
policy/modules/kernel/mls.te | 3
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 20 +
policy/modules/kernel/terminal.te | 5
policy/modules/services/apache.fc | 15
policy/modules/services/apache.if | 139 +++++++
policy/modules/services/apache.te | 12
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 10
policy/modules/services/bind.te | 2
policy/modules/services/bluetooth.te | 4
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 19 -
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 86 ++--
policy/modules/services/cron.te | 44 ++
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 64 +++
policy/modules/services/dbus.te | 1
policy/modules/services/dhcp.te | 2
policy/modules/services/dovecot.te | 1
policy/modules/services/ftp.if | 4
policy/modules/services/ftp.te | 14
policy/modules/services/gpm.te | 1
policy/modules/services/hal.if | 38 ++
policy/modules/services/hal.te | 4
policy/modules/services/inetd.te | 31 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 2
policy/modules/services/kerberos.te | 5
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 52 +-
policy/modules/services/mta.if | 9
policy/modules/services/mta.te | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 2
policy/modules/services/nis.if | 5
policy/modules/services/nis.te | 24 +
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 16
policy/modules/services/ntp.te | 1
policy/modules/services/openvpn.te | 4
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 58 +++
policy/modules/services/pcscd.te | 78 ++++
policy/modules/services/pegasus.if | 27 +
policy/modules/services/pegasus.te | 5
policy/modules/services/portmap.te | 1
policy/modules/services/postfix.fc | 1
policy/modules/services/postfix.te | 4
policy/modules/services/procmail.te | 4
policy/modules/services/pyzor.if | 4
policy/modules/services/pyzor.te | 4
policy/modules/services/radvd.te | 2
policy/modules/services/razor.if | 9
policy/modules/services/razor.te | 2
policy/modules/services/rdisc.te | 1
policy/modules/services/rhgb.if | 76 ++++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 26 +
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.te | 29 +
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 1
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.if | 20 +
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 2
policy/modules/services/spamassassin.fc | 1
policy/modules/services/spamassassin.if | 28 +
policy/modules/services/spamassassin.te | 18
policy/modules/services/squid.fc | 1
policy/modules/services/squid.if | 2
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 79 +++-
policy/modules/services/ssh.te | 161 ++++----
policy/modules/services/uucp.te | 2
policy/modules/services/xfs.te | 1
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 153 +++++++-
policy/modules/services/xserver.te | 20 -
policy/modules/system/authlogin.if | 91 ++++
policy/modules/system/authlogin.te | 3
policy/modules/system/clock.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 6
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 14
policy/modules/system/hotplug.te | 1
policy/modules/system/init.if | 23 +
policy/modules/system/init.te | 37 +
policy/modules/system/ipsec.fc | 6
policy/modules/system/ipsec.if | 100 +++++
policy/modules/system/ipsec.te | 105 +++++
policy/modules/system/iptables.te | 10
policy/modules/system/libraries.fc | 5
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 18
policy/modules/system/lvm.if | 23 +
policy/modules/system/lvm.te | 40 +-
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 79 ++++
policy/modules/system/modutils.te | 14
policy/modules/system/mount.te | 10
policy/modules/system/raid.te | 4
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 115 ++++++
policy/modules/system/selinuxutil.te | 140 ++-----
policy/modules/system/setrans.te | 1
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 19 +
policy/modules/system/tzdata.te | 41 ++
policy/modules/system/unconfined.fc | 2
policy/modules/system/unconfined.if | 2
policy/modules/system/unconfined.te | 20 +
policy/modules/system/userdomain.fc | 7
policy/modules/system/userdomain.if | 567 ++++++++++++++++++++++++------
policy/modules/system/userdomain.te | 44 +-
policy/modules/system/xen.te | 26 +
policy/support/obj_perm_sets.spt | 2
201 files changed, 4382 insertions(+), 785 deletions(-)
Index: policy-20070102.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070102.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- policy-20070102.patch 4 Feb 2007 12:42:16 -0000 1.18
+++ policy-20070102.patch 6 Feb 2007 16:54:13 -0000 1.19
@@ -652,7 +652,7 @@
mlsconstrain association { polmatch }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.5.2/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/admin/acct.te 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/admin/acct.te 2007-02-06 11:39:20.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
@@ -661,6 +661,14 @@
type acct_data_t;
logging_log_file(acct_data_t)
+@@ -73,6 +74,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(acct_t)
+ term_dontaudit_use_generic_ptys(acct_t)
++ term_dontaudit_use_all_user_ptys(acct_t)
+ files_dontaudit_read_root_files(acct_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.5.2/policy/modules/admin/bootloader.fc
--- nsaserefpolicy/policy/modules/admin/bootloader.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/admin/bootloader.fc 2007-01-25 09:00:58.000000000 -0500
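Review bot: The added `term_dontaudit_use_all_user_ptys(acct_t)` line carries no comment saying which denial it is silencing, and the same uncommented line is added for httpd_t, automount_t, named_t, ndc_t, bluetooth_t, cupsd_t, system_dbusd_t, dovecot_t, ftpd_t, gpm_t and hald_t in the later hunks of this commit. A dontaudit grants nothing; it only drops the AVC record, so a daemon that later does try to use an administrator's terminal is still blocked but the attempt never reaches the audit log, which is worth stating once so nobody later "fixes" a silent denial by widening it to an allow. Presumably these are the usual denials from a daemon inheriting the pty of whoever ran its init script; if that is the cause, a one-line comment above the rule records it: `# dontaudit only: daemon inherits the pty of the user who ran the init script`. Note that the ndc_t copy in bind.te sits next to `term_use_unallocated_ttys`/`term_use_generic_ptys` allow rules rather than inside a targeted_policy dontaudit block, so it is the one place where the pattern differs and deserves its own comment.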
@@ -1201,7 +1209,7 @@
# Declarations
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.5.2/policy/modules/apps/evolution.if
--- nsaserefpolicy/policy/modules/apps/evolution.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/apps/evolution.if 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/apps/evolution.if 2007-02-05 15:26:51.000000000 -0500
@@ -53,7 +53,7 @@
userdom_user_home_content($1,$1_evolution_home_t)
@@ -1267,7 +1275,15 @@
#FIXME check to see if really needed
kernel_read_kernel_sysctls($1_evolution_t)
kernel_read_system_state($1_evolution_t)
-@@ -238,6 +244,7 @@
+@@ -214,6 +220,7 @@
+ corenet_udp_bind_generic_port($1_evolution_t)
+
+ dev_read_urand($1_evolution_t)
++ dev_read_rand($1_evolution_t)
+
+ files_read_etc_files($1_evolution_t)
+ files_read_usr_files($1_evolution_t)
+@@ -238,6 +245,7 @@
userdom_manage_user_tmp_dirs($1,$1_evolution_t)
userdom_manage_user_tmp_sockets($1,$1_evolution_t)
userdom_manage_user_tmp_files($1,$1_evolution_t)
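Review bot: The added `dev_read_rand($1_evolution_t)` has no comment tying it to the bug it resolves, and the identical uncommented line is added for $1_mozilla_t and $1_thunderbird_t later in this commit. /dev/random is the blocking pool and on kernels of this vintage its reads consume entropy shared with every other consumer on the host, so a reader of this interface cannot tell whether the application really opens /dev/random or whether the existing `dev_read_urand` on the line above would have sufficed. Keeping the bugzilla reference on the rule preserves that trail for whoever revisits it: `# Resolves #227002: application also opens /dev/random`.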
@@ -1275,7 +1291,7 @@
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
-@@ -246,6 +253,7 @@
+@@ -246,6 +254,7 @@
mta_read_config($1_evolution_t)
xserver_user_client_template($1,$1_evolution_t,$1_evolution_tmpfs_t)
@@ -1283,7 +1299,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($1_evolution_t)
-@@ -367,7 +375,10 @@
+@@ -367,7 +376,10 @@
tunable_policy(`write_untrusted_content',`
files_search_home($1_evolution_t)
@@ -1295,7 +1311,7 @@
',`
files_dontaudit_list_home($1_evolution_t)
files_dontaudit_list_tmp($1_evolution_t)
-@@ -410,7 +421,11 @@
+@@ -410,7 +422,11 @@
')
optional_policy(`
@@ -1308,7 +1324,7 @@
')
### Junk mail filtering (start spamd)
-@@ -425,10 +440,13 @@
+@@ -425,10 +441,13 @@
spamassassin_dontaudit_getattr_spamd_tmp_sockets($1_evolution_t)
')
@@ -1325,7 +1341,7 @@
# Gnome common stuff
gnome_application($1_evolution, $1)
-@@ -450,12 +468,6 @@
+@@ -450,12 +469,6 @@
ifdef(`TODO',`
gnome_file_dialog($1_evolution, $1)
')
@@ -1338,7 +1354,7 @@
')
########################################
-@@ -463,7 +475,8 @@
+@@ -463,7 +476,8 @@
# Evolution alarm local policy
#
@@ -1348,7 +1364,7 @@
allow $1_evolution_alarm_t $1_evolution_t:unix_stream_socket connectto;
allow $1_evolution_alarm_t $1_evolution_orbit_tmp_t:sock_file write;
-@@ -489,6 +502,14 @@
+@@ -489,6 +503,14 @@
domain_auto_trans($2, evolution_alarm_exec_t, $1_evolution_alarm_t)
allow $1_evolution_alarm_t $2:fd use;
@@ -1363,7 +1379,7 @@
fs_search_auto_mountpoints($1_evolution_alarm_t)
miscfiles_read_localization($1_evolution_alarm_t)
-@@ -512,9 +533,18 @@
+@@ -512,9 +534,18 @@
')
optional_policy(`
@@ -1382,7 +1398,7 @@
ifdef(`TODO',`
# Gnome common stuff
gnome_application($1_evolution_alarm,$1)
-@@ -525,6 +555,9 @@
+@@ -525,6 +556,9 @@
# Evolution exchange connector local policy
#
@@ -1392,7 +1408,7 @@
allow $1_evolution_exchange_t self:tcp_socket create_socket_perms;
allow $1_evolution_exchange_t self:udp_socket create_socket_perms;
-@@ -542,6 +575,16 @@
+@@ -542,6 +576,16 @@
allow $1_evolution_exchange_t $1_evolution_server_t:unix_stream_socket connectto;
allow $1_evolution_exchange_t $1_evolution_server_orbit_tmp_t:sock_file write;
@@ -1409,7 +1425,7 @@
# /tmp/.exchange-$USER
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:dir manage_dir_perms;
allow $1_evolution_exchange_t $1_evolution_exchange_tmp_t:file manage_file_perms;
-@@ -588,6 +631,10 @@
+@@ -588,6 +632,10 @@
fs_manage_nfs_files($1_evolution_exchange_t)
')
@@ -1420,7 +1436,7 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_evolution_exchange_t)
')
-@@ -606,6 +653,8 @@
+@@ -606,6 +654,8 @@
# Evolution data server local policy
#
@@ -1429,7 +1445,7 @@
allow $1_evolution_server_t self:fifo_file { read write };
allow $1_evolution_server_t self:unix_stream_socket { accept connectto };
# Talk to ldap (address book),
-@@ -628,6 +677,12 @@
+@@ -628,6 +678,12 @@
allow $1_evolution_server_t $2:fd use;
@@ -1442,7 +1458,7 @@
kernel_read_system_state($1_evolution_server_t)
corecmd_exec_shell($1_evolution_server_t)
-@@ -682,6 +737,10 @@
+@@ -682,6 +738,10 @@
')
optional_policy(`
@@ -1453,7 +1469,7 @@
nscd_socket_use($1_evolution_server_t)
')
-@@ -813,3 +872,45 @@
+@@ -813,3 +873,45 @@
allow $2 $1_evolution_t:unix_stream_socket connectto;
allow $2 $1_evolution_home_t:dir search;
')
@@ -1862,7 +1878,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.5.2/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/apps/mozilla.if 2007-01-26 14:04:53.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/apps/mozilla.if 2007-02-05 15:26:58.000000000 -0500
@@ -60,7 +60,7 @@
allow $1_mozilla_t self:capability { sys_nice setgid setuid };
@@ -1880,7 +1896,11 @@
# Mozpluggerrc
allow $1_mozilla_t mozilla_conf_t:file read_file_perms;
-@@ -150,6 +151,7 @@
+@@ -147,9 +148,11 @@
+ corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
+
+ dev_read_urand($1_mozilla_t)
++ dev_read_rand($1_mozilla_t)
dev_write_sound($1_mozilla_t)
dev_read_sound($1_mozilla_t)
dev_dontaudit_rw_dri($1_mozilla_t)
@@ -1888,7 +1908,7 @@
files_read_etc_runtime_files($1_mozilla_t)
files_read_usr_files($1_mozilla_t)
-@@ -159,9 +161,10 @@
+@@ -159,9 +162,10 @@
# interacting with gstreamer
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
@@ -1900,7 +1920,7 @@
fs_rw_tmpfs_files($1_mozilla_t)
libs_use_ld_so($1_mozilla_t)
-@@ -177,6 +180,8 @@
+@@ -177,6 +181,8 @@
sysnet_dns_name_resolve($1_mozilla_t)
sysnet_read_config($1_mozilla_t)
@@ -1909,7 +1929,7 @@
userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
userdom_manage_user_home_content_files($1,$1_mozilla_t)
userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
-@@ -185,7 +190,9 @@
+@@ -185,7 +191,9 @@
userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
@@ -1920,7 +1940,7 @@
tunable_policy(`allow_execmem',`
allow $1_mozilla_t self:process { execmem execstack };
')
-@@ -318,12 +325,14 @@
+@@ -318,12 +326,14 @@
tunable_policy(`write_untrusted_content',`
files_search_home($1_mozilla_t)
@@ -1938,7 +1958,7 @@
files_dontaudit_list_home($1_mozilla_t)
files_dontaudit_list_tmp($1_mozilla_t)
-@@ -335,22 +344,26 @@
+@@ -335,22 +345,26 @@
')
optional_policy(`
@@ -1972,7 +1992,7 @@
')
optional_policy(`
-@@ -358,44 +371,34 @@
+@@ -358,44 +372,34 @@
')
optional_policy(`
@@ -2034,7 +2054,7 @@
# Macros for mozilla/mozilla (or other browser) domains.
# FIXME: Rules were removed to centralize policy in a gnome_app macro
-@@ -409,3 +412,174 @@
+@@ -409,3 +413,174 @@
')
')
')
@@ -2389,7 +2409,7 @@
libs_use_ld_so(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.5.2/policy/modules/apps/thunderbird.if
--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/apps/thunderbird.if 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/apps/thunderbird.if 2007-02-05 15:27:06.000000000 -0500
@@ -46,6 +46,7 @@
type $1_thunderbird_home_t alias $1_thunderbird_rw_t;
@@ -2398,17 +2418,18 @@
type $1_thunderbird_tmpfs_t;
files_tmpfs_file($1_thunderbird_tmpfs_t)
-@@ -62,6 +63,9 @@
+@@ -62,6 +63,10 @@
allow $1_thunderbird_t self:unix_stream_socket { create accept connect write getattr read listen bind };
allow $1_thunderbird_t self:tcp_socket create_socket_perms;
allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write };
+ allow $1_thunderbird_t self:netlink_route_socket r_netlink_socket_perms;
+ dev_read_urand($1_thunderbird_t)
++ dev_read_rand($1_thunderbird_t)
+ dev_dontaudit_search_sysfs($1_thunderbird_t)
# Access ~/.thunderbird
manage_dirs_pattern($1_thunderbird_t,$1_thunderbird_home_t,$1_thunderbird_home_t)
-@@ -89,16 +93,22 @@
+@@ -89,16 +94,22 @@
manage_dirs_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
manage_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
manage_lnk_files_pattern($2,$1_thunderbird_home_t,$1_thunderbird_home_t)
@@ -2432,7 +2453,7 @@
corenet_non_ipsec_sendrecv($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
-@@ -123,17 +133,26 @@
+@@ -123,17 +134,26 @@
corenet_sendrecv_http_client_packets($1_thunderbird_t)
files_list_tmp($1_thunderbird_t)
@@ -2459,7 +2480,7 @@
sysnet_read_config($1_thunderbird_t)
# Allow DNS
-@@ -147,7 +166,9 @@
+@@ -147,7 +167,9 @@
userdom_read_user_home_content_files($1,$1_thunderbird_t)
xserver_user_client_template($1,$1_thunderbird_t,$1_thunderbird_tmpfs_t)
@@ -2470,7 +2491,7 @@
# Transition from user type
tunable_policy(`! disable_thunderbird_trans',`
domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t)
-@@ -200,7 +221,6 @@
+@@ -200,7 +222,6 @@
userdom_read_user_tmp_symlinks($1,$1_thunderbird_t)
userdom_search_user_home_dirs($1,$1_thunderbird_t)
userdom_read_user_home_content_files($1,$1_thunderbird_t)
@@ -2478,7 +2499,7 @@
ifndef(`enable_mls',`
fs_search_removable($1_thunderbird_t)
-@@ -282,11 +302,12 @@
+@@ -282,11 +303,12 @@
# Manage /tmp and /home
tunable_policy(`write_untrusted_content',`
files_search_home($1_thunderbird_t)
@@ -2494,7 +2515,7 @@
',`
files_dontaudit_list_home($1_thunderbird_t)
files_dontaudit_list_tmp($1_thunderbird_t)
-@@ -298,6 +319,10 @@
+@@ -298,6 +320,10 @@
')
optional_policy(`
@@ -2505,7 +2526,7 @@
dbus_system_bus_client_template($1_thunderbird,$1_thunderbird_t)
dbus_user_bus_client_template($1,$1_thunderbird,$1_thunderbird_t)
dbus_send_system_bus($1_thunderbird_t)
-@@ -310,6 +335,7 @@
+@@ -310,6 +336,7 @@
optional_policy(`
cups_read_rw_config($1_thunderbird_t)
@@ -2513,7 +2534,7 @@
')
optional_policy(`
-@@ -320,29 +346,79 @@
+@@ -320,29 +347,79 @@
nis_use_ypbind($1_thunderbird_t)
')
@@ -2691,6 +2712,13 @@
files_read_etc_files(webalizer_t)
files_read_etc_runtime_files(webalizer_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.5.2/policy/modules/apps/wine.fc
+--- nsaserefpolicy/policy/modules/apps/wine.fc 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/apps/wine.fc 2007-02-06 10:34:42.000000000 -0500
+@@ -1,2 +1,3 @@
+ /usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
+ /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
++/opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.5.2/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-01-02 12:57:13.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/kernel/corecommands.fc 2007-01-25 09:00:58.000000000 -0500
@@ -3472,8 +3500,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.5.2/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/kernel/filesystem.if 2007-01-25 09:00:58.000000000 -0500
-@@ -1110,6 +1110,7 @@
++++ serefpolicy-2.5.2/policy/modules/kernel/filesystem.if 2007-02-06 11:14:02.000000000 -0500
+@@ -1110,11 +1110,31 @@
type dosfs_t;
')
@@ -3481,7 +3509,31 @@
manage_files_pattern($1,dosfs_t,dosfs_t)
')
-@@ -2735,7 +2736,26 @@
+ ########################################
+ ## <summary>
++## read files
++## on a DOS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_dos_files',`
++ gen_require(`
++ type dosfs_t;
++ ')
++
++ read_files_pattern($1,dosfs_t,dosfs_t)
++')
++
++########################################
++## <summary>
+ ## Read eventpollfs files.
+ ## </summary>
+ ## <desc>
+@@ -2735,7 +2755,26 @@
type tmpfs_t;
')
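Review bot: The `<summary>` of the new `fs_read_dos_files` interface is split as `read files` / `on a DOS filesystem.` over two lines and starts in lower case, unlike the neighbouring interface summaries (`## Read eventpollfs files.`), so the entry will look inconsistent wherever these XML comments are rendered. Suggest collapsing it to one line, `## Read files on a DOS filesystem.`. The interface body itself mirrors the manage variant just above it (`gen_require` of dosfs_t, then `read_files_pattern($1,dosfs_t,dosfs_t)`), which is the right shape.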
@@ -3991,7 +4043,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.5.2/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-01-25 08:13:58.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/apache.te 2007-02-01 14:10:21.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/apache.te 2007-02-06 11:29:43.000000000 -0500
@@ -171,6 +171,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -4008,7 +4060,15 @@
corenet_non_ipsec_sendrecv(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
-@@ -448,6 +450,11 @@
+@@ -285,6 +287,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(httpd_t)
+ term_dontaudit_use_generic_ptys(httpd_t)
++ term_dontaudit_use_all_user_ptys(httpd_t)
+ files_dontaudit_read_root_files(httpd_t)
+
+ tunable_policy(`httpd_enable_homedirs',`
+@@ -448,6 +451,11 @@
logging_send_syslog_msg(httpd_helper_t)
@@ -4020,7 +4080,7 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
-@@ -686,6 +693,7 @@
+@@ -686,6 +694,7 @@
optional_policy(`
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
@@ -4028,7 +4088,7 @@
')
########################################
-@@ -694,6 +702,8 @@
+@@ -694,6 +703,8 @@
#
manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
@@ -4037,7 +4097,7 @@
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-@@ -712,3 +722,4 @@
+@@ -712,3 +723,4 @@
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
')
@@ -4082,7 +4142,7 @@
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.5.2/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/automount.te 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/automount.te 2007-02-06 11:25:05.000000000 -0500
@@ -13,8 +13,7 @@
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -4120,9 +4180,36 @@
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
+@@ -160,6 +157,7 @@
+ files_dontaudit_read_root_files(automount_t)
+ term_dontaudit_use_unallocated_ttys(automount_t)
+ term_dontaudit_use_generic_ptys(automount_t)
++ term_dontaudit_use_all_user_ptys(automount_t)
+ ')
+
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.5.2/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/bind.te 2007-02-06 11:32:59.000000000 -0500
+@@ -147,6 +147,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(named_t)
+ term_dontaudit_use_generic_ptys(named_t)
++ term_dontaudit_use_all_user_ptys(named_t)
+ files_dontaudit_read_root_files(named_t)
+ ')
+
+@@ -265,6 +266,7 @@
+
+ term_use_unallocated_ttys(ndc_t)
+ term_use_generic_ptys(ndc_t)
++ term_dontaudit_use_all_user_ptys(ndc_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.5.2/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/bluetooth.te 2007-02-01 14:50:35.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/bluetooth.te 2007-02-06 11:29:23.000000000 -0500
@@ -41,7 +41,7 @@
# Bluetooth services local policy
#
@@ -4140,6 +4227,14 @@
term_dontaudit_use_console(bluetooth_t)
#Handle bluetooth serial devices
+@@ -135,6 +136,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(bluetooth_t)
+ term_dontaudit_use_generic_ptys(bluetooth_t)
++ term_dontaudit_use_all_user_ptys(bluetooth_t)
+ files_dontaudit_read_root_files(bluetooth_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.5.2/policy/modules/services/ccs.fc
--- nsaserefpolicy/policy/modules/services/ccs.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/ccs.fc 2007-01-25 09:00:58.000000000 -0500
@@ -4561,7 +4656,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.5.2/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/cups.te 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/cups.te 2007-02-06 11:27:59.000000000 -0500
@@ -120,6 +120,8 @@
manage_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
@@ -4571,7 +4666,15 @@
allow cupsd_t cupsd_var_run_t:dir setattr;
manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
-@@ -233,6 +235,9 @@
+@@ -177,6 +179,7 @@
+
+ term_dontaudit_use_console(cupsd_t)
+ term_use_unallocated_ttys(cupsd_t)
++
+ term_search_ptys(cupsd_t)
+
+ auth_domtrans_chk_passwd(cupsd_t)
+@@ -233,6 +236,9 @@
ifdef(`enable_mls',`
lpd_relabel_spool(cupsd_t)
@@ -4581,6 +4684,14 @@
')
ifdef(`targeted_policy',`
+@@ -240,6 +246,7 @@
+
+ term_dontaudit_use_unallocated_ttys(cupsd_t)
+ term_dontaudit_use_generic_ptys(cupsd_t)
++ term_dontaudit_use_all_user_ptys(cupsd_t)
+
+ init_stream_connect_script(cupsd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.5.2/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/cvs.te 2007-01-25 09:00:58.000000000 -0500
@@ -4711,6 +4822,17 @@
+')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.5.2/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/dbus.te 2007-02-06 11:32:13.000000000 -0500
+@@ -114,6 +114,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(system_dbusd_t)
+ term_dontaudit_use_generic_ptys(system_dbusd_t)
++ term_dontaudit_use_all_user_ptys(system_dbusd_t)
+ files_dontaudit_read_root_files(system_dbusd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.5.2/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/dhcp.te 2007-01-29 17:31:09.000000000 -0500
@@ -4723,6 +4845,17 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.5.2/policy/modules/services/dovecot.te
+--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/dovecot.te 2007-02-06 11:28:22.000000000 -0500
+@@ -125,6 +125,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(dovecot_t)
+ term_dontaudit_use_generic_ptys(dovecot_t)
++ term_dontaudit_use_all_user_ptys(dovecot_t)
+ files_dontaudit_read_root_files(dovecot_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-2.5.2/policy/modules/services/ftp.if
--- nsaserefpolicy/policy/modules/services/ftp.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/ftp.if 2007-01-25 09:00:58.000000000 -0500
@@ -4739,7 +4872,7 @@
userdom_manage_user_home_content_symlinks($1,ftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.5.2/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/ftp.te 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/ftp.te 2007-02-06 11:43:23.000000000 -0500
@@ -102,6 +102,8 @@
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -4757,7 +4890,15 @@
init_use_fds(ftpd_t)
init_use_script_ptys(ftpd_t)
-@@ -173,6 +176,11 @@
+@@ -149,6 +152,7 @@
+
+ term_dontaudit_use_generic_ptys(ftpd_t)
+ term_dontaudit_use_unallocated_ttys(ftpd_t)
++ term_dontaudit_use_all_user_ptys(ftpd_t)
+ ')
+
+ tunable_policy(`allow_ftpd_anon_write',`
+@@ -173,6 +177,11 @@
fs_manage_nfs_files(ftpd_t)
')
@@ -4769,7 +4910,7 @@
tunable_policy(`ftp_home_dir',`
allow ftpd_t self:capability { dac_override dac_read_search };
-@@ -182,10 +190,15 @@
+@@ -182,10 +191,15 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -4785,6 +4926,17 @@
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-2.5.2/policy/modules/services/gpm.te
+--- nsaserefpolicy/policy/modules/services/gpm.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/gpm.te 2007-02-06 11:28:47.000000000 -0500
+@@ -78,6 +78,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(gpm_t)
+ term_dontaudit_use_generic_ptys(gpm_t)
++ term_dontaudit_use_all_user_ptys(gpm_t)
+ files_dontaudit_read_root_files(gpm_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.5.2/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/hal.if 2007-01-25 09:00:58.000000000 -0500
@@ -4832,7 +4984,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.5.2/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/hal.te 2007-02-04 07:37:00.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/hal.te 2007-02-06 11:29:07.000000000 -0500
@@ -85,6 +85,8 @@
dev_rw_power_management(hald_t)
# hal is now execing pm-suspend
@@ -4850,6 +5002,14 @@
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
+@@ -159,6 +162,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_console(hald_t)
+ term_dontaudit_use_generic_ptys(hald_t)
++ term_dontaudit_use_all_user_ptys(hald_t)
+ files_dontaudit_read_root_files(hald_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.5.2/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/inetd.te 2007-01-25 09:00:58.000000000 -0500
@@ -5202,7 +5362,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.5.2/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/nis.te 2007-01-25 14:27:40.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/nis.te 2007-02-05 15:59:38.000000000 -0500
@@ -285,6 +285,7 @@
domain_use_interactive_fds(ypserv_t)
@@ -5211,7 +5371,7 @@
init_use_fds(ypserv_t)
init_use_script_ptys(ypserv_t)
-@@ -323,7 +324,14 @@
+@@ -323,11 +324,22 @@
# ypxfr local policy
#
@@ -5220,18 +5380,36 @@
+allow ypxfr_t ypserv_t:tcp_socket { read write };
+allow ypxfr_t ypserv_t:udp_socket { read write };
+
++allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
+allow ypxfr_t self:tcp_socket create_stream_socket_perms;
+allow ypxfr_t self:udp_socket create_socket_perms;
++allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
allow ypxfr_t ypserv_t:tcp_socket { read write };
allow ypxfr_t ypserv_t:udp_socket { read write };
-@@ -352,3 +360,5 @@
+
++allow ypxfr_t ypserv_conf_t:file { getattr read };
++
+ read_files_pattern(ypxfr_t,var_yp_t,var_yp_t)
+
+ corenet_non_ipsec_sendrecv(ypxfr_t)
+@@ -352,3 +364,15 @@
libs_use_shared_libs(ypxfr_t)
libs_use_ld_so(ypxfr_t)
+
++logging_send_syslog_msg(ypxfr_t)
++
+sysnet_read_config(ypxfr_t)
++
++miscfiles_read_localization(ypxfr_t)
++init_use_fds(ypxfr_t)
++
++ifdef(`targeted_policy', `
++ term_dontaudit_use_unallocated_ttys(ypxfr_t)
++ term_dontaudit_use_generic_ptys(ypxfr_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.5.2/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/nscd.if 2007-01-25 09:00:58.000000000 -0500
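Review bot: The new `allow ypxfr_t ypserv_conf_t:file { getattr read };` is written as a raw rule while the line two below it uses `read_files_pattern(ypxfr_t,var_yp_t,var_yp_t)`; `read_files_pattern(ypxfr_t,ypserv_conf_t,ypserv_conf_t)` would match that style and grant the usual read_file_perms set instead of a hand-picked subset. On the new side the pair `allow ypxfr_t ypserv_t:tcp_socket { read write };` / `allow ypxfr_t ypserv_t:udp_socket { read write };` appears to be present twice (once as added lines at the top of the inner hunk, once as context further down), so one copy looks redundant. The targeted_policy block at the end adds only the unallocated_ttys and generic_ptys dontaudits, whereas the other modules touched by this commit also add `term_dontaudit_use_all_user_ptys`; if the omission for ypxfr_t is deliberate, a one-line comment there would save the next reader from "fixing" it.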
@@ -5261,7 +5439,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.5.2/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/nscd.te 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/nscd.te 2007-02-06 11:35:52.000000000 -0500
@@ -35,7 +35,6 @@
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
@@ -5293,7 +5471,12 @@
sysnet_read_config(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-@@ -119,14 +117,9 @@
+@@ -115,18 +113,14 @@
+ ifdef(`targeted_policy',`
+ term_use_unallocated_ttys(nscd_t)
+ term_use_generic_ptys(nscd_t)
++ term_dontaudit_use_all_user_ptys(nscd_t)
+
term_dontaudit_use_unallocated_ttys(nscd_t)
term_dontaudit_use_generic_ptys(nscd_t)
files_dontaudit_read_root_files(nscd_t)
@@ -5311,6 +5494,17 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.5.2/policy/modules/services/ntp.te
+--- nsaserefpolicy/policy/modules/services/ntp.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/ntp.te 2007-02-06 11:36:07.000000000 -0500
+@@ -119,6 +119,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(ntpd_t)
+ term_dontaudit_use_generic_ptys(ntpd_t)
++ term_dontaudit_use_all_user_ptys(ntpd_t)
+ files_dontaudit_read_root_files(ntpd_t)
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.5.2/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/openvpn.te 2007-01-25 09:00:58.000000000 -0500
@@ -5536,6 +5730,17 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-2.5.2/policy/modules/services/portmap.te
+--- nsaserefpolicy/policy/modules/services/portmap.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/portmap.te 2007-02-06 11:36:25.000000000 -0500
+@@ -96,6 +96,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(portmap_t)
+ term_dontaudit_use_generic_ptys(portmap_t)
++ term_dontaudit_use_all_user_ptys(portmap_t)
+ files_dontaudit_read_root_files(portmap_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.5.2/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/postfix.fc 2007-01-25 09:49:55.000000000 -0500
@@ -5549,8 +5754,8 @@
/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.5.2/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/postfix.te 2007-01-26 09:49:14.000000000 -0500
-@@ -173,6 +173,8 @@
++++ serefpolicy-2.5.2/policy/modules/services/postfix.te 2007-02-06 11:38:26.000000000 -0500
+@@ -173,9 +173,12 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -5559,6 +5764,18 @@
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(postfix_master_t)
term_dontaudit_use_generic_ptys(postfix_master_t)
++ term_dontaudit_use_all_user_ptys(postfix_master_t)
+ ')
+
+ optional_policy(`
+@@ -386,6 +389,7 @@
+
+ postfix_list_spool(postfix_pickup_t)
+
++allow postfix_pickup_t postfix_spool_maildrop_t:dir read_dir_perms;
+ read_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+ delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.5.2/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/procmail.te 2007-01-29 05:22:56.000000000 -0500
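Review bot: The new `allow postfix_pickup_t postfix_spool_maildrop_t:dir read_dir_perms;` is a raw rule placed next to `read_files_pattern(...)` and `delete_files_pattern(...)`, which already grant search on that directory; the conventional form for listing it is `list_dirs_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)`. obj_perm_sets.spt is not visible from here, so confirm that `read_dir_perms` is actually defined there; if it is not, the module will fail to build and `list_dir_perms` is the set the surrounding policy uses.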
@@ -5672,6 +5889,17 @@
########################################
#
# Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.te serefpolicy-2.5.2/policy/modules/services/rdisc.te
+--- nsaserefpolicy/policy/modules/services/rdisc.te 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/rdisc.te 2007-02-06 11:38:55.000000000 -0500
+@@ -58,6 +58,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(rdisc_t)
+ term_dontaudit_use_generic_ptys(rdisc_t)
++ term_dontaudit_use_all_user_ptys(rdisc_t)
+ files_dontaudit_read_root_files(rdisc_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-2.5.2/policy/modules/services/rhgb.if
--- nsaserefpolicy/policy/modules/services/rhgb.if 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/rhgb.if 2007-01-25 09:00:58.000000000 -0500
@@ -5910,8 +6138,24 @@
/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.5.2/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/rpc.te 2007-01-26 09:40:48.000000000 -0500
-@@ -120,16 +120,20 @@
++++ serefpolicy-2.5.2/policy/modules/services/rpc.te 2007-02-06 11:35:20.000000000 -0500
+@@ -54,6 +54,7 @@
+ fs_read_rpc_symlinks(rpcd_t)
+ fs_read_rpc_sockets(rpcd_t)
+ term_use_controlling_term(rpcd_t)
++term_dontaudit_use_all_user_ptys(rpcd_t)
+
+ # cjp: this should really have its own type
+ files_manage_mounttab(rpcd_t)
+@@ -89,6 +90,7 @@
+ fs_rw_nfsd_fs(nfsd_t)
+
+ term_use_controlling_term(nfsd_t)
++term_dontaudit_use_all_user_ptys(nfsd_t)
+
+ # does not really need this, but it is easier to just allow it
+ files_search_pids(nfsd_t)
+@@ -120,16 +122,20 @@
# GSSD local policy
#
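Review bot: `term_dontaudit_use_all_user_ptys(rpcd_t)` and `term_dontaudit_use_all_user_ptys(nfsd_t)` are added unconditionally here, while every other module in this commit (gpm, hal, ntp, portmap, sasl, snmp, xfs, ...) adds the same call inside `ifdef(`targeted_policy', `...')`. The same applies to `term_dontaudit_use_all_user_ptys(gssd_t)` in the next rpc.te hunk and to `term_dontaudit_use_all_user_ptys(setrans_t)` in setrans.te. A dontaudit removes the denial from the audit log, so on strict policy these lines would silently hide evidence that an NFS daemon touched a user's pty; either move the calls inside the targeted_policy block as the other modules do, or add a comment explaining why the suppression must apply to strict policy as well.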
@@ -5935,7 +6179,7 @@
fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
-@@ -138,6 +142,7 @@
+@@ -138,9 +144,13 @@
files_list_tmp(gssd_t)
files_read_generic_tmp_files(gssd_t)
files_read_generic_tmp_symlinks(gssd_t)
@@ -5943,7 +6187,13 @@
miscfiles_read_certs(gssd_t)
-@@ -148,6 +153,19 @@
++term_use_controlling_term(gssd_t)
++term_dontaudit_use_all_user_ptys(gssd_t)
++
+ tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_unpriv_users_tmp(gssd_t)
+ userdom_read_unpriv_users_tmp_files(gssd_t)
+@@ -148,6 +158,19 @@
')
optional_policy(`
@@ -5976,8 +6226,16 @@
type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.5.2/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/samba.te 2007-01-25 09:00:58.000000000 -0500
-@@ -347,6 +347,8 @@
++++ serefpolicy-2.5.2/policy/modules/services/samba.te 2007-02-06 11:44:08.000000000 -0500
+@@ -288,6 +288,7 @@
+ files_dontaudit_read_root_files(smbd_t)
+ term_dontaudit_use_generic_ptys(smbd_t)
+ term_dontaudit_use_unallocated_ttys(smbd_t)
++ term_dontaudit_use_all_user_ptys(smbd_t)
+ ')
+
+ tunable_policy(`allow_smbd_anon_write',`
+@@ -347,6 +348,8 @@
create_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -5986,6 +6244,34 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;
+@@ -408,6 +411,7 @@
+ files_dontaudit_read_root_files(nmbd_t)
+ term_dontaudit_use_generic_ptys(nmbd_t)
+ term_dontaudit_use_unallocated_ttys(nmbd_t)
++ term_dontaudit_use_all_user_ptys(nmbd_t)
+ ')
+
+ optional_policy(`
+@@ -697,6 +701,8 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(winbind_t)
+ term_dontaudit_use_generic_ptys(winbind_t)
++ term_dontaudit_use_all_user_ptys(winbind_t)
++
+ files_dontaudit_read_root_files(winbind_t)
+ ')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.5.2/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/sasl.te 2007-02-06 11:40:41.000000000 -0500
+@@ -83,6 +83,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(saslauthd_t)
+ term_dontaudit_use_generic_ptys(saslauthd_t)
++ term_dontaudit_use_all_user_ptys(saslauthd_t)
+ files_dontaudit_read_root_files(saslauthd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.5.2/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/sendmail.te 2007-01-25 09:00:58.000000000 -0500
@@ -6027,7 +6313,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.5.2/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/setroubleshoot.te 2007-01-26 11:09:49.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/setroubleshoot.te 2007-02-06 11:40:59.000000000 -0500
@@ -53,6 +53,7 @@
kernel_read_kernel_sysctls(setroubleshootd_t)
@@ -6081,8 +6367,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.5.2/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/snmp.te 2007-01-29 09:54:04.000000000 -0500
-@@ -157,3 +157,4 @@
++++ serefpolicy-2.5.2/policy/modules/services/snmp.te 2007-02-06 11:42:13.000000000 -0500
+@@ -127,6 +127,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(snmpd_t)
+ term_dontaudit_use_generic_ptys(snmpd_t)
++ term_dontaudit_use_all_user_ptys(snmpd_t)
+ files_dontaudit_read_root_files(snmpd_t)
+ ')
+
+@@ -157,3 +158,4 @@
optional_policy(`
udev_read_db(snmpd_t)
')
@@ -6142,7 +6436,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.5.2/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/services/spamassassin.te 2007-02-02 06:40:31.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/spamassassin.te 2007-02-06 11:42:29.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -6172,7 +6466,15 @@
########################################
#
-@@ -107,7 +111,12 @@
+@@ -77,6 +81,7 @@
+ corenet_tcp_bind_all_nodes(spamd_t)
+ corenet_tcp_bind_spamd_port(spamd_t)
+ corenet_tcp_connect_razor_port(spamd_t)
++corenet_tcp_connect_smtp_port(spamd_t)
+ corenet_sendrecv_razor_client_packets(spamd_t)
+ corenet_sendrecv_spamd_server_packets(spamd_t)
+ # spamassassin 3.1 needs this for its
+@@ -107,7 +112,12 @@
files_read_usr_files(spamd_t)
files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
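Review bot: `corenet_tcp_connect_smtp_port(spamd_t)` is added without the matching `corenet_sendrecv_smtp_client_packets(spamd_t)`, whereas the razor connection two lines above is paired with `corenet_sendrecv_razor_client_packets(spamd_t)`; add `corenet_sendrecv_smtp_client_packets(spamd_t)` after the new line so the labelled-packet side is consistent. The grant is also unconditional; if outbound SMTP is only needed by a particular spamd plugin or reporting configuration rather than by default, wrapping it in a `tunable_policy` boolean would keep the default spamd_t domain from opening connections to mail servers. The enclosing spamd_t policy continues outside the hunk.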
@@ -6186,7 +6488,13 @@
init_use_fds(spamd_t)
init_use_script_ptys(spamd_t)
-@@ -138,6 +147,7 @@
+@@ -133,11 +143,13 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(spamd_t)
+ term_dontaudit_use_generic_ptys(spamd_t)
++ term_dontaudit_use_all_user_ptys(spamd_t)
+
+ files_dontaudit_read_root_files(spamd_t)
tunable_policy(`spamd_enable_home_dirs',`
userdom_home_filetrans_generic_user_home_dir(spamd_t)
@@ -6583,6 +6891,17 @@
nscd_socket_use(uux_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.5.2/policy/modules/services/xfs.te
+--- nsaserefpolicy/policy/modules/services/xfs.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/services/xfs.te 2007-02-06 11:44:30.000000000 -0500
+@@ -81,6 +81,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(xfs_t)
+ term_dontaudit_use_generic_ptys(xfs_t)
++ term_dontaudit_use_all_user_ptys(xfs_t)
+ files_dontaudit_read_root_files(xfs_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.5.2/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/services/xserver.fc 2007-01-25 09:00:58.000000000 -0500
@@ -7192,6 +7511,17 @@
+optional_policy(`
+ unconfined_dontaudit_rw_pipes(hostname_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-2.5.2/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te 2007-01-02 12:57:49.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/system/hotplug.te 2007-02-06 11:33:22.000000000 -0500
+@@ -133,6 +133,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(hotplug_t)
+ term_dontaudit_use_generic_ptys(hotplug_t)
++ term_dontaudit_use_all_user_ptys(hotplug_t)
+
+ optional_policy(`
+ consoletype_exec(hotplug_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.5.2/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/system/init.if 2007-01-25 09:00:58.000000000 -0500
@@ -7598,10 +7928,12 @@
+kernel_read_network_state(racoon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.5.2/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/system/iptables.te 2007-01-25 09:00:58.000000000 -0500
-@@ -80,6 +80,11 @@
++++ serefpolicy-2.5.2/policy/modules/system/iptables.te 2007-02-06 11:30:20.000000000 -0500
+@@ -79,7 +79,13 @@
+ ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(iptables_t)
term_dontaudit_use_generic_ptys(iptables_t)
++ term_dontaudit_use_all_user_ptys(iptables_t)
files_dontaudit_read_root_files(iptables_t)
+ unconfined_rw_pipes(iptables_t)
+')
@@ -7611,7 +7943,7 @@
')
optional_policy(`
-@@ -107,3 +112,7 @@
+@@ -107,3 +113,7 @@
optional_policy(`
udev_read_db(iptables_t)
')
@@ -7621,16 +7953,17 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.5.2/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/system/libraries.fc 2007-01-25 09:00:58.000000000 -0500
-@@ -79,6 +79,7 @@
++++ serefpolicy-2.5.2/policy/modules/system/libraries.fc 2007-02-06 10:34:29.000000000 -0500
+@@ -79,6 +79,8 @@
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -242,6 +243,7 @@
+@@ -242,6 +244,7 @@
/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Flash plugin, Macromedia
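Review bot: The new `/opt/cxoffice/lib/wine/.+\.so` entry ends in a bare `\.so` while the neighbouring entries use `\.so(\.[^/]*)*`, so versioned names such as `libfoo.so.1` (constructed example) under that directory would not be matched by this line. Since textrel_shlib_t is the label that permits execmod, every entry added here is a deliberate exception to the text-relocation restriction; keep the pattern no broader than the libraries that need it and, as the `# Flash plugin, Macromedia` entry below does, add a comment naming why these Wine libraries need it.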
@@ -7638,7 +7971,7 @@
HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -301,3 +303,5 @@
+@@ -301,3 +304,5 @@
/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -7676,8 +8009,33 @@
corecmd_read_sbin_symlinks(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.5.2/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/system/logging.te 2007-01-25 09:00:58.000000000 -0500
-@@ -320,6 +320,14 @@
++++ serefpolicy-2.5.2/policy/modules/system/logging.te 2007-02-06 11:42:59.000000000 -0500
+@@ -64,7 +64,7 @@
+ # Auditd local policy
+ #
+
+-allow auditctl_t self:capability { audit_write audit_control };
++allow auditctl_t self:capability { fsetsid audit_write audit_control };
+ allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+
+ read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
+@@ -246,6 +246,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(klogd_t)
+ term_dontaudit_use_unallocated_ttys(klogd_t)
++ term_dontaudit_use_all_user_ptys(klogd_t)
+ ')
+
+ optional_policy(`
+@@ -271,6 +272,7 @@
+ allow syslogd_t self:unix_dgram_socket sendto;
+ allow syslogd_t self:fifo_file rw_file_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
++allow syslogd_t self:tcp_socket create_stream_socket_perms;
+
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+@@ -320,6 +322,15 @@
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
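Review bot: `fsetsid` in the new `allow auditctl_t self:capability { fsetsid audit_write audit_control };` is not a permission of the capability class — CAP_FSETID is spelled `fsetid` — so checkpolicy will reject the rule; the line should read `allow auditctl_t self:capability { fsetid audit_write audit_control };`. CAP_FSETID lets a process keep set-user-ID/set-group-ID bits on files it modifies, which auditctl has no obvious need for; if the grant only silences a spurious denial, `dontaudit auditctl_t self:capability fsetid;` is the tighter choice. The later `allow syslogd_t self:tcp_socket create_stream_socket_perms;` in the same hunk is unconditional; a short comment noting which daemon needs a TCP socket would help readers of systems that run only sysklogd.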
@@ -7686,13 +8044,14 @@
+corenet_tcp_sendrecv_all_if(syslogd_t)
+corenet_tcp_sendrecv_all_nodes(syslogd_t)
+corenet_tcp_sendrecv_all_ports(syslogd_t)
++corenet_tcp_bind_all_nodes(syslogd_t)
+corenet_tcp_bind_rsh_port(syslogd_t)
+corenet_tcp_connect_rsh_port(syslogd_t)
+
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
-@@ -392,3 +400,8 @@
+@@ -392,3 +403,8 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
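Review bot: `corenet_tcp_bind_all_nodes(syslogd_t)` joins an unconditional block of TCP rules, but the only explanation — `# syslog-ng can send or receive logs` — comes after the block; move that comment above the `corenet_tcp_sendrecv_all_if(syslogd_t)` line so it covers the TCP listener as well. A syslog daemon bound on all nodes is reachable from the network on any host running a syslogd_t daemon, so if only syslog-ng needs it, a `tunable_policy` boolean would keep the listener permission off by default.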
@@ -7739,7 +8098,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.5.2/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/system/lvm.te 2007-02-01 16:31:20.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/system/lvm.te 2007-02-06 11:30:46.000000000 -0500
@@ -44,14 +44,20 @@
# Cluster LVM daemon local policy
#
@@ -7783,7 +8142,15 @@
term_dontaudit_use_console(clvmd_t)
-@@ -132,6 +142,10 @@
+@@ -120,6 +130,7 @@
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(clvmd_t)
+ term_dontaudit_use_generic_ptys(clvmd_t)
++ term_dontaudit_use_all_user_ptys(clvmd_t)
+ files_dontaudit_read_root_files(clvmd_t)
+ ')
+
+@@ -132,6 +143,10 @@
')
optional_policy(`
@@ -7794,7 +8161,7 @@
ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
ricci_dontaudit_use_modcluster_fds(clvmd_t)
')
-@@ -147,7 +161,9 @@
+@@ -147,7 +162,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -7805,7 +8172,7 @@
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -156,6 +172,7 @@
+@@ -156,6 +173,7 @@
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7813,7 +8180,7 @@
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -203,6 +220,7 @@
+@@ -203,6 +221,7 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
@@ -7821,7 +8188,7 @@
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
-@@ -228,6 +246,7 @@
+@@ -228,6 +247,7 @@
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
@@ -7829,7 +8196,7 @@
storage_relabel_fixed_disk(lvm_t)
storage_dontaudit_read_removable_device(lvm_t)
-@@ -240,8 +259,8 @@
+@@ -240,8 +260,8 @@
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -7840,18 +8207,20 @@
corecmd_exec_sbin(lvm_t)
-@@ -274,8 +293,8 @@
+@@ -274,9 +294,9 @@
')
ifdef(`targeted_policy', `
- term_dontaudit_use_unallocated_ttys(lvm_t)
- term_dontaudit_use_generic_ptys(lvm_t)
+-
+ term_use_unallocated_ttys(lvm_t)
+ term_use_generic_ptys(lvm_t)
-
++ term_dontaudit_use_all_user_ptys(lvm_t)
files_dontaudit_read_root_files(lvm_t)
')
-@@ -289,6 +308,12 @@
+
+@@ -289,6 +309,12 @@
')
optional_policy(`
@@ -8206,7 +8575,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.5.2/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/system/selinuxutil.te 2007-01-26 15:50:15.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/system/selinuxutil.te 2007-02-06 11:40:01.000000000 -0500
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.4.0)
@@ -8239,7 +8608,15 @@
type semanage_store_t;
files_type(semanage_store_t)
-@@ -195,6 +205,7 @@
+@@ -171,6 +181,7 @@
+ ifdef(`targeted_policy',`
+ term_use_generic_ptys(checkpolicy_t)
+ term_use_unallocated_ttys(checkpolicy_t)
++
+ ')
+
+ ########################################
+@@ -195,6 +206,7 @@
fs_getattr_xattr_fs(load_policy_t)
mls_file_read_up(load_policy_t)
@@ -8247,7 +8624,7 @@
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
-@@ -218,6 +229,7 @@
+@@ -218,6 +230,7 @@
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
unconfined_dontaudit_read_pipes(load_policy_t)
@@ -8255,7 +8632,7 @@
')
')
-@@ -283,6 +295,10 @@
+@@ -283,6 +296,10 @@
auth_domtrans_chk_passwd(newrole_t)
auth_rw_faillog(newrole_t)
@@ -8266,7 +8643,7 @@
corecmd_list_bin(newrole_t)
corecmd_read_bin_symlinks(newrole_t)
-@@ -292,6 +308,7 @@
+@@ -292,6 +309,7 @@
# Write to utmp.
init_rw_utmp(newrole_t)
@@ -8274,7 +8651,7 @@
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
-@@ -307,16 +324,15 @@
+@@ -307,16 +325,15 @@
userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content(newrole_t)
@@ -8299,7 +8676,7 @@
optional_policy(`
nis_use_ypbind(newrole_t)
-@@ -403,6 +419,10 @@
+@@ -403,6 +420,10 @@
fs_rw_tmpfs_blk_files(restorecon_t)
fs_relabel_tmpfs_blk_file(restorecon_t)
fs_relabel_tmpfs_chr_file(restorecon_t)
@@ -8310,7 +8687,15 @@
')
ifdef(`hide_broken_symptoms',`
-@@ -546,82 +566,12 @@
+@@ -462,6 +483,7 @@
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_generic_ptys(restorecond_t)
+ term_dontaudit_use_unallocated_ttys(restorecond_t)
++ term_dontaudit_use_all_user_ptys(restorecond_t)
+ ')
+
+ optional_policy(`
+@@ -546,82 +568,12 @@
########################################
#
@@ -8397,7 +8782,7 @@
########################################
#
-@@ -669,6 +619,7 @@
+@@ -669,6 +621,7 @@
init_use_fds(setfiles_t)
init_use_script_fds(setfiles_t)
init_use_script_ptys(setfiles_t)
@@ -8405,7 +8790,7 @@
domain_use_interactive_fds(setfiles_t)
-@@ -688,3 +639,16 @@
+@@ -688,3 +641,16 @@
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
userdom_read_all_users_home_content_files(setfiles_t)
@@ -8422,6 +8807,17 @@
+ ssh_sigchld(load_policy_t)
+ ssh_rw_stream_sockets(load_policy_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.5.2/policy/modules/system/setrans.te
+--- nsaserefpolicy/policy/modules/system/setrans.te 2007-01-02 12:57:49.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/system/setrans.te 2007-02-06 11:31:35.000000000 -0500
+@@ -65,6 +65,7 @@
+
+ term_dontaudit_use_generic_ptys(setrans_t)
+ term_dontaudit_use_unallocated_ttys(setrans_t)
++term_dontaudit_use_all_user_ptys(setrans_t)
+
+ init_use_fds(setrans_t)
+ init_dontaudit_use_script_ptys(setrans_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.5.2/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.2/policy/modules/system/sysnetwork.te 2007-01-25 09:00:58.000000000 -0500
@@ -9538,7 +9934,7 @@
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.5.2/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.2/policy/modules/system/xen.te 2007-01-25 09:00:58.000000000 -0500
++++ serefpolicy-2.5.2/policy/modules/system/xen.te 2007-02-06 11:15:27.000000000 -0500
@@ -166,8 +166,13 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
@@ -9579,7 +9975,7 @@
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
-@@ -357,3 +373,10 @@
+@@ -357,3 +373,11 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
@@ -9590,6 +9986,7 @@
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+
++fs_read_dos_files(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-2.5.2/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.2/policy/support/obj_perm_sets.spt 2007-01-25 09:00:58.000000000 -0500
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.390
retrieving revision 1.391
diff -u -r1.390 -r1.391
--- selinux-policy.spec 4 Feb 2007 12:42:16 -0000 1.390
+++ selinux-policy.spec 6 Feb 2007 16:54:13 -0000 1.391
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.5.2
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -356,6 +356,14 @@
%endif
%changelog
+* Mon Feb 5 2007 Dan Walsh <dwalsh at redhat.com> 2.5.2-6
+- Allow mozilla, evolution and thunderbird to read dev_random.
+Resolves: #227002
+- Allow spamd to connect to smtp port
+Resolves: #227184
+- Fixes to make ypxfr work
+Resolves: #227237
+
* Sun Feb 4 2007 Dan Walsh <dwalsh at redhat.com> 2.5.2-5
- Fix ssh_agent to be marked as an executable
- Allow Hal to rw sound device