[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy/FC-6 policy-20061106.patch, 1.51, 1.52 selinux-policy.spec, 1.370, 1.371



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv10880

Modified Files:
	policy-20061106.patch selinux-policy.spec 
Log Message:
* Fri Jul 7 2007 Dan Walsh <dwalsh redhat com> 2.4.6-79
- Allow hal to write to pm-suspend
Resolves:#245926


policy-20061106.patch:
 Rules.modular                                |   10 
 config/appconfig-strict-mcs/seusers          |    1 
 config/appconfig-strict-mls/default_contexts |    6 
 config/appconfig-strict-mls/seusers          |    1 
 config/appconfig-strict/seusers              |    1 
 man/man8/kerberos_selinux.8                  |    2 
 policy/flask/access_vectors                  |   21 
 policy/flask/security_classes                |    8 
 policy/global_tunables                       |   94 +++-
 policy/mls                                   |   31 +
 policy/modules/admin/acct.te                 |    1 
 policy/modules/admin/amanda.if               |   17 
 policy/modules/admin/amanda.te               |   11 
 policy/modules/admin/amtu.fc                 |    3 
 policy/modules/admin/amtu.if                 |   57 ++
 policy/modules/admin/amtu.te                 |   56 ++
 policy/modules/admin/backup.te               |    5 
 policy/modules/admin/bootloader.fc           |    5 
 policy/modules/admin/bootloader.te           |   14 
 policy/modules/admin/consoletype.te          |   21 
 policy/modules/admin/ddcprobe.te             |   10 
 policy/modules/admin/dmesg.te                |    7 
 policy/modules/admin/dmidecode.te            |    5 
 policy/modules/admin/firstboot.if            |   24 -
 policy/modules/admin/kudzu.te                |   14 
 policy/modules/admin/logrotate.te            |    5 
 policy/modules/admin/logwatch.te             |   22 
 policy/modules/admin/netutils.te             |   19 
 policy/modules/admin/portage.te              |    5 
 policy/modules/admin/prelink.te              |   23 
 policy/modules/admin/quota.fc                |    7 
 policy/modules/admin/quota.te                |   24 -
 policy/modules/admin/readahead.te            |    2 
 policy/modules/admin/rpm.fc                  |    3 
 policy/modules/admin/rpm.if                  |  104 ++++
 policy/modules/admin/rpm.te                  |   49 --
 policy/modules/admin/su.if                   |   38 +
 policy/modules/admin/su.te                   |    2 
 policy/modules/admin/sudo.if                 |   13 
 policy/modules/admin/tripwire.te             |   11 
 policy/modules/admin/usbmodules.te           |    5 
 policy/modules/admin/usermanage.if           |    2 
 policy/modules/admin/usermanage.te           |   58 ++
 policy/modules/admin/vpn.te                  |    1 
 policy/modules/apps/ethereal.te              |    5 
 policy/modules/apps/evolution.if             |  107 ++++
 policy/modules/apps/evolution.te             |    1 
 policy/modules/apps/games.fc                 |    1 
 policy/modules/apps/gnome.fc                 |    2 
 policy/modules/apps/gnome.if                 |  108 ++++
 policy/modules/apps/gnome.te                 |    5 
 policy/modules/apps/gpg.if                   |    1 
 policy/modules/apps/java.fc                  |    2 
 policy/modules/apps/java.if                  |   70 +++
 policy/modules/apps/java.te                  |    2 
 policy/modules/apps/loadkeys.if              |   39 -
 policy/modules/apps/mozilla.if               |  208 +++++++--
 policy/modules/apps/mplayer.if               |   84 +++
 policy/modules/apps/mplayer.te               |    1 
 policy/modules/apps/slocate.te               |    7 
 policy/modules/apps/thunderbird.if           |   81 +++
 policy/modules/apps/userhelper.if            |   20 
 policy/modules/apps/webalizer.te             |    6 
 policy/modules/apps/wine.fc                  |    1 
 policy/modules/apps/yam.te                   |    5 
 policy/modules/kernel/corecommands.fc        |   30 +
 policy/modules/kernel/corecommands.if        |   77 +++
 policy/modules/kernel/corenetwork.if.in      |  140 ++++++
 policy/modules/kernel/corenetwork.te.in      |   16 
 policy/modules/kernel/devices.fc             |    8 
 policy/modules/kernel/devices.if             |   36 +
 policy/modules/kernel/devices.te             |    8 
 policy/modules/kernel/domain.if              |   80 +++
 policy/modules/kernel/domain.te              |   26 +
 policy/modules/kernel/files.fc               |    2 
 policy/modules/kernel/files.if               |  224 +++++++++
 policy/modules/kernel/filesystem.if          |   62 ++
 policy/modules/kernel/filesystem.te          |   30 +
 policy/modules/kernel/kernel.if              |   84 +++
 policy/modules/kernel/kernel.te              |   22 
 policy/modules/kernel/mls.if                 |   28 +
 policy/modules/kernel/mls.te                 |    6 
 policy/modules/kernel/storage.fc             |    4 
 policy/modules/kernel/storage.if             |    2 
 policy/modules/kernel/terminal.fc            |    1 
 policy/modules/kernel/terminal.if            |   21 
 policy/modules/kernel/terminal.te            |    1 
 policy/modules/services/aide.fc              |    3 
 policy/modules/services/aide.te              |   11 
 policy/modules/services/amavis.if            |   19 
 policy/modules/services/amavis.te            |    4 
 policy/modules/services/apache.fc            |   17 
 policy/modules/services/apache.if            |  157 ++++++
 policy/modules/services/apache.te            |   47 +-
 policy/modules/services/apm.te               |    3 
 policy/modules/services/arpwatch.te          |    5 
 policy/modules/services/audioentropy.te      |    4 
 policy/modules/services/automount.fc         |    1 
 policy/modules/services/automount.te         |   10 
 policy/modules/services/avahi.if             |   40 +
 policy/modules/services/avahi.te             |   10 
 policy/modules/services/bind.fc              |    1 
 policy/modules/services/bind.te              |    6 
 policy/modules/services/bluetooth.te         |   10 
 policy/modules/services/ccs.fc               |    1 
 policy/modules/services/ccs.te               |   25 -
 policy/modules/services/clamav.te            |    3 
 policy/modules/services/courier.te           |    1 
 policy/modules/services/cron.fc              |    6 
 policy/modules/services/cron.if              |   92 ++-
 policy/modules/services/cron.te              |   58 ++
 policy/modules/services/cups.fc              |    5 
 policy/modules/services/cups.te              |   19 
 policy/modules/services/cvs.te               |    2 
 policy/modules/services/cyrus.te             |    5 
 policy/modules/services/dbus.fc              |    1 
 policy/modules/services/dbus.if              |   66 ++
 policy/modules/services/dbus.te              |    4 
 policy/modules/services/dcc.te               |    9 
 policy/modules/services/dhcp.te              |    3 
 policy/modules/services/dovecot.fc           |    1 
 policy/modules/services/dovecot.if           |   44 +
 policy/modules/services/dovecot.te           |   64 ++
 policy/modules/services/fail2ban.fc          |    3 
 policy/modules/services/fail2ban.if          |   80 +++
 policy/modules/services/fail2ban.te          |   74 +++
 policy/modules/services/ftp.te               |   21 
 policy/modules/services/hal.fc               |   14 
 policy/modules/services/hal.if               |  160 ++++++
 policy/modules/services/hal.te               |  176 ++++++-
 policy/modules/services/inetd.te             |   34 +
 policy/modules/services/irqbalance.te        |    4 
 policy/modules/services/kerberos.if          |   25 +
 policy/modules/services/kerberos.te          |   21 
 policy/modules/services/ktalk.fc             |    3 
 policy/modules/services/ktalk.te             |    5 
 policy/modules/services/lpd.if               |   75 ++-
 policy/modules/services/lpd.te               |    5 
 policy/modules/services/mailman.if           |   20 
 policy/modules/services/mailman.te           |    1 
 policy/modules/services/mta.fc               |    1 
 policy/modules/services/mta.if               |   20 
 policy/modules/services/mta.te               |    2 
 policy/modules/services/munin.te             |    5 
 policy/modules/services/nagios.fc            |    3 
 policy/modules/services/nagios.te            |    8 
 policy/modules/services/networkmanager.fc    |    2 
 policy/modules/services/networkmanager.te    |    2 
 policy/modules/services/nis.fc               |    7 
 policy/modules/services/nis.if               |    8 
 policy/modules/services/nis.te               |   39 +
 policy/modules/services/nscd.if              |   20 
 policy/modules/services/nscd.te              |   31 -
 policy/modules/services/ntp.te               |    2 
 policy/modules/services/oav.te               |    5 
 policy/modules/services/oddjob.te            |    5 
 policy/modules/services/openca.if            |    4 
 policy/modules/services/openca.te            |    2 
 policy/modules/services/openct.te            |    2 
 policy/modules/services/openvpn.te           |    9 
 policy/modules/services/pcscd.fc             |    9 
 policy/modules/services/pcscd.if             |   62 ++
 policy/modules/services/pcscd.te             |   79 +++
 policy/modules/services/pegasus.if           |   31 +
 policy/modules/services/pegasus.te           |   11 
 policy/modules/services/portmap.te           |    5 
 policy/modules/services/portslave.te         |    1 
 policy/modules/services/postfix.fc           |    2 
 policy/modules/services/postfix.if           |   45 +
 policy/modules/services/postfix.te           |   94 ++++
 policy/modules/services/ppp.te               |    2 
 policy/modules/services/procmail.te          |   32 +
 policy/modules/services/pyzor.if             |   18 
 policy/modules/services/pyzor.te             |   13 
 policy/modules/services/radius.te            |    2 
 policy/modules/services/radvd.te             |    2 
 policy/modules/services/rhgb.if              |   76 +++
 policy/modules/services/rhgb.te              |    3 
 policy/modules/services/ricci.te             |   26 +
 policy/modules/services/rlogin.te            |   11 
 policy/modules/services/rpc.fc               |    1 
 policy/modules/services/rpc.if               |    3 
 policy/modules/services/rpc.te               |   27 -
 policy/modules/services/rshd.te              |    1 
 policy/modules/services/rsync.te             |    1 
 policy/modules/services/samba.fc             |    6 
 policy/modules/services/samba.if             |  101 ++++
 policy/modules/services/samba.te             |   96 +++-
 policy/modules/services/sasl.te              |   14 
 policy/modules/services/sendmail.if          |   22 
 policy/modules/services/sendmail.te          |    8 
 policy/modules/services/setroubleshoot.if    |   20 
 policy/modules/services/setroubleshoot.te    |    2 
 policy/modules/services/smartmon.te          |    1 
 policy/modules/services/snmp.if              |   17 
 policy/modules/services/snmp.te              |   17 
 policy/modules/services/spamassassin.fc      |    5 
 policy/modules/services/spamassassin.if      |   42 +
 policy/modules/services/spamassassin.te      |   26 -
 policy/modules/services/squid.fc             |    2 
 policy/modules/services/squid.if             |   21 
 policy/modules/services/squid.te             |   16 
 policy/modules/services/ssh.if               |   83 +++
 policy/modules/services/ssh.te               |   14 
 policy/modules/services/telnet.te            |    3 
 policy/modules/services/tftp.te              |    2 
 policy/modules/services/uucp.fc              |    1 
 policy/modules/services/uucp.if              |   67 ++
 policy/modules/services/uucp.te              |   44 +
 policy/modules/services/uwimap.te            |    1 
 policy/modules/services/xserver.fc           |    2 
 policy/modules/services/xserver.if           |  211 +++++++++
 policy/modules/services/xserver.te           |   12 
 policy/modules/system/authlogin.fc           |    1 
 policy/modules/system/authlogin.if           |  180 +++++++
 policy/modules/system/authlogin.te           |   43 +
 policy/modules/system/clock.te               |   18 
 policy/modules/system/fstools.fc             |    1 
 policy/modules/system/fstools.if             |   19 
 policy/modules/system/fstools.te             |   11 
 policy/modules/system/getty.te               |   14 
 policy/modules/system/hostname.te            |   19 
 policy/modules/system/init.if                |   66 ++
 policy/modules/system/init.te                |   51 ++
 policy/modules/system/ipsec.fc               |    5 
 policy/modules/system/ipsec.if               |   99 ++++
 policy/modules/system/ipsec.te               |  121 +++++
 policy/modules/system/iptables.te            |   27 -
 policy/modules/system/libraries.fc           |   43 +
 policy/modules/system/libraries.te           |   11 
 policy/modules/system/locallogin.if          |   37 +
 policy/modules/system/locallogin.te          |   11 
 policy/modules/system/logging.fc             |    5 
 policy/modules/system/logging.if             |   61 ++
 policy/modules/system/logging.te             |   33 +
 policy/modules/system/lvm.fc                 |    2 
 policy/modules/system/lvm.if                 |   44 +
 policy/modules/system/lvm.te                 |   92 +++
 policy/modules/system/miscfiles.fc           |    3 
 policy/modules/system/miscfiles.if           |   79 +++
 policy/modules/system/modutils.te            |   26 -
 policy/modules/system/mount.te               |   31 -
 policy/modules/system/netlabel.te            |   10 
 policy/modules/system/pcmcia.te              |    5 
 policy/modules/system/raid.te                |   16 
 policy/modules/system/selinuxutil.fc         |   10 
 policy/modules/system/selinuxutil.if         |  124 +++++
 policy/modules/system/selinuxutil.te         |  138 ++---
 policy/modules/system/sysnetwork.if          |    2 
 policy/modules/system/sysnetwork.te          |   13 
 policy/modules/system/tzdata.fc              |    3 
 policy/modules/system/tzdata.if              |   23 
 policy/modules/system/tzdata.te              |   51 ++
 policy/modules/system/udev.te                |   22 
 policy/modules/system/unconfined.fc          |    4 
 policy/modules/system/unconfined.if          |   22 
 policy/modules/system/unconfined.te          |   23 
 policy/modules/system/userdomain.if          |  622 +++++++++++++++++++++++----
 policy/modules/system/userdomain.te          |  117 ++---
 policy/modules/system/xen.fc                 |    1 
 policy/modules/system/xen.if                 |   44 +
 policy/modules/system/xen.te                 |   61 ++
 policy/support/*Warnings*                    |  189 ++++++++
 policy/support/file_patterns.spt             |  534 +++++++++++++++++++++++
 policy/support/obj_perm_sets.spt             |  144 ++++++
 265 files changed, 8070 insertions(+), 811 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- policy-20061106.patch	14 Jun 2007 13:56:37 -0000	1.51
+++ policy-20061106.patch	6 Jul 2007 15:35:02 -0000	1.52
@@ -47,8 +47,35 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.6/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2006-11-29 12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/flask/access_vectors	2007-05-22 12:40:26.000000000 -0400
-@@ -619,6 +619,8 @@
++++ serefpolicy-2.4.6/policy/flask/access_vectors	2007-06-26 16:22:26.000000000 -0400
+@@ -185,6 +185,8 @@
+ 	rawip_recv
+ 	rawip_send
+ 	enforce_dest
++	dccp_recv
++	dccp_send
+ }
+ 
+ class netif
+@@ -195,6 +197,8 @@
+ 	udp_send
+ 	rawip_recv
+ 	rawip_send
++	dccp_recv
++	dccp_send
+ }
+ 
+ class netlink_socket
+@@ -594,6 +598,8 @@
+ 	shmempwd
+ 	shmemgrp
+ 	shmemhost
++	getserv
++	shmemserv
+ }
+ 
+ # Define the access vector interpretation for controlling
+@@ -619,6 +625,8 @@
  	send
  	recv
  	relabelto
@@ -57,6 +84,46 @@
  }
  
  class key
+@@ -637,3 +645,16 @@
+ 	translate
+ 	contains
+ }
++
++class dccp_socket
++inherits socket
++{
++	node_bind
++	name_connect
++}
++
++class memprotect
++{
++	mmap_zero
++}
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-2.4.6/policy/flask/security_classes
+--- nsaserefpolicy/policy/flask/security_classes	2006-11-29 12:04:48.000000000 -0500
++++ serefpolicy-2.4.6/policy/flask/security_classes	2007-06-26 16:21:45.000000000 -0400
+@@ -63,8 +63,8 @@
+ class xserver			# userspace
+ class xextension		# userspace
+ 
+-# pax flags
+-class pax
++# pax flags; deprecated--can be reclaimed
++class pax			# userspace
+ 
+ # extended netlink sockets
+ class netlink_route_socket
+@@ -95,4 +95,8 @@
+ 
+ class context			# userspace
+ 
++class dccp_socket
++
++class memprotect
++
+ # FLASK
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.6/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2006-11-29 12:04:51.000000000 -0500
 +++ serefpolicy-2.4.6/policy/global_tunables	2007-05-22 12:40:26.000000000 -0400
@@ -517,7 +584,7 @@
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-11-29 12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te	2007-07-06 09:36:29.000000000 -0400
 @@ -93,6 +93,8 @@
  fs_manage_dos_files(bootloader_t)
  
@@ -543,7 +610,7 @@
  ')
 +
 +optional_policy(`
-+	hal_dontaudit_append_var_lib_files(bootloader_t)
++	hal_dontaudit_append_lib_files(bootloader_t)
 +')
 +
 +optional_policy(`
@@ -892,8 +959,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.6/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/prelink.te	2007-05-22 12:40:26.000000000 -0400
-@@ -18,24 +18,33 @@
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te	2007-07-06 11:23:21.000000000 -0400
+@@ -18,31 +18,39 @@
  type prelink_log_t;
  logging_log_file(prelink_log_t)
  
@@ -928,7 +995,15 @@
  # prelink misc objects that are not system
  # libraries or entrypoints
  allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
-@@ -57,6 +66,7 @@
+ 
+ kernel_read_system_state(prelink_t)
+-kernel_dontaudit_search_kernel_sysctl(prelink_t)
+-kernel_dontaudit_search_sysctl(prelink_t)
++kernel_read_kernel_sysctls(prelink_t)
+ 
+ corecmd_manage_all_executables(prelink_t)
+ corecmd_relabel_all_executables(prelink_t)
+@@ -57,6 +65,7 @@
  files_write_non_security_dirs(prelink_t)
  files_read_etc_files(prelink_t)
  files_read_etc_runtime_files(prelink_t)
@@ -936,7 +1011,7 @@
  
  fs_getattr_xattr_fs(prelink_t)
  
-@@ -79,11 +89,15 @@
+@@ -79,11 +88,15 @@
  ifdef(`targeted_policy',`
  	term_use_unallocated_ttys(prelink_t)
  	term_use_generic_ptys(prelink_t)
@@ -1046,8 +1121,33 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.6/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.if	2007-05-22 12:40:26.000000000 -0400
-@@ -278,3 +278,89 @@
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.if	2007-06-18 11:24:35.000000000 -0400
+@@ -218,6 +218,24 @@
+ 
+ ########################################
+ ## <summary>
++##	dontaudit and use file descriptors from RPM scripts.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpm_dontaudit_use_script_fds',`
++	gen_require(`
++		type rpm_script_t;
++	')
++
++	dontaudit $1 rpm_script_t:fd use;
++')
++
++########################################
++## <summary>
+ ##	Read the RPM package database.
+ ## </summary>
+ ## <param name="domain">
+@@ -278,3 +296,89 @@
  	dontaudit $1 rpm_var_lib_t:file create_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
  ')
@@ -3381,8 +3481,33 @@
  /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.4.6/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.if	2007-05-22 12:40:26.000000000 -0400
-@@ -3248,3 +3248,21 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.if	2007-07-03 12:59:04.000000000 -0400
+@@ -2717,6 +2717,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Get the attributes of a directory in the usb filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_search_usbfs_dirs',`
++	gen_require(`
++		type usbfs_t;
++	')
++
++	allow $1 usbfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Mount a usbfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -3248,3 +3266,21 @@
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -3431,7 +3556,7 @@
  # random_device_t is the type of /dev/random
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.4.6/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/domain.if	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.if	2007-06-22 21:48:34.000000000 -0400
 @@ -413,6 +413,24 @@
  
  ########################################
@@ -3457,7 +3582,7 @@
  ##	Send general signals to all domains.
  ## </summary>
  ## <param name="domain">
-@@ -1276,3 +1294,43 @@
+@@ -1276,3 +1294,65 @@
  	domain_trans($1,$2,$3)
  	type_transition $1 $2:process $3;
  ')
@@ -3501,10 +3626,43 @@
 +	allow $1 domain:association { sendto recvfrom };
 +')
 +
++########################################
++## <summary>
++##	Ability to mmap a low area of the address space,
++##      as configured by /proc/sys/kernel/mmap_min_addr.
++##      Preventing such mappings helps protect against
++##      exploiting null deref bugs in the kernel.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to mmap low memory.
++##	</summary>
++## </param>
++#
++interface(`domain_mmap_low',`
++	gen_require(`
++		attribute mmap_low_domain_type;
++	')
++
++	allow $1 self:memprotect mmap_zero;
++
++	typeattribute $1 mmap_low_domain_type;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.6/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/domain.te	2007-05-22 12:40:26.000000000 -0400
-@@ -144,3 +144,25 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.te	2007-06-22 14:13:07.000000000 -0400
+@@ -15,6 +15,10 @@
+ # Domains that are unconfined
+ attribute unconfined_domain_type;
+ 
++# Domains that can mmap low memory.
++attribute mmap_low_domain_type;
++neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
++
+ # Domains that can set their current context
+ # (perform dynamic transitions)
+ attribute set_curr_context;
+@@ -144,3 +148,25 @@
  
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
@@ -4313,8 +4471,16 @@
  attribute privrangetrans;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.4.6/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/storage.fc	2007-05-22 12:40:26.000000000 -0400
-@@ -42,7 +42,8 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/storage.fc	2007-07-06 10:28:37.000000000 -0400
+@@ -23,6 +23,7 @@
+ /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -42,7 +43,8 @@
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
@@ -4735,7 +4901,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.6/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.te	2007-05-23 13:48:48.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apache.te	2007-07-03 10:49:14.000000000 -0400
+@@ -129,7 +129,7 @@
+ # Apache server local policy
+ #
+ 
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_tty_config };
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+ dontaudit httpd_t self:capability { net_admin sys_tty_config };
+ allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow httpd_t self:fd use;
 @@ -143,6 +143,8 @@
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -4818,7 +4993,16 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
  allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
-@@ -695,6 +713,7 @@
+@@ -659,6 +677,8 @@
+ # Should we add a boolean?
+ apache_domtrans_rotatelogs(httpd_sys_script_t)
+ 
++sysnet_read_config(httpd_sys_script_t)
++
+ ifdef(`distro_redhat',`
+ 	allow httpd_sys_script_t httpd_log_t:file { getattr append };
+ ')
+@@ -695,6 +715,7 @@
  
  optional_policy(`
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
@@ -4826,7 +5010,7 @@
  ')
  
  ########################################
-@@ -704,6 +723,8 @@
+@@ -704,6 +725,8 @@
  
  allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
  allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
@@ -4835,7 +5019,7 @@
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
  kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-@@ -714,9 +735,27 @@
+@@ -714,9 +737,27 @@
  libs_use_ld_so(httpd_rotatelogs_t)
  libs_use_shared_libs(httpd_rotatelogs_t)
  
@@ -4953,7 +5137,7 @@
  # /usr
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.6/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/automount.te	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/automount.te	2007-07-01 21:22:12.000000000 -0400
 @@ -13,8 +13,7 @@
  type automount_var_run_t;
  files_pid_file(automount_var_run_t)
@@ -4991,6 +5175,14 @@
  
  fs_mount_all_fs(automount_t)
  fs_unmount_all_fs(automount_t)
+@@ -106,6 +103,7 @@
+ 
+ dev_read_sysfs(automount_t)
+ # for SSP
++dev_read_rand(automount_t)
+ dev_read_urand(automount_t)
+ 
+ domain_use_interactive_fds(automount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-2.4.6/policy/modules/services/avahi.if
 --- nsaserefpolicy/policy/modules/services/avahi.if	2006-11-29 12:04:49.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/services/avahi.if	2007-05-22 12:40:26.000000000 -0400
@@ -5643,7 +5835,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.6/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.fc	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/cups.fc	2007-07-06 10:56:58.000000000 -0400
 @@ -8,6 +8,7 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5662,6 +5854,11 @@
  /usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
  /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
  
+@@ -52,3 +56,4 @@
+ /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
+ 
+ /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
++/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.6/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-11-29 12:04:49.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/services/cups.te	2007-05-22 12:40:26.000000000 -0400
@@ -5958,8 +6155,14 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.4.6/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dhcp.te	2007-05-22 12:40:26.000000000 -0400
-@@ -127,6 +127,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/dhcp.te	2007-07-02 12:08:23.000000000 -0400
+@@ -1,4 +1,5 @@
+ 
++
+ policy_module(dhcp,1.2.0)
+ 
+ ########################################
+@@ -127,6 +128,8 @@
  	dbus_system_bus_client_template(dhcpd,dhcpd_t)
  	dbus_connect_system_bus(dhcpd_t)
  	dbus_send_system_bus(dhcpd_t)
@@ -6431,27 +6634,90 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.4.6/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.fc	2007-05-22 12:40:26.000000000 -0400
-@@ -7,3 +7,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/hal.fc	2007-07-06 09:29:41.000000000 -0400
+@@ -6,4 +6,16 @@
+ 
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
  
- /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
++/var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
++
++/var/cache/hald(/.*)?				gen_context(system_u:object_r:hald_cache_t,s0)
++
++/var/run/haldaemon.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 +
-+/var/lib/hal(/.*)?			gen_context(system_u:object_r:hald_var_lib_t,s0)
++/usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
++/usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
++/usr/libexec/hal-system-sonypic	 --	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
++
++/var/log/pm-suspend.log				gen_context(system_u:object_r:hald_log_t,s0)
 +
-+/var/run/haldaemon.pid	-- 		gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.4.6/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.if	2007-05-22 12:40:26.000000000 -0400
-@@ -157,3 +157,117 @@
- 	files_search_pids($1)
- 	allow $1 hald_var_run_t:file rw_file_perms;
- ')
++++ serefpolicy-2.4.6/policy/modules/services/hal.if	2007-07-06 09:29:44.000000000 -0400
+@@ -15,12 +15,44 @@
+ 		type hald_t, hald_exec_t;
+ 	')
+ 
+-	domain_auto_trans($1,hald_exec_t,hald_t)
++	domtrans_pattern($1,hald_exec_t,hald_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to use file descriptors from hal.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`hal_dontaudit_use_fds',`
++	gen_require(`
++		type hald_t;
++	')
 +
++	dontaudit $1 hald_t:fd use; 
++')
 +
 +########################################
 +## <summary>
-+##	dontaudit Read/Write hal libraries files
++##	Do not audit attempts to read and write to
++##	hald unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`hal_dontaudit_rw_pipes',`
++	gen_require(`
++		type hald_t;
++	')
+ 
+-	allow $1 hald_t:fd use;
+-	allow hald_t $1:fd use;
+-	allow hald_t $1:fifo_file rw_file_perms;
+-	allow hald_t $1:process sigchld;
++	dontaudit $1 hald_t:fifo_file rw_fifo_file_perms; 
+ ')
+ 
+ ########################################
+@@ -116,7 +148,26 @@
+ 		type hald_tmp_t;
+ 	')
+ 
+-	allow $1 hald_tmp_t:file r_file_perms;
++	allow $1 hald_tmp_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read or write
++##	HAL libraries files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6459,14 +6725,28 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`hal_dontaudit_append_var_lib_files',`
++interface(`hal_dontaudit_append_lib_files',`
 +	gen_require(`
 +		type hald_var_lib_t;
 +	')
 +
-+	files_search_pids($1)
-+	dontaudit $1 hald_var_lib_t:file ra_file_perms;
-+')
++	dontaudit $1 hald_var_lib_t:file { read_file_perms append_file_perms };
+ ')
+ 
+ ########################################
+@@ -135,7 +186,7 @@
+ 	')
+ 
+ 	files_search_pids($1)
+-	allow $1 hald_var_run_t:file r_file_perms;
++	allow $1 hald_var_run_t:file read_file_perms;
+ ')
+ 
+ 
+@@ -157,3 +208,98 @@
+ 	files_search_pids($1)
+ 	allow $1 hald_var_run_t:file rw_file_perms;
+ ')
 +
 +########################################
 +## <summary>
@@ -6527,44 +6807,82 @@
 +
 +########################################
 +## <summary>
-+##	dontaudit use file descriptors for hal
++##	Allow attempts to read and write to
++##	hald unnamed pipes.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The type of the process performing this action.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`hal_dontaudit_use_fds',`
++interface(`hal_rw_pipes',`
 +	gen_require(`
 +		type hald_t;
 +	')
 +
-+	dontaudit $1 hald_t:fd use; 
++	allow $1 hald_t:fifo_file rw_fifo_file_perms; 
 +')
 +
 +########################################
 +## <summary>
-+##	Read/Write to hald unnamed pipes.
++##	Allow ptrace of hal domain
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The type of the process performing this action.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`hal_dontaudit_rw_pipes',`
++interface(`hal_ptrace',`
 +	gen_require(`
 +		type hald_t;
 +	')
 +
-+	dontaudit $1 hald_t:fifo_file rw_file_perms; 
++	allow $1 hald_t:process ptrace;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.6/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.te	2007-05-22 12:40:26.000000000 -0400
-@@ -16,19 +16,22 @@
++++ serefpolicy-2.4.6/policy/modules/services/hal.te	2007-07-06 09:29:37.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(hal,1.4.1)
++policy_module(hal,1.6.1)
+ 
+ ########################################
+ #
+@@ -10,44 +10,80 @@
+ type hald_exec_t;
+ init_daemon_domain(hald_t,hald_exec_t)
+ 
++type hald_acl_t;
++type hald_acl_exec_t;
++domain_type(hald_acl_t)
++domain_entry_file(hald_acl_t,hald_acl_exec_t)
++role system_r types hald_acl_t;
++
++type hald_cache_t;
++files_pid_file(hald_cache_t)
++
++type hald_log_t;
++files_type(hald_log_t)
++
++type hald_mac_t;
++type hald_mac_exec_t;
++domain_type(hald_mac_t)
++domain_entry_file(hald_mac_t,hald_mac_exec_t)
++role system_r types hald_mac_t;
++
++type hald_sonypic_t;
++type hald_sonypic_exec_t;
++domain_type(hald_sonypic_t)
++domain_entry_file(hald_sonypic_t,hald_sonypic_exec_t)
++role system_r types hald_sonypic_t;
++
+ type hald_tmp_t;
+ files_tmp_file(hald_tmp_t)
+ 
  type hald_var_run_t;
  files_pid_file(hald_var_run_t)
  
@@ -6580,50 +6898,58 @@
 -allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
 -dontaudit hald_t self:capability sys_tty_config;
 +allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-+dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
++dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
  allow hald_t self:process signal_perms;
- allow hald_t self:fifo_file rw_file_perms;
+-allow hald_t self:fifo_file rw_file_perms;
++allow hald_t self:fifo_file rw_fifo_file_perms;
  allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow hald_t self:unix_dgram_socket create_socket_perms;
 -allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+logging_send_audit_msg(hald_t)
  allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow hald_t self:tcp_socket create_stream_socket_perms;
  allow hald_t self:udp_socket create_socket_perms;
-@@ -39,6 +42,11 @@
- allow hald_t hald_tmp_t:file create_file_perms;
+ # For backwards compatibility with older kernels
+ allow hald_t self:netlink_socket create_socket_perms;
+ 
+-allow hald_t hald_tmp_t:dir create_dir_perms;
+-allow hald_t hald_tmp_t:file create_file_perms;
++manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
++
++# log files for hald
++allow hald_t hald_log_t:file manage_file_perms;
++logging_log_filetrans(hald_t,hald_log_t,file)
++
++manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
++manage_files_pattern(hald_t,hald_tmp_t,hald_tmp_t)
  files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
  
+-allow hald_t hald_var_run_t:file create_file_perms;
+-allow hald_t hald_var_run_t:dir rw_dir_perms;
 +# var/lib files for hald
-+allow hald_t hald_var_lib_t:file create_file_perms;
-+allow hald_t hald_var_lib_t:sock_file create_file_perms;
-+allow hald_t hald_var_lib_t:dir create_dir_perms;
++manage_dirs_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
++manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
 +
- allow hald_t hald_var_run_t:file create_file_perms;
- allow hald_t hald_var_run_t:dir rw_dir_perms;
++manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
  files_pid_filetrans(hald_t,hald_var_run_t,file)
-@@ -47,7 +55,7 @@
+ 
+ kernel_read_system_state(hald_t)
  kernel_read_network_state(hald_t)
- kernel_read_kernel_sysctls(hald_t)
+-kernel_read_kernel_sysctls(hald_t)
++kernel_rw_kernel_sysctl(hald_t)
  kernel_read_fs_sysctls(hald_t)
 -kernel_read_irq_sysctls(hald_t)
 +kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
  
-@@ -75,11 +83,19 @@
- dev_setattr_generic_usb_dev(hald_t)
- dev_setattr_usbfs_files(hald_t)
+@@ -77,9 +113,13 @@
  dev_rw_power_management(hald_t)
-+
  # hal is now execing pm-suspend
  dev_rw_sysfs(hald_t)
 +dev_read_sound(hald_t)
 +dev_write_sound(hald_t)
-+dev_setattr_sound_dev(hald_t)
-+
 +dev_read_raw_memory(hald_t)
-+dev_write_raw_memory(hald_t)
  
  domain_use_interactive_fds(hald_t)
  domain_read_all_domains_state(hald_t)
@@ -6631,7 +6957,7 @@
  
  files_exec_etc_files(hald_t)
  files_read_etc_files(hald_t)
-@@ -93,6 +109,7 @@
+@@ -93,9 +133,11 @@
  files_create_boot_flag(hald_t)
  files_getattr_all_dirs(hald_t)
  files_read_kernel_img(hald_t)
@@ -6639,14 +6965,162 @@
  
  fs_getattr_all_fs(hald_t)
  fs_search_all(hald_t)
-@@ -126,6 +143,7 @@
++fs_list_inotifyfs(hald_t)
+ fs_list_auto_mountpoints(hald_t)
+ files_getattr_all_mountpoints(hald_t)
+ 
+@@ -119,19 +161,18 @@
+ 
+ auth_use_nsswitch(hald_t)
+ 
+-init_use_fds(hald_t)
+-init_use_script_ptys(hald_t)
+ init_domtrans_script(hald_t)
+-init_write_initctl(hald_t)
  init_read_utmp(hald_t)
  #hal runs shutdown, probably need a shutdown domain
  init_rw_utmp(hald_t)
-+init_exec(hald_t)
++init_telinit(hald_t)
  
  libs_use_ld_so(hald_t)
  libs_use_shared_libs(hald_t)
+ libs_exec_ld_so(hald_t)
+ libs_exec_lib_files(hald_t)
+ 
++logging_send_audit_msg(hald_t)
+ logging_send_syslog_msg(hald_t)
+ logging_search_logs(hald_t)
+ 
+@@ -142,6 +183,7 @@
+ 
+ seutil_read_config(hald_t)
+ seutil_read_default_contexts(hald_t)
++seutil_read_file_contexts(hald_t)
+ 
+ sysnet_read_config(hald_t)
+ 
+@@ -149,12 +191,16 @@
+ userdom_dontaudit_search_sysadm_home_dirs(hald_t)
+ 
+ ifdef(`targeted_policy',`
+-	term_dontaudit_use_console(hald_t)
+ 	term_dontaudit_use_generic_ptys(hald_t)
+ 	files_dontaudit_read_root_files(hald_t)
+ ')
+ 
+ optional_policy(`
++	alsa_domtrans(hald_t)
++	alsa_read_rw_config(hald_t)
++')
++
++optional_policy(`
+ 	bootloader_domtrans(hald_t)
+ ')
+ 
+@@ -240,3 +286,103 @@
+ optional_policy(`
+ 	vbetool_domtrans(hald_t)
+ ')
++
++########################################
++#
++# Hal acl local policy
++#
++
++allow hald_acl_t self:capability { dac_override fowner };
++allow hald_acl_t self:fifo_file read_fifo_file_perms;
++
++domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
++allow hald_t hald_acl_t:process signal;
++allow hald_acl_t hald_t:unix_stream_socket connectto;
++
++manage_dirs_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
++files_search_var_lib(hald_acl_t)
++
++corecmd_exec_bin(hald_acl_t)
++
++dev_getattr_all_chr_files(hald_acl_t)
++dev_getattr_generic_usb_dev(hald_acl_t)
++dev_getattr_video_dev(hald_acl_t)
++dev_setattr_video_dev(hald_acl_t)
++dev_getattr_sound_dev(hald_acl_t)
++dev_setattr_sound_dev(hald_acl_t)
++dev_setattr_generic_usb_dev(hald_acl_t)
++dev_setattr_usbfs_files(hald_acl_t)
++
++files_read_usr_files(hald_acl_t)
++files_read_etc_files(hald_acl_t)
++
++storage_getattr_removable_dev(hald_acl_t)
++storage_setattr_removable_dev(hald_acl_t)
++
++auth_use_nsswitch(hald_acl_t)
++
++libs_use_ld_so(hald_acl_t)
++libs_use_shared_libs(hald_acl_t)
++
++miscfiles_read_localization(hald_acl_t)
++
++ifdef(`targeted_policy',`
++	term_dontaudit_use_console(hald_acl_t)
++	term_dontaudit_use_generic_ptys(hald_acl_t)
++')
++
++########################################
++#
++# Local hald mac policy
++#
++
++domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
++allow hald_t hald_mac_t:process signal;
++allow hald_mac_t hald_t:unix_stream_socket connectto;
++
++manage_dirs_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
++files_search_var_lib(hald_mac_t)
++
++dev_write_raw_memory(hald_mac_t)
++
++files_read_usr_files(hald_mac_t)
++
++libs_use_ld_so(hald_mac_t)
++libs_use_shared_libs(hald_mac_t)
++
++miscfiles_read_localization(hald_mac_t)
++
++ifdef(`targeted_policy',`
++	term_dontaudit_use_console(hald_mac_t)
++	term_dontaudit_use_generic_ptys(hald_mac_t)
++')
++
++########################################
++#
++# Local hald sonypic policy
++#
++
++domtrans_pattern(hald_t, hald_sonypic_exec_t, hald_sonypic_t)
++allow hald_t hald_sonypic_t:process signal;
++allow hald_sonypic_t hald_t:unix_stream_socket connectto;
++
++dev_read_video_dev(hald_sonypic_t)
++dev_write_video_dev(hald_sonypic_t)
++
++manage_dirs_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
++manage_files_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t)
++files_search_var_lib(hald_sonypic_t)
++
++files_read_usr_files(hald_sonypic_t)
++
++libs_use_ld_so(hald_sonypic_t)
++libs_use_shared_libs(hald_sonypic_t)
++
++miscfiles_read_localization(hald_sonypic_t)
++
++ifdef(`targeted_policy',`
++	term_dontaudit_use_console(hald_sonypic_t)
++	term_dontaudit_use_generic_ptys(hald_sonypic_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.4.6/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2006-11-29 12:04:49.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/services/inetd.te	2007-05-31 14:33:45.000000000 -0400
@@ -6816,7 +7290,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.4.6/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.te	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.te	2007-06-27 11:42:22.000000000 -0400
 @@ -69,7 +69,7 @@
  
  allow kadmind_t krb5kdc_conf_t:dir search;
@@ -6826,7 +7300,33 @@
  
  allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
  
-@@ -156,14 +156,22 @@
+@@ -86,6 +86,7 @@
+ kernel_read_kernel_sysctls(kadmind_t)
+ kernel_list_proc(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
++kernel_read_system_state(kadmind_t)
+ 
+ corenet_non_ipsec_sendrecv(kadmind_t)
+ corenet_tcp_sendrecv_all_if(kadmind_t)
+@@ -114,6 +115,9 @@
+ domain_use_interactive_fds(kadmind_t)
+ 
+ files_read_etc_files(kadmind_t)
++files_read_usr_symlinks(kadmind_t)
++files_read_usr_files(kadmind_t)
++files_read_var_files(kadmind_t)
+ 
+ init_use_fds(kadmind_t)
+ init_use_script_ptys(kadmind_t)
+@@ -126,6 +130,7 @@
+ miscfiles_read_localization(kadmind_t)
+ 
+ sysnet_read_config(kadmind_t)
++sysnet_use_ldap(kadmind_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+ userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
+@@ -156,14 +161,22 @@
  # Use capabilities. Surplus capabilities may be allowed.
  allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
  dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -6851,7 +7351,7 @@
  can_exec(krb5kdc_t, krb5kdc_exec_t)
  
  allow krb5kdc_t krb5kdc_conf_t:dir search;
-@@ -189,6 +197,7 @@
+@@ -189,6 +202,7 @@
  kernel_list_proc(krb5kdc_t)
  kernel_read_proc_symlinks(krb5kdc_t)
  kernel_read_network_state(krb5kdc_t)
@@ -6859,6 +7359,14 @@
  
  corenet_non_ipsec_sendrecv(krb5kdc_t)
  corenet_tcp_sendrecv_all_if(krb5kdc_t)
+@@ -226,6 +240,7 @@
+ miscfiles_read_localization(krb5kdc_t)
+ 
+ sysnet_read_config(krb5kdc_t)
++sysnet_use_ldap(krb5kdc_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+ userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.fc serefpolicy-2.4.6/policy/modules/services/ktalk.fc
 --- nsaserefpolicy/policy/modules/services/ktalk.fc	2006-11-29 12:04:51.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/services/ktalk.fc	2007-05-22 12:40:26.000000000 -0400
@@ -7235,8 +7743,16 @@
  	allow ypxfr_t $1:process sigchld;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.4.6/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.te	2007-06-04 11:06:56.000000000 -0400
-@@ -170,8 +170,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/nis.te	2007-07-06 11:31:29.000000000 -0400
+@@ -139,6 +139,7 @@
+ # yppasswdd local policy
+ #
+ 
++allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+ allow yppasswdd_t self:fifo_file rw_file_perms;
+ allow yppasswdd_t self:process { setfscreate signal_perms };
+@@ -170,8 +171,8 @@
  corenet_udp_sendrecv_all_ports(yppasswdd_t)
  corenet_tcp_bind_all_nodes(yppasswdd_t)
  corenet_udp_bind_all_nodes(yppasswdd_t)
@@ -7247,7 +7763,7 @@
  corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
  corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -275,6 +275,8 @@
+@@ -275,6 +276,8 @@
  corenet_udp_bind_all_nodes(ypserv_t)
  corenet_tcp_bind_reserved_port(ypserv_t)
  corenet_udp_bind_reserved_port(ypserv_t)
@@ -7256,7 +7772,7 @@
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
  corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
  corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -291,6 +293,7 @@
+@@ -291,6 +294,7 @@
  domain_use_interactive_fds(ypserv_t)
  
  files_read_var_files(ypserv_t)
@@ -7264,7 +7780,7 @@
  
  init_use_fds(ypserv_t)
  init_use_script_ptys(ypserv_t)
-@@ -329,7 +332,19 @@
+@@ -329,7 +333,19 @@
  # ypxfr local policy
  #
  
@@ -7284,7 +7800,7 @@
  
  corenet_non_ipsec_sendrecv(ypxfr_t)
  corenet_tcp_sendrecv_all_if(ypxfr_t)
-@@ -342,10 +357,29 @@
+@@ -342,10 +358,29 @@
  corenet_udp_bind_all_nodes(ypxfr_t)
  corenet_tcp_bind_reserved_port(ypxfr_t)
  corenet_udp_bind_reserved_port(ypxfr_t)
@@ -7343,7 +7859,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.6/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nscd.te	2007-06-04 14:59:43.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/nscd.te	2007-07-02 11:37:15.000000000 -0400
 @@ -28,15 +28,14 @@
  # Local policy
  #
@@ -7371,7 +7887,15 @@
  
  corenet_non_ipsec_sendrecv(nscd_t)
  corenet_tcp_sendrecv_all_if(nscd_t)
-@@ -100,14 +100,12 @@
+@@ -75,6 +75,7 @@
+ corenet_udp_sendrecv_all_nodes(nscd_t)
+ corenet_tcp_sendrecv_all_ports(nscd_t)
+ corenet_udp_sendrecv_all_ports(nscd_t)
++corenet_udp_bind_all_nodes(nscd_t)
+ corenet_tcp_connect_all_ports(nscd_t)
+ corenet_sendrecv_all_client_packets(nscd_t)
+ corenet_rw_tun_tap_dev(nscd_t)
+@@ -100,14 +101,12 @@
  
  logging_send_syslog_msg(nscd_t)
  
@@ -7386,7 +7910,7 @@
  sysnet_read_config(nscd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(nscd_t)
-@@ -120,14 +118,9 @@
+@@ -120,14 +119,9 @@
  	term_dontaudit_use_unallocated_ttys(nscd_t)
  	term_dontaudit_use_generic_ptys(nscd_t)
  	files_dontaudit_read_root_files(nscd_t)
@@ -7404,7 +7928,7 @@
  ')
  
  optional_policy(`
-@@ -138,3 +131,10 @@
+@@ -138,3 +132,12 @@
  	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
  	xen_append_log(nscd_t)
  ')
@@ -7414,6 +7938,8 @@
 +		samba_append_log(nscd_t)
 +		samba_dontaudit_use_fds(nscd_t)
 +	')
++	samba_read_config(nscd_t)
++	samba_read_var_files(nscd_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.4.6/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2006-11-29 12:04:49.000000000 -0500
@@ -8437,7 +8963,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.6/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ricci.te	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/ricci.te	2007-06-18 11:24:10.000000000 -0400
 @@ -136,6 +136,7 @@
  files_create_boot_flag(ricci_t)
  
@@ -8457,7 +8983,7 @@
  	dbus_system_bus_client_template(ricci,ricci_t)
  	dbus_send_system_bus(ricci_t)
  	oddjob_dbus_chat(ricci_t)
-@@ -334,6 +339,10 @@
+@@ -334,6 +339,14 @@
  ')
  
  optional_policy(`
@@ -8465,10 +8991,14 @@
 +')
 +
 +optional_policy(`
++	rpm_dontaudit_use_script_fds(ricci_modclusterd_t)
++')
++
++optional_policy(`
  	unconfined_use_fds(ricci_modclusterd_t)
  ')
  
-@@ -387,6 +396,8 @@
+@@ -387,6 +400,8 @@
  files_search_usr(ricci_modrpm_t)
  files_read_etc_files(ricci_modrpm_t)
  
@@ -8477,7 +9007,7 @@
  miscfiles_read_localization(ricci_modrpm_t)
  
  optional_policy(`
-@@ -416,6 +427,9 @@
+@@ -416,6 +431,9 @@
  files_read_etc_files(ricci_modservice_t)
  files_read_etc_runtime_files(ricci_modservice_t)
  files_search_usr(ricci_modservice_t)
@@ -8487,7 +9017,7 @@
  
  consoletype_exec(ricci_modservice_t)
  
-@@ -462,6 +476,7 @@
+@@ -462,6 +480,7 @@
  files_manage_etc_files(ricci_modstorage_t)
  files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
@@ -8495,7 +9025,7 @@
  
  storage_raw_read_fixed_disk(ricci_modstorage_t)
  
-@@ -475,13 +490,18 @@
+@@ -475,13 +494,18 @@
  logging_send_syslog_msg(ricci_modstorage_t)
  
  lvm_domtrans(ricci_modstorage_t)
@@ -8701,7 +9231,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.4.6/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.if	2007-06-11 14:33:13.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/samba.if	2007-07-03 12:51:53.000000000 -0400
 @@ -140,6 +140,7 @@
  	')
  
@@ -8746,7 +9276,35 @@
  ##	Execute samba log in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -266,6 +289,27 @@
+@@ -246,6 +269,27 @@
+ ########################################
+ ## <summary>
+ ##	Allow the specified domain to
++##	read samba /var files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`samba_read_var_files',`
++	gen_require(`
++		type samba_var_t;
++	')
++
++	files_search_var($1)
++	files_search_var_lib($1)
++	read_files_pattern($1,samba_var_t,samba_var_t)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to
+ ##	read and write samba /var files.
+ ## </summary>
+ ## <param name="domain">
+@@ -266,6 +310,27 @@
  
  ########################################
  ## <summary>
@@ -8774,7 +9332,7 @@
  ##	Allow the specified domain to write to smbmount tcp sockets.
  ## </summary>
  ## <param name="domain">
-@@ -395,3 +439,39 @@
+@@ -395,3 +460,39 @@
  	allow $1 winbind_var_run_t:sock_file { getattr read write };
  	allow $1 winbind_t:unix_stream_socket connectto;
  ')
@@ -8816,7 +9374,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te	2007-06-11 09:42:56.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/samba.te	2007-07-03 11:14:53.000000000 -0400
 @@ -10,6 +10,13 @@
  type nmbd_exec_t;
  init_daemon_domain(nmbd_t,nmbd_exec_t)
@@ -9003,16 +9561,18 @@
  ')
  
  optional_policy(`
-@@ -614,6 +640,8 @@
+@@ -614,15 +640,19 @@
  # Winbind local policy
  #
  
 +
-+allow winbind_t self:capability setuid;
++allow winbind_t self:capability { dac_override ipc_lock setuid };
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process signal_perms;
  allow winbind_t self:fifo_file { read write };
-@@ -623,6 +651,9 @@
+ allow winbind_t self:unix_dgram_socket create_socket_perms;
+ allow winbind_t self:unix_stream_socket create_stream_socket_perms;
+-allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
  allow winbind_t self:tcp_socket create_stream_socket_perms;
  allow winbind_t self:udp_socket create_socket_perms;
  
@@ -9022,9 +9582,20 @@
  allow winbind_t samba_etc_t:dir r_dir_perms;
  allow winbind_t samba_etc_t:lnk_file { getattr read };
  allow winbind_t samba_etc_t:file r_file_perms;
-@@ -677,10 +708,12 @@
+@@ -655,6 +685,8 @@
+ kernel_list_proc(winbind_t)
+ kernel_read_proc_symlinks(winbind_t)
+ 
++corecmd_exec_bin(winbind_t)
++
+ corenet_tcp_sendrecv_all_if(winbind_t)
+ corenet_udp_sendrecv_all_if(winbind_t)
+ corenet_raw_sendrecv_all_if(winbind_t)
+@@ -676,11 +708,14 @@
+ 
  term_dontaudit_use_console(winbind_t)
  
++auth_use_nsswitch(winbind_t)
  auth_domtrans_chk_passwd(winbind_t)
 +auth_domtrans_upd_passwd(winbind_t)
  
@@ -9035,7 +9606,35 @@
  
  init_use_fds(winbind_t)
  init_use_script_ptys(winbind_t)
-@@ -743,6 +776,8 @@
+@@ -692,13 +727,13 @@
+ 
+ miscfiles_read_localization(winbind_t)
+ 
+-sysnet_read_config(winbind_t)
+-sysnet_dns_name_resolve(winbind_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(winbind_t)
+ userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
+ userdom_priveleged_home_dir_manager(winbind_t)
+ 
++allow winbind_t smbd_tmp_t:dir rw_dir_perms;
++allow winbind_t smbd_tmp_t:file rw_file_perms;
++
+ ifdef(`targeted_policy', `
+ 	term_dontaudit_use_unallocated_ttys(winbind_t)
+ 	term_dontaudit_use_generic_ptys(winbind_t)
+@@ -710,10 +745,6 @@
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(winbind_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(winbind_t)
+ ')
+ 
+@@ -743,6 +774,8 @@
  
  domain_use_interactive_fds(winbind_helper_t)
  
@@ -9044,7 +9643,7 @@
  libs_use_ld_so(winbind_helper_t)
  libs_use_shared_libs(winbind_helper_t)
  
-@@ -763,3 +798,24 @@
+@@ -763,3 +796,24 @@
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
  ')
@@ -9324,13 +9923,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.4.6/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.fc	2007-05-22 12:40:26.000000000 -0400
-@@ -8,6 +8,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.fc	2007-06-18 10:50:37.000000000 -0400
+@@ -8,6 +8,11 @@
  
  /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
  
 +/var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
 +
++/var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
++
  ifdef(`strict_policy',`
  HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
  ')
@@ -9385,7 +9987,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.6/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te	2007-06-18 10:51:14.000000000 -0400
 @@ -8,7 +8,7 @@
  
  # spamassassin client executable
@@ -9415,7 +10017,7 @@
  
  ########################################
  #
-@@ -57,6 +61,9 @@
+@@ -57,12 +61,15 @@
  allow spamd_t spamd_spool_t:dir create_dir_perms;
  files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
  
@@ -9425,6 +10027,13 @@
  allow spamd_t spamd_tmp_t:dir create_dir_perms;
  allow spamd_t spamd_tmp_t:file create_file_perms;
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+ 
+ allow spamd_t spamd_var_run_t:file create_file_perms;
+-allow spamd_t spamd_var_run_t:dir rw_dir_perms;
++allow spamd_t spamd_var_run_t:dir create_dir_perms;
+ files_pid_filetrans(spamd_t,spamd_var_run_t,file)
+ 
+ kernel_read_all_sysctls(spamd_t)
 @@ -78,6 +85,7 @@
  corenet_tcp_bind_all_nodes(spamd_t)
  corenet_tcp_bind_spamd_port(spamd_t)
@@ -9529,12 +10138,24 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.4.6/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/squid.te	2007-05-22 12:40:26.000000000 -0400
-@@ -180,3 +180,14 @@
- #squid requires the following when run in diskd mode, the recommended setting
- allow squid_t tmpfs_t:file { read write };
- ') dnl end TODO
-+
++++ serefpolicy-2.4.6/policy/modules/services/squid.te	2007-07-01 21:13:34.000000000 -0400
+@@ -98,6 +98,8 @@
+ 
+ fs_getattr_all_fs(squid_t)
+ fs_search_auto_mountpoints(squid_t)
++#squid requires the following when run in diskd mode, the recommended setting
++fs_rw_tmpfs_files(squid_t)
+ 
+ selinux_dontaudit_getattr_dir(squid_t)
+ 
+@@ -176,7 +178,13 @@
+ 	udev_read_db(squid_t)
+ ')
+ 
+-ifdef(`TODO',`
+-#squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+-') dnl end TODO
 +optional_policy(`
 +	apache_content_template(squid)
 +	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -9919,7 +10540,7 @@
  /tmp/\.X11-unix/.*	-s	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.6/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/xserver.if	2007-05-23 09:22:42.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/xserver.if	2007-07-03 12:46:50.000000000 -0400
 @@ -45,7 +45,7 @@
  	# execheap needed until the X module loader is fixed.
  	# NVIDIA Needs execstack
@@ -9929,7 +10550,16 @@
  	dontaudit $1_xserver_t self:capability chown;
  	allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  	allow $1_xserver_t self:fd use;
-@@ -93,6 +93,8 @@
+@@ -86,6 +86,8 @@
+ 	allow $1_xserver_t xserver_log_t:dir r_dir_perms;
+ 	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
+ 
++	domain_mmap_low($1_xserver_t)
++
+ 	kernel_read_system_state($1_xserver_t)
+ 	kernel_read_device_sysctls($1_xserver_t)
+ 	kernel_read_modprobe_sysctls($1_xserver_t)
+@@ -93,6 +95,8 @@
  	kernel_read_kernel_sysctls($1_xserver_t)
  	kernel_write_proc_files($1_xserver_t)
  
@@ -9938,7 +10568,7 @@
  	# Run helper programs in $1_xserver_t.
  	corecmd_search_sbin($1_xserver_t)
  	corecmd_exec_bin($1_xserver_t)
-@@ -170,6 +172,11 @@
+@@ -170,6 +174,11 @@
  	')
  
  	optional_policy(`
@@ -9950,7 +10580,7 @@
  		apm_stream_connect($1_xserver_t)
  	')
  
-@@ -279,6 +286,8 @@
+@@ -279,6 +288,8 @@
  	allow $1_xauth_t $1_xserver_t:fifo_file rw_file_perms;
  	allow $1_xauth_t $1_xserver_t:process sigchld;
  
@@ -9959,7 +10589,7 @@
  	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
  
  	domain_auto_trans($2, xserver_exec_t, $1_xserver_t)
-@@ -425,6 +434,8 @@
+@@ -425,6 +436,8 @@
  	allow $2 $1_iceauth_home_t:file manage_file_perms;
  	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
  
@@ -9968,7 +10598,7 @@
  	fs_search_auto_mountpoints($1_iceauth_t)
  
  	libs_use_ld_so($1_iceauth_t)
-@@ -548,7 +559,7 @@
+@@ -548,7 +561,7 @@
  
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -9977,7 +10607,7 @@
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -557,6 +568,7 @@
+@@ -557,6 +570,7 @@
  
  	# Read .Xauthority file
  	allow $2 $1_xauth_home_t:file { getattr read };
@@ -9985,7 +10615,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -578,6 +590,8 @@
+@@ -578,6 +592,8 @@
  	xserver_rw_session_template($1,$2,$3)
  	xserver_use_user_fonts($1,$2)
  
@@ -9994,7 +10624,7 @@
  	# Client write xserver shm
  	tunable_policy(`allow_write_xshm',`
  		allow $2 $1_xserver_t:shm rw_shm_perms;
-@@ -906,10 +920,12 @@
+@@ -906,10 +922,12 @@
  
  	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
  
@@ -10007,7 +10637,7 @@
  ')
  
  ########################################
-@@ -1024,6 +1040,7 @@
+@@ -1024,6 +1042,7 @@
  	logging_search_logs($1)
  	allow $1 xserver_log_t:dir rw_dir_perms;
  	allow $1 xserver_log_t:file unlink;
@@ -10015,7 +10645,7 @@
  ')
  
  ########################################
-@@ -1062,6 +1079,7 @@
+@@ -1062,6 +1081,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -10023,7 +10653,7 @@
  	allow $1 xdm_xserver_tmp_t:file { getattr read };
  ')
  
-@@ -1080,6 +1098,7 @@
+@@ -1080,6 +1100,7 @@
  		type xdm_tmp_t;
  	')
  
@@ -10031,7 +10661,7 @@
  	allow $1 xdm_tmp_t:dir search_dir_perms;
  	allow $1 xdm_tmp_t:file { getattr read };
  ')
-@@ -1160,3 +1179,171 @@
+@@ -1160,3 +1181,189 @@
  	allow $1 xdm_xserver_tmp_t:sock_file write;
  	allow $1 xdm_xserver_t:unix_stream_socket connectto;
  ')
@@ -10171,6 +10801,24 @@
 +
 +########################################
 +## <summary>
++##	Get the attributes of xauth executable
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_getattr_xauth',`
++	gen_require(`
++		type xauth_exec_t;
++	')
++
++	allow $1 xauth_exec_t:file getattr;
++')
++
++########################################
++## <summary>
 +##	Transition to a user Xauthority domain.
 +## </summary>
 +## <desc>
@@ -12333,7 +12981,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.6/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/mount.te	2007-07-01 20:54:25.000000000 -0400
 @@ -9,6 +9,7 @@
  type mount_t;
  type mount_exec_t;
@@ -12354,7 +13002,16 @@
  
  allow mount_t mount_tmp_t:file create_file_perms;
  allow mount_t mount_tmp_t:dir create_dir_perms;
-@@ -64,6 +66,7 @@
+@@ -40,6 +42,8 @@
+ kernel_read_system_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
++kernel_search_debugfs(mount_t)
++kernel_read_unlabeled_state(mount_t)
+ 
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
+@@ -64,6 +68,7 @@
  fs_read_tmpfs_symlinks(mount_t)
  
  term_use_all_terms(mount_t)
@@ -12362,7 +13019,16 @@
  
  # required for mount.smbfs
  corecmd_exec_sbin(mount_t)
-@@ -117,11 +120,16 @@
+@@ -91,6 +96,8 @@
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
++init_stream_connect_script(mount_t)
++init_rw_script_stream_sockets(mount_t)
+ 
+ libs_use_ld_so(mount_t)
+ libs_use_shared_libs(mount_t)
+@@ -117,11 +124,16 @@
  	')
  ')
  
@@ -12381,7 +13047,7 @@
  	')
  ')
  
-@@ -163,14 +171,6 @@
+@@ -163,14 +175,6 @@
  	apm_use_fds(mount_t)
  ')
  
@@ -12396,7 +13062,7 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -184,6 +184,11 @@
+@@ -184,6 +188,11 @@
  	nscd_socket_use(mount_t)
  ')
  
@@ -12957,6 +13623,18 @@
 +	ssh_sigchld(load_policy_t)
 +	ssh_rw_stream_sockets(load_policy_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-2.4.6/policy/modules/system/sysnetwork.if
+--- nsaserefpolicy/policy/modules/system/sysnetwork.if	2006-11-29 12:04:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.if	2007-06-18 15:38:25.000000000 -0400
+@@ -532,6 +532,8 @@
+ 
+ 	files_search_etc($1)
+ 	allow $1 net_conf_t:file r_file_perms;
++	# LDAP Configuration using encrypted requires
++	dev_read_urand($1)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.4.6/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-11-29 12:04:51.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te	2007-05-22 12:40:26.000000000 -0400
@@ -13089,7 +13767,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.4.6/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/udev.te	2007-06-12 11:13:55.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/udev.te	2007-06-28 07:26:03.000000000 -0400
 @@ -70,7 +70,7 @@
  
  allow udev_t udev_var_run_t:file create_file_perms;
@@ -13099,7 +13777,26 @@
  
  kernel_read_system_state(udev_t)
  kernel_getattr_core_if(udev_t)
-@@ -144,8 +144,11 @@
+@@ -84,12 +84,18 @@
+ kernel_dgram_send(udev_t)
+ kernel_signal(udev_t)
+ 
++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
++kernel_rw_net_sysctls(udev_t)
++kernel_read_network_state(udev_t)
++
+ corecmd_exec_all_executables(udev_t)
+ 
+ dev_rw_sysfs(udev_t)
+ dev_manage_all_dev_nodes(udev_t)
+ dev_rw_generic_files(udev_t)
+ dev_delete_generic_files(udev_t)
++dev_search_usbfs_dirs(udev_t)
++dev_relabel_all_dev_nodes(udev_t)
+ 
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
+@@ -144,8 +150,11 @@
  seutil_read_file_contexts(udev_t)
  seutil_domtrans_restorecon(udev_t)
  
@@ -13111,6 +13808,28 @@
  
  userdom_use_sysadm_ttys(udev_t)
  userdom_dontaudit_search_all_users_home_content(udev_t)
+@@ -186,6 +195,10 @@
+ ')
+ 
+ optional_policy(`
++	fstools_domtrans(udev_t)
++')
++
++optional_policy(`
+ 	hal_dgram_send(udev_t)
+ ')
+ 
+@@ -198,3 +211,10 @@
+ optional_policy(`
+ 	xserver_read_xdm_pid(udev_t)
+ ')
++
++optional_policy(`
++	xen_manage_log(udev_t)
++	kernel_write_xen_state(udev_t)
++	kernel_read_xen_state(udev_t)
++	xen_read_image_files(udev_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.4.6/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-11-29 12:04:51.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc	2007-05-22 12:40:26.000000000 -0400
@@ -13126,7 +13845,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.6/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.if	2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.if	2007-06-22 11:15:09.000000000 -0400
 @@ -31,6 +31,7 @@
  	allow $1 self:nscd *;
  	allow $1 self:dbus *;
@@ -13160,6 +13879,13 @@
  ##	Connect to the unconfined domain using
  ##	a unix domain stream socket.
  ## </summary>
+@@ -541,3 +560,6 @@
+ 
+ 	allow $1 unconfined_t:dbus acquire_svc;
+ ')
++
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.6/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-11-29 12:04:51.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/system/unconfined.te	2007-05-22 12:40:26.000000000 -0400
@@ -14361,7 +15087,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.4.6/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.if	2007-06-11 08:26:34.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.if	2007-06-15 13:12:08.000000000 -0400
 @@ -77,6 +77,7 @@
  	')
  
@@ -14370,9 +15096,56 @@
  	allow $1 xend_var_log_t:file { getattr append };
  	dontaudit $1 xend_var_log_t:file write;
  ')
+@@ -163,3 +164,46 @@
+ 	allow xm_t $1:fifo_file rw_file_perms;
+ 	allow xm_t $1:process sigchld;
+ ')
++
++########################################
++## <summary>
++##	Allow the specified domain to manage
++##	xend log files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`xen_manage_log',`
++	gen_require(`
++		type var_log_t, xend_var_log_t;
++	')
++
++	logging_search_logs($1)
++	allow $1 xend_var_log_t:dir create_dir_perms;
++	allow $1 xend_var_log_t:file create_file_perms;
++	dontaudit $1 xend_var_log_t:file write;
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to read
++##	xend image files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`xen_read_image_files',`
++	gen_require(`
++		type xen_image_t, xend_var_lib_t;
++	')
++
++	files_list_var_lib($1)
++	allow $1 xend_var_lib_t:dir search_dir_perms;
++	read_files_pattern($1,xen_image_t,xen_image_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te	2007-06-11 08:20:44.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.te	2007-06-15 13:12:32.000000000 -0400
 @@ -20,12 +20,15 @@
  type xenctl_t;
  files_type(xenctl_t)
@@ -14482,6 +15255,15 @@
  term_create_pty(xenconsoled_t,xen_devpts_t);
  term_use_generic_ptys(xenconsoled_t)
  term_use_console(xenconsoled_t)
+@@ -248,7 +271,7 @@
+ 
+ miscfiles_read_localization(xenconsoled_t)
+ 
+-xen_append_log(xenconsoled_t)
++xen_manage_log(xenconsoled_t)
+ xen_stream_connect_xenstore(xenconsoled_t)
+ 
+ ########################################
 @@ -283,6 +306,12 @@
  
  files_read_usr_files(xenstored_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.370
retrieving revision 1.371
diff -u -r1.370 -r1.371
--- selinux-policy.spec	14 Jun 2007 13:49:50 -0000	1.370
+++ selinux-policy.spec	6 Jul 2007 15:35:03 -0000	1.371
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.6
-Release: 75%{?dist}
+Release: 79%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,24 @@
 %endif
 
 %changelog
+* Fri Jul 7 2007 Dan Walsh <dwalsh redhat com> 2.4.6-79
+- Allow hal to write to pm-suspend
+Resolves:#245926
+
+* Sun Jul 1 2007 Dan Walsh <dwalsh redhat com> 2.4.6-78
+- Added fixes for gfs init script
+Resolves:#246194
+
+* Mon Jun 11 2007 Dan Walsh <dwalsh redhat com> 2.4.6-77
+- More fixes add mmap_zero for new kernel
+Resolves:#244690
+
+* Mon Jun 11 2007 Dan Walsh <dwalsh redhat com> 2.4.6-76
+- Allow xenconsole to manage xen log files
+- add mmap_zero for new kernel
+- Fixes for RHEL5
+Resolves:#244690
+
 * Thu May 31 2007 Dan Walsh <dwalsh redhat com> 2.4.6-75
 - Allow samba to remove log files
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]