rpms/selinux-policy/devel .cvsignore, 1.105, 1.106 policy-20070219.patch, 1.11, 1.12 selinux-policy.spec, 1.404, 1.405 sources, 1.111, 1.112
fedora-cvs-commits at redhat.com
Thu Mar 1 21:57:49 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12122
Modified Files:
.cvsignore policy-20070219.patch selinux-policy.spec sources
Log Message:
* Thu Mar 1 2007 Dan Walsh <dwalsh at redhat.com> 2.5.7-1
- Update to latest from upstream
- Add fail2ban policy
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.105
retrieving revision 1.106
diff -u -r1.105 -r1.106
--- .cvsignore 28 Feb 2007 21:23:19 -0000 1.105
+++ .cvsignore 1 Mar 2007 21:57:47 -0000 1.106
@@ -107,3 +107,4 @@
serefpolicy-2.5.4.tgz
serefpolicy-2.5.5.tgz
serefpolicy-2.5.6.tgz
+serefpolicy-2.5.7.tgz
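Review bot: The added `serefpolicy-2.5.7.tgz` line continues a list that grows by one entry per upstream release (2.5.4 through 2.5.6 sit directly above it). A single wildcard entry such as `serefpolicy-*.tgz` would cover every tarball and remove the need to touch .cvsignore on each version bump.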
policy-20070219.patch:
Rules.modular | 10 +
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 65 ++++++-
policy/mls | 33 +++-
policy/modules/admin/acct.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/kudzu.te | 3
policy/modules/admin/netutils.te | 3
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 44 +++++
policy/modules/admin/rpm.te | 2
policy/modules/admin/su.if | 6
policy/modules/admin/sudo.if | 5
policy/modules/admin/sudo.te | 1
policy/modules/admin/usermanage.te | 20 ++
policy/modules/apps/gnome.if | 25 ++-
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.if | 1
policy/modules/apps/loadkeys.if | 44 +----
policy/modules/apps/mozilla.if | 1
policy/modules/kernel/corecommands.if | 38 ++++
policy/modules/kernel/corenetwork.if.in | 78 ++++++++-
policy/modules/kernel/corenetwork.te.in | 15 +
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.if | 36 ++++
policy/modules/kernel/domain.if | 18 ++
policy/modules/kernel/domain.te | 22 ++
policy/modules/kernel/files.if | 63 +++++++
policy/modules/kernel/filesystem.if | 20 ++
policy/modules/kernel/kernel.if | 23 ++
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 20 ++
policy/modules/kernel/mls.te | 3
policy/modules/kernel/selinux.if | 38 ++++
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 23 ++
policy/modules/services/apache.if | 158 +++++++++++++++++++
policy/modules/services/apache.te | 18 ++
policy/modules/services/automount.te | 1
policy/modules/services/ccs.te | 1
policy/modules/services/consolekit.fc | 2
policy/modules/services/consolekit.if | 46 +++++
policy/modules/services/consolekit.te | 62 +++++++
policy/modules/services/cpucontrol.te | 1
policy/modules/services/cron.fc | 1
policy/modules/services/cron.if | 33 +---
policy/modules/services/cron.te | 43 ++++-
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 58 ++++++-
policy/modules/services/dhcp.te | 2
policy/modules/services/fail2ban.fc | 4
policy/modules/services/fail2ban.if | 87 ++++++++++
policy/modules/services/fail2ban.te | 77 +++++++++
policy/modules/services/ftp.te | 5
policy/modules/services/hal.fc | 6
policy/modules/services/hal.te | 93 ++++++++++-
policy/modules/services/inetd.te | 5
policy/modules/services/mta.te | 2
policy/modules/services/nis.if | 4
policy/modules/services/nscd.if | 20 ++
policy/modules/services/nscd.te | 3
policy/modules/services/pegasus.if | 27 +++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 2
policy/modules/services/procmail.te | 13 +
policy/modules/services/pyzor.if | 22 ++
policy/modules/services/pyzor.te | 9 +
policy/modules/services/radius.te | 1
policy/modules/services/ricci.te | 10 -
policy/modules/services/rpc.te | 26 ++-
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 21 ++
policy/modules/services/samba.te | 6
policy/modules/services/setroubleshoot.te | 4
policy/modules/services/smartmon.te | 1
policy/modules/services/spamassassin.fc | 1
policy/modules/services/spamassassin.if | 41 +++++
policy/modules/services/spamassassin.te | 15 +
policy/modules/services/squid.fc | 1
policy/modules/services/squid.if | 2
policy/modules/services/squid.te | 12 +
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 39 ++++
policy/modules/services/ssh.te | 5
policy/modules/services/xserver.if | 2
policy/modules/services/xserver.te | 4
policy/modules/system/application.fc | 1
policy/modules/system/application.if | 113 +++++++++++++
policy/modules/system/application.te | 9 +
policy/modules/system/authlogin.if | 87 ++++++++--
policy/modules/system/authlogin.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 1
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 14 +
policy/modules/system/init.if | 62 +++++++
policy/modules/system/init.te | 26 ++-
policy/modules/system/ipsec.if | 100 ++++++++++++
policy/modules/system/iptables.te | 9 -
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 8
policy/modules/system/lvm.if | 23 ++
policy/modules/system/lvm.te | 17 +-
policy/modules/system/modutils.te | 3
policy/modules/system/mount.te | 10 -
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 119 ++++++++++++++
policy/modules/system/selinuxutil.te | 147 ++++-------------
policy/modules/system/unconfined.fc | 1
policy/modules/system/unconfined.te | 15 +
policy/modules/system/userdomain.if | 246 ++++++++++++++++--------------
policy/modules/system/userdomain.te | 38 +++-
policy/modules/system/xen.te | 26 +++
policy/support/obj_perm_sets.spt | 2
119 files changed, 2386 insertions(+), 404 deletions(-)
Index: policy-20070219.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070219.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20070219.patch 1 Mar 2007 16:30:20 -0000 1.11
+++ policy-20070219.patch 1 Mar 2007 21:57:47 -0000 1.12
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.5.7/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-02-26 09:43:33.000000000 -0500
-+++ serefpolicy-2.5.7/policy/flask/access_vectors 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/flask/access_vectors 2007-03-01 11:40:30.000000000 -0500
@@ -598,6 +598,8 @@
shmempwd
shmemgrp
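Review bot: The only change in this hunk is the `+++` timestamp on the access_vectors header (10:20:27 to 11:40:30), and the same timestamp-only churn repeats for almost every file header below. Consider generating policy-20070219.patch without header timestamps, or regenerating only the files that actually changed, so that a new revision of the patch shows just the real policy differences and the substantive edits (mls, corecommands.if) are not buried.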
@@ -21,7 +21,7 @@
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.5.7/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.5.7/policy/global_booleans 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/global_booleans 2007-03-01 11:40:30.000000000 -0500
@@ -4,7 +4,6 @@
# file should be used.
#
@@ -40,7 +40,7 @@
## <p>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.5.7/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/global_tunables 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/global_tunables 2007-03-01 11:40:30.000000000 -0500
@@ -162,7 +162,6 @@
## </desc>
gen_tunable(allow_smbd_anon_write,false)
@@ -154,7 +154,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.5.7/policy/mls
--- nsaserefpolicy/policy/mls 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.5.7/policy/mls 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/mls 2007-03-01 13:36:15.000000000 -0500
@@ -89,12 +89,14 @@
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
@@ -194,7 +194,7 @@
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
-@@ -177,8 +191,9 @@
+@@ -177,13 +191,14 @@
( t1 == mlsnetread ));
# the socket "write" ops
@@ -206,6 +206,12 @@
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
+ # used by netlabel to restrict normal domains to same level connections
+-mlsconstrain { tcp_socket udp_socket } recvfrom
++mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
@@ -274,7 +289,8 @@
# the netif/node "write" ops (implicit single level socket doing the write)
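Review bot: The `recvfrom` constraint change added in this hunk is not covered by the log message, which lists only "Update to latest from upstream" and "Add fail2ban policy". The patch now rewrites `mlsconstrain { tcp_socket udp_socket } recvfrom` to include `rawip_socket`, so any domain without the `mlsnetreadtoclr` or `mlsnetread` attribute must satisfy `l1 eq l2` on raw IP sockets as well. That is a behavioural change to the MLS constraints and deserves its own changelog line, plus a word on why raw IP sockets belong under the comment about netlabel same-level connections.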
@@ -228,7 +234,7 @@
mlsconstrain association { polmatch }
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.5.7/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/acct.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/acct.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
@@ -239,7 +245,7 @@
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.5.7/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/consoletype.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/consoletype.te 2007-03-01 11:40:30.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -264,7 +270,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.5.7/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/dmesg.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/dmesg.te 2007-03-01 11:40:30.000000000 -0500
@@ -10,6 +10,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -275,7 +281,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.5.7/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/kudzu.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/kudzu.te 2007-03-01 11:40:30.000000000 -0500
@@ -103,6 +103,9 @@
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
@@ -288,7 +294,7 @@
libs_use_shared_libs(kudzu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.5.7/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/netutils.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/netutils.te 2007-03-01 11:40:30.000000000 -0500
@@ -22,6 +22,7 @@
type traceroute_t;
type traceroute_exec_t;
@@ -308,7 +314,7 @@
corenet_non_ipsec_sendrecv(netutils_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.5.7/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/rpm.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/rpm.fc 2007-03-01 11:40:30.000000000 -0500
@@ -21,6 +21,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -321,7 +327,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.5.7/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/rpm.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/rpm.if 2007-03-01 11:40:30.000000000 -0500
@@ -270,3 +270,47 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
@@ -372,7 +378,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.5.7/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/rpm.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/rpm.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -384,7 +390,7 @@
domain_system_change_exemption(rpm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-2.5.7/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/sudo.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/sudo.if 2007-03-01 11:40:30.000000000 -0500
@@ -37,7 +37,6 @@
gen_require(`
@@ -409,7 +415,7 @@
domain_sigchld_interactive_fds($1_sudo_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-2.5.7/policy/modules/admin/sudo.te
--- nsaserefpolicy/policy/modules/admin/sudo.te 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/sudo.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/sudo.te 2007-03-01 11:40:30.000000000 -0500
@@ -7,5 +7,6 @@
type sudo_exec_t;
@@ -419,7 +425,7 @@
# Remaining policy in per user domain template.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.5.7/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/su.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/su.if 2007-03-01 11:40:30.000000000 -0500
@@ -71,7 +71,7 @@
files_search_var_lib($1_su_t)
files_dontaudit_getattr_tmp_dirs($1_su_t)
@@ -449,7 +455,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.5.7/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/admin/usermanage.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/admin/usermanage.te 2007-03-01 11:40:30.000000000 -0500
@@ -263,6 +263,7 @@
optional_policy(`
rpm_use_fds(groupadd_t)
@@ -507,7 +513,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-2.5.7/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-02-19 11:32:52.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/apps/gnome.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/apps/gnome.if 2007-03-01 11:40:30.000000000 -0500
@@ -105,6 +105,10 @@
')
@@ -555,7 +561,7 @@
## This is a templated interface, and should only
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-2.5.7/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/apps/gpg.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/apps/gpg.fc 2007-03-01 11:40:30.000000000 -0500
@@ -7,6 +7,4 @@
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
@@ -565,7 +571,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-2.5.7/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/apps/gpg.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/apps/gpg.if 2007-03-01 11:40:30.000000000 -0500
@@ -89,6 +89,7 @@
manage_files_pattern($1_gpg_t,$1_gpg_secret_t,$1_gpg_secret_t)
@@ -576,7 +582,7 @@
domtrans_pattern($2,gpg_exec_t,$1_gpg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-2.5.7/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/apps/loadkeys.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/apps/loadkeys.if 2007-03-01 11:40:30.000000000 -0500
@@ -11,16 +11,12 @@
## </param>
#
@@ -645,7 +651,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.5.7/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-02-19 11:32:52.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/apps/mozilla.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/apps/mozilla.if 2007-03-01 11:40:30.000000000 -0500
@@ -147,6 +147,7 @@
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
@@ -656,25 +662,8 @@
dev_dontaudit_rw_dri($1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.5.7/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/corecommands.if 2007-03-01 10:20:27.000000000 -0500
-@@ -928,7 +928,15 @@
- type bin_t, sbin_t;
- ')
-
-- can_exec($1,exec_type)
-+ # Need this dontaudit or command completion fires hundreds of avcs
-+ dontaudit $1 exec_type:file execute;
-+ corecmd_exec_bin($1)
-+ corecmd_exec_sbin($1)
-+ corecmd_exec_shell($1)
-+ corecmd_exec_ls($1)
-+ corecmd_exec_chroot($1)
-+ application_exec($1)
-+
- list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
- read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
- ')
-@@ -990,3 +998,41 @@
++++ serefpolicy-2.5.7/policy/modules/kernel/corecommands.if 2007-03-01 11:40:30.000000000 -0500
+@@ -990,3 +990,41 @@
allow $1 exec_type:file { getattr read execute };
')
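Review bot: The log message does not explain why the `@@ -928,7 +928,15 @@` change to corecommands.if is dropped here. That change replaced `can_exec($1,exec_type)` with `dontaudit $1 exec_type:file execute;` and explicit `corecmd_exec_*` and `application_exec($1)` calls, and its comment warned that command completion otherwise fires hundreds of AVCs. With it removed, the patch leaves whatever upstream 2.5.7 has at that point, so please state whether upstream already carries the narrower form or whether the broad `can_exec` on every `exec_type` is intentionally back. The renumbering of the following hunk from `+998,41` to `+990,41` is consistent with the eight dropped lines.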
@@ -718,7 +707,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.5.7/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/corenetwork.if.in 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/corenetwork.if.in 2007-03-01 11:40:30.000000000 -0500
@@ -1034,10 +1034,10 @@
#
interface(`corenet_tcp_sendrecv_reserved_port',`
@@ -857,7 +846,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.5.7/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/corenetwork.te.in 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/corenetwork.te.in 2007-03-01 11:40:30.000000000 -0500
@@ -43,11 +43,16 @@
sid port gen_context(system_u:object_r:port_t,s0)
@@ -900,7 +889,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.5.7/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/corenetwork.te.m4 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/corenetwork.te.m4 2007-03-01 11:40:30.000000000 -0500
@@ -55,8 +55,8 @@
define(`declare_ports',`dnl
ifelse(eval($3 < 1024),1,`
@@ -914,7 +903,7 @@
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.5.7/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/devices.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/devices.if 2007-03-01 11:40:30.000000000 -0500
@@ -2449,6 +2449,24 @@
########################################
@@ -964,7 +953,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.5.7/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/domain.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/domain.if 2007-03-01 11:40:30.000000000 -0500
@@ -1254,3 +1254,21 @@
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
@@ -989,7 +978,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.5.7/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/domain.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/domain.te 2007-03-01 11:40:30.000000000 -0500
@@ -144,3 +144,25 @@
# act on all domains keys
@@ -1018,7 +1007,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.5.7/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-02-26 14:17:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/files.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/files.if 2007-03-01 11:40:30.000000000 -0500
@@ -110,7 +110,14 @@
## </param>
#
@@ -1136,7 +1125,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.5.7/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/filesystem.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/filesystem.if 2007-03-01 11:40:30.000000000 -0500
@@ -1110,11 +1110,31 @@
type dosfs_t;
')
@@ -1171,7 +1160,7 @@
## <desc>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.5.7/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/kernel.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/kernel.if 2007-03-01 11:40:30.000000000 -0500
@@ -1830,6 +1830,26 @@
########################################
@@ -1211,7 +1200,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.5.7/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/kernel.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/kernel.te 2007-03-01 11:40:30.000000000 -0500
@@ -138,6 +138,8 @@
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -1223,7 +1212,7 @@
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.5.7/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/mls.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/mls.if 2007-03-01 11:40:30.000000000 -0500
@@ -154,6 +154,26 @@
########################################
## <summary>
@@ -1253,7 +1242,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.5.7/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/mls.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/mls.te 2007-03-01 11:40:30.000000000 -0500
@@ -18,6 +18,7 @@
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
@@ -1273,7 +1262,7 @@
attribute privrangetrans;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.5.7/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-02-27 14:37:10.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/selinux.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/selinux.if 2007-03-01 11:40:30.000000000 -0500
@@ -51,6 +51,44 @@
########################################
@@ -1321,7 +1310,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.5.7/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/storage.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/storage.fc 2007-03-01 11:40:30.000000000 -0500
@@ -42,6 +42,7 @@
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -1332,7 +1321,7 @@
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.5.7/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/storage.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/storage.if 2007-03-01 11:40:30.000000000 -0500
@@ -100,6 +100,7 @@
dev_list_all_dev_nodes($1)
@@ -1351,7 +1340,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.5.7/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-02-20 16:35:52.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/terminal.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/terminal.if 2007-03-01 11:40:30.000000000 -0500
@@ -1052,7 +1052,7 @@
')
@@ -1363,7 +1352,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.5.7/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2007-02-20 16:35:52.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/kernel/terminal.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/kernel/terminal.te 2007-03-01 11:40:30.000000000 -0500
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
@@ -1374,7 +1363,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.5.7/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-02-23 16:50:01.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/apache.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/apache.fc 2007-03-01 11:40:30.000000000 -0500
@@ -1,10 +1,5 @@
# temporary hack till genhomedircon is fixed
-ifdef(`targeted_policy',`
@@ -1422,7 +1411,7 @@
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.5.7/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/apache.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/apache.if 2007-03-01 11:40:30.000000000 -0500
@@ -268,6 +268,9 @@
')
@@ -1608,7 +1597,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.5.7/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-02-23 16:50:01.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/apache.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/apache.te 2007-03-01 11:40:30.000000000 -0500
@@ -171,6 +171,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -1647,7 +1636,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.5.7/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/automount.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/automount.te 2007-03-01 11:40:30.000000000 -0500
@@ -69,6 +69,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -1658,7 +1647,7 @@
fs_unmount_all_fs(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.5.7/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/ccs.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/ccs.te 2007-03-01 11:40:30.000000000 -0500
@@ -33,6 +33,7 @@
allow ccs_t self:capability { ipc_lock sys_nice sys_resource sys_admin };
@@ -1669,13 +1658,13 @@
allow ccs_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-2.5.7/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/consolekit.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/consolekit.fc 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1,2 @@
+
+/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-2.5.7/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/consolekit.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/consolekit.if 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1,46 @@
+
+## <summary>policy for consolekit</summary>
@@ -1725,7 +1714,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-2.5.7/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/consolekit.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/consolekit.te 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1,62 @@
+policy_module(consolekit,1.0.0)
+
@@ -1791,7 +1780,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cpucontrol.te serefpolicy-2.5.7/policy/modules/services/cpucontrol.te
--- nsaserefpolicy/policy/modules/services/cpucontrol.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/cpucontrol.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/cpucontrol.te 2007-03-01 11:40:30.000000000 -0500
@@ -91,6 +91,7 @@
kernel_read_system_state(cpuspeed_t)
kernel_read_kernel_sysctls(cpuspeed_t)
@@ -1802,7 +1791,7 @@
domain_use_interactive_fds(cpuspeed_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.5.7/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/cron.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/cron.fc 2007-03-01 11:40:30.000000000 -0500
@@ -45,3 +45,4 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -1810,7 +1799,7 @@
+/var/lib/misc(/.*)? gen_context(system_u:object_r:crond_var_run_t,s0)
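Review bot: the cron.fc entry `/var/lib/misc(/.*)? gen_context(system_u:object_r:crond_var_run_t,s0)` labels a shared state directory, and everything beneath it, with cron's pid-file type. /var/lib/misc is not cron-specific, so files that other packages keep there would also be labeled crond_var_run_t, which widens what cron-related domains can touch and may deny the files' real owners. Narrow the regex to the specific file cron keeps there, or give that file its own type, and add a comment naming the cron implementation that needs it.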
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.5.7/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/cron.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/cron.if 2007-03-01 11:40:30.000000000 -0500
@@ -35,6 +35,7 @@
#
template(`cron_per_role_template',`
@@ -1921,7 +1910,7 @@
# fcron wants an instant update of a crontab change for the administrator
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.5.7/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/cron.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/cron.te 2007-03-01 11:40:30.000000000 -0500
@@ -25,6 +25,9 @@
type cron_log_t;
logging_log_file(cron_log_t)
@@ -2037,7 +2026,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.5.7/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/cvs.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/cvs.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,7 @@
type cvs_t;
type cvs_exec_t;
@@ -2048,7 +2037,7 @@
type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.5.7/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/dbus.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/dbus.if 2007-03-01 11:40:30.000000000 -0500
@@ -69,7 +69,7 @@
# Local policy
#
@@ -2134,7 +2123,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.5.7/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/dhcp.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/dhcp.te 2007-03-01 11:40:30.000000000 -0500
@@ -125,6 +125,8 @@
dbus_system_bus_client_template(dhcpd,dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
@@ -2146,7 +2135,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-2.5.7/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/fail2ban.fc 2007-03-01 11:14:04.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/fail2ban.fc 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
@@ -2154,7 +2143,7 @@
+/var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-2.5.7/policy/modules/services/fail2ban.if
--- nsaserefpolicy/policy/modules/services/fail2ban.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/fail2ban.if 2007-03-01 11:14:04.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/fail2ban.if 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1,87 @@
+
+## <summary>policy for fail2ban</summary>
@@ -2245,7 +2234,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-2.5.7/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/fail2ban.te 2007-03-01 11:16:42.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/fail2ban.te 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1,77 @@
+policy_module(fail2ban,1.0.0)
+
@@ -2326,7 +2315,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.5.7/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-02-28 14:03:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/ftp.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/ftp.te 2007-03-01 11:40:30.000000000 -0500
@@ -190,10 +190,15 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
@@ -2345,7 +2334,7 @@
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.5.7/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/hal.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/hal.fc 2007-03-01 11:40:30.000000000 -0500
@@ -8,4 +8,10 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
@@ -2359,7 +2348,7 @@
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.5.7/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/hal.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/hal.te 2007-03-01 11:40:30.000000000 -0500
@@ -16,9 +16,24 @@
type hald_var_run_t;
files_pid_file(hald_var_run_t)
@@ -2514,7 +2503,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.5.7/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/inetd.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/inetd.te 2007-03-01 11:40:30.000000000 -0500
@@ -140,8 +140,8 @@
mls_fd_use_all_levels(inetd_t)
mls_fd_share_all_levels(inetd_t)
@@ -2537,7 +2526,7 @@
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.5.7/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/mta.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/mta.te 2007-03-01 11:40:30.000000000 -0500
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -2556,7 +2545,7 @@
apache_dontaudit_append_log(system_mail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.5.7/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/nis.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/nis.if 2007-03-01 11:40:30.000000000 -0500
@@ -48,8 +48,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
@@ -2570,7 +2559,7 @@
corenet_tcp_connect_portmap_port($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.5.7/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/nscd.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/nscd.if 2007-03-01 11:40:30.000000000 -0500
@@ -173,3 +173,23 @@
allow $1 nscd_t:nscd *;
@@ -2597,7 +2586,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.5.7/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/nscd.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/nscd.te 2007-03-01 11:40:30.000000000 -0500
@@ -117,6 +117,9 @@
term_dontaudit_use_unallocated_ttys(nscd_t)
term_dontaudit_use_generic_ptys(nscd_t)
@@ -2610,7 +2599,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.5.7/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/pegasus.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/pegasus.if 2007-03-01 11:40:30.000000000 -0500
@@ -1 +1,28 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -2642,7 +2631,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.5.7/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/pegasus.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/pegasus.te 2007-03-01 11:40:30.000000000 -0500
@@ -99,13 +99,12 @@
auth_use_nsswitch(pegasus_t)
@@ -2659,20 +2648,9 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.5.7/policy/modules/services/postfix.fc
---- nsaserefpolicy/policy/modules/services/postfix.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/postfix.fc 2007-03-01 10:20:27.000000000 -0500
-@@ -9,6 +9,7 @@
- /usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
- /usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
- /usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
- /usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
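Review bot: dropping the postfix.fc hunk removes the local `/usr/libexec/postfix/lmtp` entry, and nothing in the Log Message records why. The nsaserefpolicy postfix.te timestamp moving to 2007-03-01 16:15:29 suggests the base was refreshed from upstream; confirm that the refreshed postfix.fc carries the lmtp line, otherwise the binary falls back to a default label on the next relabel instead of postfix_smtp_exec_t. A changelog line stating that the lmtp context is now upstream would make the removal auditable.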
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.5.7/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/postfix.te 2007-03-01 10:20:27.000000000 -0500
+--- nsaserefpolicy/policy/modules/services/postfix.te 2007-03-01 16:15:29.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/postfix.te 2007-03-01 11:40:30.000000000 -0500
@@ -173,6 +173,8 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -2682,17 +2660,9 @@
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(postfix_master_t)
term_dontaudit_use_generic_ptys(postfix_master_t)
-@@ -386,6 +388,7 @@
-
- postfix_list_spool(postfix_pickup_t)
-
-+allow postfix_pickup_t postfix_spool_maildrop_t:dir r_dir_perms;
- read_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
- delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_maildrop_t)
-
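Review bot: the removed `allow postfix_pickup_t postfix_spool_maildrop_t:dir r_dir_perms;` was the only directory-read grant visible beside the two file-level patterns in this hunk, `read_files_pattern` and `delete_files_pattern` on postfix_spool_maildrop_t. If the refreshed upstream postfix.te does not already let postfix_pickup_t list that directory, pickup will be denied when it scans maildrop, so check the rebased source for an equivalent rule and look for dir read AVCs in a test run before shipping 2.5.7-1.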
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.5.7/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/procmail.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/procmail.te 2007-03-01 11:40:30.000000000 -0500
@@ -10,15 +10,19 @@
type procmail_exec_t;
domain_type(procmail_t)
@@ -2737,7 +2707,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.5.7/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/pyzor.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/pyzor.if 2007-03-01 11:40:30.000000000 -0500
@@ -64,6 +64,10 @@
## </param>
#
@@ -2773,7 +2743,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.5.7/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/pyzor.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/pyzor.te 2007-03-01 11:40:30.000000000 -0500
@@ -26,6 +26,9 @@
type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)
@@ -2797,9 +2767,20 @@
kernel_read_kernel_sysctls(pyzor_t)
kernel_read_system_state(pyzor_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-2.5.7/policy/modules/services/radius.te
+--- nsaserefpolicy/policy/modules/services/radius.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/radius.te 2007-03-01 13:19:03.000000000 -0500
+@@ -36,6 +36,7 @@
+ allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
+ allow radiusd_t self:tcp_socket create_stream_socket_perms;
+ allow radiusd_t self:udp_socket create_socket_perms;
++allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow radiusd_t radiusd_etc_t:dir r_dir_perms;
+ read_files_pattern(radiusd_t,radiusd_etc_t,radiusd_etc_t)
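Review bot: the added `allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;` in radius.te has no comment and no changelog entry; the Log Message lists only the upstream update and the fail2ban policy. The read-only permission set is an appropriately narrow scope, but record which AVC denial prompted the rule so it can be pushed upstream or dropped later instead of lingering in the local patch.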
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.5.7/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/ricci.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/ricci.te 2007-03-01 11:40:30.000000000 -0500
@@ -420,6 +420,7 @@
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
@@ -2839,7 +2820,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.5.7/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/rpc.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/rpc.te 2007-03-01 11:40:30.000000000 -0500
@@ -120,16 +120,20 @@
# GSSD local policy
#
@@ -2899,7 +2880,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.5.7/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/rsync.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/rsync.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,7 @@
type rsync_t;
type rsync_exec_t;
@@ -2910,7 +2891,7 @@
type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.5.7/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/samba.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/samba.if 2007-03-01 11:40:30.000000000 -0500
@@ -177,6 +177,27 @@
########################################
@@ -2941,7 +2922,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.5.7/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-02-23 16:50:01.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/samba.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/samba.te 2007-03-01 11:40:30.000000000 -0500
@@ -278,6 +278,10 @@
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -2964,7 +2945,7 @@
allow nmbd_t samba_log_t:dir setattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.5.7/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/setroubleshoot.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/setroubleshoot.te 2007-03-01 11:40:30.000000000 -0500
@@ -74,8 +74,10 @@
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
@@ -2989,7 +2970,7 @@
term_dontaudit_use_generic_ptys(setroubleshootd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.5.7/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/smartmon.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/smartmon.te 2007-03-01 11:40:30.000000000 -0500
@@ -60,6 +60,7 @@
fs_search_auto_mountpoints(fsdaemon_t)
@@ -3000,7 +2981,7 @@
storage_raw_write_fixed_disk(fsdaemon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.5.7/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/spamassassin.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/spamassassin.fc 2007-03-01 11:40:30.000000000 -0500
@@ -7,6 +7,7 @@
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
@@ -3011,7 +2992,7 @@
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-2.5.7/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/spamassassin.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/spamassassin.if 2007-03-01 11:40:30.000000000 -0500
@@ -496,3 +496,44 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
@@ -3059,7 +3040,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.5.7/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/spamassassin.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/spamassassin.te 2007-03-01 11:40:30.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -3126,7 +3107,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-2.5.7/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/squid.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/squid.fc 2007-03-01 11:40:30.000000000 -0500
@@ -12,3 +12,4 @@
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
@@ -3134,7 +3115,7 @@
+/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-2.5.7/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/squid.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/squid.if 2007-03-01 11:40:30.000000000 -0500
@@ -36,7 +36,7 @@
')
@@ -3146,7 +3127,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.5.7/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/squid.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/squid.te 2007-03-01 11:40:30.000000000 -0500
@@ -81,6 +81,8 @@
corenet_tcp_bind_ftp_port(squid_t)
corenet_tcp_bind_gopher_port(squid_t)
@@ -3179,7 +3160,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-2.5.7/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/ssh.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/ssh.fc 2007-03-01 11:40:30.000000000 -0500
@@ -12,8 +12,6 @@
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -3191,7 +3172,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.5.7/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/ssh.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/ssh.if 2007-03-01 11:40:30.000000000 -0500
@@ -728,3 +728,42 @@
dontaudit $1 sshd_key_t:file { getattr read };
@@ -3237,7 +3218,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.5.7/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/ssh.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/ssh.te 2007-03-01 11:40:30.000000000 -0500
@@ -10,11 +10,11 @@
# Type for the ssh-agent executable.
@@ -3262,7 +3243,7 @@
tunable_policy(`ssh_sysadm_login',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.5.7/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/xserver.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/xserver.if 2007-03-01 11:40:30.000000000 -0500
@@ -826,7 +826,7 @@
type xdm_t;
')
@@ -3274,7 +3255,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.5.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/services/xserver.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/services/xserver.te 2007-03-01 11:40:30.000000000 -0500
@@ -345,6 +345,10 @@
')
@@ -3288,17 +3269,38 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.fc serefpolicy-2.5.7/policy/modules/system/application.fc
--- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/application.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/application.fc 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1 @@
+# No application file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-2.5.7/policy/modules/system/application.if
--- nsaserefpolicy/policy/modules/system/application.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/application.if 2007-03-01 10:20:27.000000000 -0500
-@@ -0,0 +1,41 @@
++++ serefpolicy-2.5.7/policy/modules/system/application.if 2007-03-01 12:02:52.000000000 -0500
+@@ -0,0 +1,113 @@
+## <summary>Policy for application domains</summary>
+
+########################################
+## <summary>
++## Make the specified type usable as an application domain.
++## </summary>
++## <param name="type">
++## <summary>
++## Type to be used as a domain type.
++## </summary>
++## </param>
++#
++interface(`application_type',`
++ gen_require(`
++ attribute application_type;
++ ')
++
++ typeattribute $1 application_type;
++
++ # start with basic domain
++ domain_type($1)
++')
++
++########################################
++## <summary>
+## Make the specified type usable for files
+## that are exectuables, such as binary programs.
+## This does not include shared libraries.
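Review bot: in the new `application_type` interface the attribute has the same name as the interface itself (`attribute application_type;` and `typeattribute $1 application_type;` inside the definition of application_type). Interfaces are m4 macros, so the bare token in the body is a candidate for re-expansion when the interface is called; give the attribute a distinct name, use it in both application.if and application.te, and rebuild to confirm the module expands cleanly. Separately, the summary says "application domain" while the param text says "domain type", and "exectuables" in the following summary is misspelled.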
@@ -3336,19 +3338,73 @@
+
+ can_exec($1, application_exec_type)
+')
++
++########################################
++## <summary>
++## Execute all executable files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`application_exec_all',`
++ # Need this dontaudit or command completion fires hundreds of avcs
++ corecmd_dontaudit_exec_all_executables($1)
++ corecmd_exec_bin($1)
++ corecmd_exec_sbin($1)
++ corecmd_exec_shell($1)
++ corecmd_exec_ls($1)
++ corecmd_exec_chroot($1)
++ application_exec($1)
++')
++
++########################################
++## <summary>
++## Create a domain which can be started by users
++## </summary>
++## <param name="domain">
++## <summary>
++## Type to be used as a domain.
++## </summary>
++## </param>
++## <param name="entry_point">
++## <summary>
++## Type of the program to be used as an entry point to this domain.
++## </summary>
++## </param>
++#
++interface(`application_domain',`
++
++ application_type($1)
++ application_executable_file($2)
++ domain_entry_file($1,$2)
++ role system_r types $1;
++
++ optional_policy(`
++ ssh_sigchld($1)
++ ssh_rw_stream_sockets($1)
++ ')
++
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-2.5.7/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/application.te 2007-03-01 10:20:27.000000000 -0500
-@@ -0,0 +1,6 @@
++++ serefpolicy-2.5.7/policy/modules/system/application.te 2007-03-01 11:57:33.000000000 -0500
+@@ -0,0 +1,9 @@
+
+policy_module(application,1.0.0)
+
++# Attribute of user applications
++attribute application_type;
++
+# Executables to be run by user
+attribute application_exec_type;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.5.7/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/authlogin.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/authlogin.if 2007-03-01 11:40:30.000000000 -0500
@@ -152,21 +152,12 @@
## </param>
#
@@ -3478,7 +3534,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.5.7/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/authlogin.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/authlogin.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,7 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -3498,7 +3554,7 @@
corecmd_search_sbin(system_chkpwd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.5.7/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/fstools.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/fstools.fc 2007-03-01 11:40:30.000000000 -0500
@@ -19,7 +19,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -3509,7 +3565,7 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.5.7/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/fstools.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/fstools.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -3520,7 +3576,7 @@
type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.5.7/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/getty.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/getty.te 2007-03-01 11:40:30.000000000 -0500
@@ -33,7 +33,8 @@
#
@@ -3533,7 +3589,7 @@
allow getty_t self:fifo_file rw_fifo_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.5.7/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/hostname.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/hostname.te 2007-03-01 11:40:30.000000000 -0500
@@ -8,8 +8,12 @@
type hostname_t;
@@ -3562,7 +3618,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.5.7/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-02-26 14:17:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/init.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/init.if 2007-03-01 11:40:30.000000000 -0500
@@ -202,11 +202,14 @@
gen_require(`
type initrc_t;
@@ -3643,7 +3699,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.5.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-02-26 14:17:21.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/init.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/init.te 2007-03-01 11:40:30.000000000 -0500
@@ -205,8 +205,7 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -3703,7 +3759,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-2.5.7/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/ipsec.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/ipsec.if 2007-03-01 11:40:30.000000000 -0500
@@ -111,3 +111,103 @@
files_search_pids($1)
manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
@@ -3810,7 +3866,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.5.7/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/iptables.te 2007-03-01 11:15:04.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/iptables.te 2007-03-01 11:40:30.000000000 -0500
@@ -77,9 +77,10 @@
userdom_use_all_users_fds(iptables_t)
@@ -3834,7 +3890,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.5.7/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/locallogin.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/locallogin.te 2007-03-01 11:40:30.000000000 -0500
@@ -48,6 +48,8 @@
allow local_login_t self:msgq create_msgq_perms;
allow local_login_t self:msg { send receive };
@@ -3864,7 +3920,7 @@
corecmd_read_sbin_symlinks(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.5.7/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-02-23 16:50:01.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/logging.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/logging.te 2007-03-01 11:40:30.000000000 -0500
@@ -328,6 +328,9 @@
corenet_tcp_bind_all_nodes(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
@@ -3886,7 +3942,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-2.5.7/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/lvm.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/lvm.if 2007-03-01 11:40:30.000000000 -0500
@@ -63,10 +63,31 @@
#
interface(`lvm_read_config',`
@@ -3922,7 +3978,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.5.7/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/lvm.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/lvm.te 2007-03-01 11:40:30.000000000 -0500
@@ -46,7 +46,7 @@
allow clvmd_t self:capability { sys_admin mknod };
@@ -3984,7 +4040,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.5.7/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/modutils.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/modutils.te 2007-03-01 11:40:30.000000000 -0500
@@ -54,6 +54,8 @@
can_exec(insmod_t, insmod_exec_t)
@@ -4004,7 +4060,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.5.7/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/mount.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/mount.te 2007-03-01 11:40:30.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -4041,7 +4097,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.5.7/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.fc 2007-03-01 11:40:30.000000000 -0500
@@ -40,7 +40,9 @@
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
@@ -4054,7 +4110,7 @@
# /var/run
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.5.7/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.if 2007-03-01 11:40:30.000000000 -0500
@@ -616,7 +616,7 @@
gen_require(`
type selinux_config_t;
@@ -4201,7 +4257,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.5.7/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te 2007-03-01 12:03:00.000000000 -0500
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.4.1)
@@ -4215,26 +4271,103 @@
')
########################################
-@@ -108,6 +106,18 @@
- domain_entry_file(semanage_t, semanage_exec_t)
- role system_r types semanage_t;
+@@ -26,11 +24,8 @@
+ files_type(selinux_config_t)
+ type checkpolicy_t, can_write_binary_policy;
+-domain_type(checkpolicy_t)
+-role system_r types checkpolicy_t;
+-
+ type checkpolicy_exec_t;
+-domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
++application_domain(checkpolicy_t, checkpolicy_exec_t)
+
+ #
+ # default_context_t is the type applied to
+@@ -47,20 +42,15 @@
+ files_type(file_context_t)
+
+ type load_policy_t;
+-domain_type(load_policy_t)
+-role system_r types load_policy_t;
+-
+ type load_policy_exec_t;
+-domain_entry_file(load_policy_t,load_policy_exec_t)
++application_domain(load_policy_t,load_policy_exec_t)
+
+ type newrole_t;
++type newrole_exec_t;
++application_domain(newrole_t,newrole_exec_t)
++domain_interactive_fd(newrole_t)
+ domain_role_change_exemption(newrole_t)
+ domain_obj_id_change_exemption(newrole_t)
+-domain_type(newrole_t)
+-domain_interactive_fd(newrole_t)
+-
+-type newrole_exec_t;
+-domain_entry_file(newrole_t,newrole_exec_t)
+
+ #
+ # policy_config_t is the type of /etc/security/selinux/*
+@@ -83,30 +73,34 @@
+ type restorecon_exec_t;
+ domain_obj_id_change_exemption(restorecon_t)
+ init_system_domain(restorecon_t,restorecon_exec_t)
+-role system_r types restorecon_t;
++application_type($1)
+
+ type restorecond_t;
+ type restorecond_exec_t;
+ init_daemon_domain(restorecond_t,restorecond_exec_t)
+ domain_obj_id_change_exemption(restorecond_t)
+-role system_r types restorecond_t;
+
+ type restorecond_var_run_t;
+ files_pid_file(restorecond_var_run_t)
+
+ type run_init_t;
+ type run_init_exec_t;
+-domain_type(run_init_t)
+-domain_entry_file(run_init_t,run_init_exec_t)
++application_domain(run_init_t)
+ domain_system_change_exemption(run_init_t)
+
+ type semanage_t;
+-domain_type(semanage_t)
++type semanage_exec_t;
++application_domain(semanage_t, semanage_exec_t)
+ domain_interactive_fd(semanage_t)
+
+-type semanage_exec_t;
+-domain_entry_file(semanage_t, semanage_exec_t)
+-role system_r types semanage_t;
+type semanage_gui_t;
-+domain_type(semanage_gui_t)
-+domain_interactive_fd(semanage_gui_t)
-+
+type semanage_gui_exec_t;
-+domain_entry_file(semanage_gui_t, semanage_gui_exec_t)
-+role system_r types semanage_gui_t;
++application_domain(semanage_gui_t, semanage_gui_exec_t)
++domain_interactive_fd(semanage_gui_t)
+
+ifdef(`targeted_policy',`
+init_system_domain(semanage_t, semanage_exec_t)
+')
-+
+
type semanage_store_t;
files_type(semanage_store_t)
+@@ -121,12 +115,9 @@
+ files_type(semanage_trans_lock_t)
-@@ -195,6 +205,7 @@
+ type setfiles_t, can_relabelto_binary_policy;
+-domain_obj_id_change_exemption(setfiles_t)
+-domain_type(setfiles_t)
+-role system_r types setfiles_t;
+-
+ type setfiles_exec_t;
+-domain_entry_file(setfiles_t,setfiles_exec_t)
++application_domain(setfiles_t,setfiles_exec_t)
++domain_obj_id_change_exemption(setfiles_t)
+
+ ifdef(`distro_redhat',`
+ init_system_domain(setfiles_t,setfiles_exec_t)
+@@ -195,6 +186,7 @@
fs_getattr_xattr_fs(load_policy_t)
mls_file_read_up(load_policy_t)
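Review bot: `application_type($1)` in the restorecon block of selinuxutil.te (inner hunk `@@ -83,30 +73,34 @@`) uses an interface parameter at the top level of a .te file, where `$1` is not bound to anything. It looks copied from an interface body; name the type explicitly (presumably `restorecon_t`) or drop the line. In the same inner hunk, `application_domain(run_init_t)` is called with a single argument, while every other call added here passes the domain and its entry-point type. The `domain_entry_file(run_init_t,run_init_exec_t)` line it replaces is removed, so `run_init_exec_t` should be passed as the second argument. The removed `role system_r types ...` lines for restorecon_t, restorecond_t, semanage_t and setfiles_t also deserve a sentence in the changelog saying which macro now provides the role association.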
@@ -4242,7 +4375,7 @@
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
-@@ -310,15 +321,13 @@
+@@ -310,15 +302,13 @@
userdom_dontaudit_search_all_users_home_content(newrole_t)
userdom_search_all_users_home_dirs(newrole_t)
@@ -4265,7 +4398,7 @@
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(newrole_t)
-@@ -557,82 +566,12 @@
+@@ -557,82 +547,12 @@
########################################
#
@@ -4352,27 +4485,14 @@
########################################
#
-@@ -707,3 +646,17 @@
+@@ -707,3 +627,4 @@
unconfined_dontaudit_read_pipes(setfiles_t)
')
')
+
-+optional_policy(`
-+ ssh_sigchld(run_init_t)
-+ ssh_rw_stream_sockets(run_init_t)
-+ ssh_sigchld(setfiles_t)
-+ ssh_rw_stream_sockets(setfiles_t)
-+ ssh_sigchld(semanage_t)
-+ ssh_rw_stream_sockets(semanage_t)
-+ ssh_sigchld(restorecon_t)
-+ ssh_rw_stream_sockets(restorecon_t)
-+ ssh_sigchld(load_policy_t)
-+ ssh_rw_stream_sockets(load_policy_t)
-+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.5.7/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/unconfined.fc 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/unconfined.fc 2007-03-01 11:40:30.000000000 -0500
@@ -10,4 +10,5 @@
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
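Review bot: The `optional_policy` block at the end of selinuxutil.te that granted `ssh_sigchld` and `ssh_rw_stream_sockets` to run_init_t, setfiles_t, semanage_t, restorecon_t and load_policy_t is dropped from the patch, but the log message lists only the upstream update and the fail2ban policy. Please record why these rules are no longer needed, or confirm that the tools still behave when run from an ssh session. What remains of the inner hunk (`@@ -707,3 +627,4 @@`) only appends a blank line to the file, so it can be dropped from the patch.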
@@ -4381,7 +4501,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.5.7/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/unconfined.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/unconfined.te 2007-03-01 11:40:30.000000000 -0500
@@ -50,6 +50,8 @@
userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
@@ -4431,7 +4551,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.5.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/userdomain.if 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/userdomain.if 2007-03-01 11:44:07.000000000 -0500
@@ -115,6 +115,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
@@ -4451,6 +4571,15 @@
init_read_utmp($1_t)
# The library functions always try to open read-write first,
+@@ -995,7 +1000,7 @@
+ manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+ filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
+
+- corecmd_exec_all_executables($1_t)
++ application_exec_all($1_t)
+
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
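Review bot: Replacing `corecmd_exec_all_executables($1_t)` with `application_exec_all($1_t)` in userdomain.if (inner hunk `@@ -995,7 +1000,7 @@`) changes what every user domain built from this template may execute, yet the log message does not mention it. Add a changelog line for the change, and check that entry-point types still declared only with `domain_entry_file` elsewhere in the policy, rather than converted to `application_domain` as in selinuxutil.te, remain executable by user domains where that is intended.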
@@ -1368,11 +1373,7 @@
## <rolecap/>
#
@@ -4835,7 +4964,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.5.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/userdomain.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/userdomain.te 2007-03-01 11:40:30.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -4926,7 +5055,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.5.7/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.7/policy/modules/system/xen.te 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/modules/system/xen.te 2007-03-01 11:40:30.000000000 -0500
@@ -166,8 +166,13 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
@@ -4981,7 +5110,7 @@
+fs_read_dos_files(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-2.5.7/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-01-02 12:57:51.000000000 -0500
-+++ serefpolicy-2.5.7/policy/support/obj_perm_sets.spt 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/policy/support/obj_perm_sets.spt 2007-03-01 11:40:30.000000000 -0500
@@ -215,7 +215,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -4993,7 +5122,7 @@
define(`write_file_perms',`{ getattr write append lock ioctl }')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.5.7/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-16 17:15:29.000000000 -0500
-+++ serefpolicy-2.5.7/Rules.modular 2007-03-01 10:20:27.000000000 -0500
++++ serefpolicy-2.5.7/Rules.modular 2007-03-01 11:40:30.000000000 -0500
@@ -219,6 +219,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.404
retrieving revision 1.405
diff -u -r1.404 -r1.405
--- selinux-policy.spec 1 Mar 2007 16:30:20 -0000 1.404
+++ selinux-policy.spec 1 Mar 2007 21:57:47 -0000 1.405
@@ -166,7 +166,7 @@
%description
SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision 2202.
+Based off of reference policy: Checked out revision 2204.
%prep
%setup -q -n serefpolicy-%{version}
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- sources 28 Feb 2007 21:23:19 -0000 1.111
+++ sources 1 Mar 2007 21:57:47 -0000 1.112
@@ -1 +1 @@
-93a369ee1cbb25856d699acfc94cfb11 serefpolicy-2.5.6.tgz
+5209f5a625764686415aac33935756f5 serefpolicy-2.5.7.tgz