rpms/selinux-policy/FC-6 policy-20061106.patch, 1.53, 1.54 policy-apcupsd.patch, 1.3, 1.4 policy-fusermount.patch, 1.4, 1.5 selinux-policy.spec, 1.373, 1.374
fedora-cvs-commits at redhat.com
Tue Sep 4 14:00:32 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv29656
Modified Files:
policy-20061106.patch policy-apcupsd.patch
policy-fusermount.patch selinux-policy.spec
Log Message:
* Sat Sep 1 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-88
- Cleanup of fusermount/mount-ntfs and apcupsd to match rawhide
- Allow cimserver to create pegasus_data directories
Resolves: #213809
- Allow dmidecode to search sysfs_t
Resolves: #263141
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/default_contexts | 6
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 21
policy/flask/security_classes | 8
policy/global_tunables | 94 +++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.fc | 3
policy/modules/admin/alsa.te | 15
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 11
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 57 ++
policy/modules/admin/amtu.te | 56 ++
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 15
policy/modules/admin/consoletype.te | 21
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 6
policy/modules/admin/firstboot.if | 24 -
policy/modules/admin/kudzu.te | 14
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 22
policy/modules/admin/netutils.te | 19
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 25 -
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 104 ++++
policy/modules/admin/rpm.te | 49 --
policy/modules/admin/su.if | 38 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 13
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.if | 2
policy/modules/admin/usermanage.te | 58 ++
policy/modules/admin/vbetool.te | 1
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 107 ++++
policy/modules/apps/evolution.te | 1
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 ++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 70 +++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 39 -
policy/modules/apps/mozilla.if | 208 +++++++--
policy/modules/apps/mplayer.if | 84 +++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 7
policy/modules/apps/thunderbird.if | 81 +++
policy/modules/apps/userhelper.if | 20
policy/modules/apps/webalizer.te | 6
policy/modules/apps/wine.fc | 1
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 30 +
policy/modules/kernel/corecommands.if | 77 +++
policy/modules/kernel/corenetwork.if.in | 140 ++++++
policy/modules/kernel/corenetwork.te.in | 16
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 56 ++
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 80 +++
policy/modules/kernel/domain.te | 26 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 279 +++++++++++-
policy/modules/kernel/filesystem.if | 62 ++
policy/modules/kernel/filesystem.te | 30 +
policy/modules/kernel/kernel.if | 84 +++
policy/modules/kernel/kernel.te | 22
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 4
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 2
policy/modules/kernel/terminal.if | 21
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.te | 11
policy/modules/services/amavis.if | 19
policy/modules/services/amavis.te | 4
policy/modules/services/apache.fc | 18
policy/modules/services/apache.if | 157 ++++++
policy/modules/services/apache.te | 61 ++
policy/modules/services/apm.te | 3
policy/modules/services/arpwatch.te | 5
policy/modules/services/audioentropy.te | 4
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 15
policy/modules/services/avahi.if | 40 +
policy/modules/services/avahi.te | 10
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 12
policy/modules/services/bluetooth.te | 10
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 25 -
policy/modules/services/clamav.te | 3
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 105 ++--
policy/modules/services/cron.te | 58 ++
policy/modules/services/cups.fc | 5
policy/modules/services/cups.te | 19
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 6
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 66 ++
policy/modules/services/dbus.te | 4
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 3
policy/modules/services/dovecot.fc | 2
policy/modules/services/dovecot.if | 44 +
policy/modules/services/dovecot.te | 73 ++-
policy/modules/services/fail2ban.fc | 3
policy/modules/services/fail2ban.if | 80 +++
policy/modules/services/fail2ban.te | 74 +++
policy/modules/services/ftp.te | 21
policy/modules/services/hal.fc | 14
policy/modules/services/hal.if | 160 ++++++
policy/modules/services/hal.te | 177 +++++++
policy/modules/services/inetd.te | 34 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 25 +
policy/modules/services/kerberos.te | 21
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 75 ++-
policy/modules/services/lpd.te | 5
policy/modules/services/mailman.if | 20
policy/modules/services/mailman.te | 1
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 20
policy/modules/services/mta.te | 3
policy/modules/services/munin.te | 5
policy/modules/services/nagios.fc | 6
policy/modules/services/nagios.te | 14
policy/modules/services/networkmanager.fc | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 7
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 39 +
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 31 -
policy/modules/services/ntp.te | 10
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 5
policy/modules/services/openca.if | 4
policy/modules/services/openca.te | 2
policy/modules/services/openct.te | 2
policy/modules/services/openvpn.te | 20
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 ++
policy/modules/services/pcscd.te | 79 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 13
policy/modules/services/portmap.te | 5
policy/modules/services/portslave.te | 1
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 45 +
policy/modules/services/postfix.te | 94 ++++
policy/modules/services/ppp.te | 2
policy/modules/services/procmail.te | 32 +
policy/modules/services/pyzor.if | 18
policy/modules/services/pyzor.te | 13
policy/modules/services/radius.te | 3
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 26 +
policy/modules/services/rlogin.te | 11
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.if | 3
policy/modules/services/rpc.te | 27 -
policy/modules/services/rshd.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 6
policy/modules/services/samba.if | 101 ++++
policy/modules/services/samba.te | 100 +++-
policy/modules/services/sasl.te | 14
policy/modules/services/sendmail.if | 22
policy/modules/services/sendmail.te | 22
policy/modules/services/setroubleshoot.if | 20
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 20
policy/modules/services/soundserver.te | 4
policy/modules/services/spamassassin.fc | 5
policy/modules/services/spamassassin.if | 42 +
policy/modules/services/spamassassin.te | 26 -
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 21
policy/modules/services/squid.te | 16
policy/modules/services/ssh.if | 83 +++
policy/modules/services/ssh.te | 14
policy/modules/services/telnet.te | 3
policy/modules/services/tftp.te | 3
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++
policy/modules/services/uucp.te | 44 +
policy/modules/services/uwimap.te | 1
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 211 +++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 180 +++++++
policy/modules/system/authlogin.te | 47 +-
policy/modules/system/clock.te | 18
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.if | 19
policy/modules/system/fstools.te | 18
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19
policy/modules/system/init.if | 75 +++
policy/modules/system/init.te | 51 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 ++++
policy/modules/system/ipsec.te | 121 +++++
policy/modules/system/iptables.te | 28 -
policy/modules/system/libraries.fc | 44 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 11
policy/modules/system/logging.fc | 5
policy/modules/system/logging.if | 61 ++
policy/modules/system/logging.te | 36 +
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 44 +
policy/modules/system/lvm.te | 95 +++-
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 +++
policy/modules/system/modutils.te | 38 +
policy/modules/system/mount.te | 37 +
policy/modules/system/netlabel.te | 10
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 16
policy/modules/system/selinuxutil.fc | 10
policy/modules/system/selinuxutil.if | 124 +++++
policy/modules/system/selinuxutil.te | 138 ++---
policy/modules/system/sysnetwork.if | 2
policy/modules/system/sysnetwork.te | 14
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/udev.te | 22
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 22
policy/modules/system/unconfined.te | 23
policy/modules/system/userdomain.if | 622 +++++++++++++++++++++++----
policy/modules/system/userdomain.te | 117 ++---
policy/modules/system/xen.fc | 2
policy/modules/system/xen.if | 64 ++
policy/modules/system/xen.te | 65 ++
policy/support/*Warnings* | 189 ++++++++
policy/support/file_patterns.spt | 534 +++++++++++++++++++++++
policy/support/misc_macros.spt | 8
policy/support/obj_perm_sets.spt | 144 ++++++
270 files changed, 8331 insertions(+), 842 deletions(-)
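Review bot: the diffstat lists `policy/support/*Warnings*` with 189 added lines; a file by that name is an editor's warnings buffer that was saved into the tree, not a policy support file, and it should be removed from the patch before this is committed.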
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- policy-20061106.patch 17 Jul 2007 20:21:05 -0000 1.53
+++ policy-20061106.patch 4 Sep 2007 14:00:29 -0000 1.54
@@ -363,6 +363,62 @@
type acct_data_t;
logging_log_file(acct_data_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-2.4.6/policy/modules/admin/alsa.fc
+--- nsaserefpolicy/policy/modules/admin/alsa.fc 2006-11-29 12:04:48.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/alsa.fc 2007-08-24 16:06:30.000000000 -0400
+@@ -1,4 +1,7 @@
+
+ /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
++/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
++/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+ /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
++/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-2.4.6/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te 2006-11-29 12:04:48.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/alsa.te 2007-08-24 16:05:49.000000000 -0400
+@@ -20,19 +20,26 @@
+ # Local policy
+ #
+
+-allow alsa_t self:capability { setgid setuid ipc_owner };
++allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+ dontaudit alsa_t self:capability sys_admin;
+ allow alsa_t self:sem create_sem_perms;
+ allow alsa_t self:shm create_shm_perms;
+ allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+ allow alsa_t self:unix_dgram_socket create_socket_perms;
+
++dev_read_sound(alsa_t)
++dev_write_sound(alsa_t)
++
++files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+ allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
+ allow alsa_t alsa_etc_rw_t:file create_file_perms;
+ allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
+
++files_search_home(alsa_t)
+ files_read_etc_files(alsa_t)
+
++kernel_read_system_state(alsa_t)
++
+ term_use_generic_ptys(alsa_t)
+ term_dontaudit_use_unallocated_ttys(alsa_t)
+
+@@ -45,7 +52,13 @@
+
+ userdom_manage_unpriv_user_semaphores(alsa_t)
+ userdom_manage_unpriv_user_shared_mem(alsa_t)
++userdom_search_generic_user_home_dirs(alsa_t)
+
+ optional_policy(`
+ nscd_socket_use(alsa_t)
+ ')
++
++optional_policy(`
++ hal_use_fds(alsa_t)
++ hal_write_log(alsa_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.4.6/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2006-11-29 12:04:48.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2007-05-22 12:40:26.000000000 -0400
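Review bot: `allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner }` hands alsactl a blanket DAC bypass, while the rules added alongside it (files_search_home, userdom_search_generic_user_home_dirs) point at a read/search need, namely traversing user home directories. The kernel tests dac_override before dac_read_search, so the usual refpolicy shape for a read-only need is `allow ... dac_read_search` plus `dontaudit alsa_t self:capability dac_override`; keep the allow on dac_override only if an AVC shows an open-for-write being refused, and say which in a comment. Two smaller points: `files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)` covers files only, yet alsa.fc now labels `/etc/asound(/.*)?` as a tree, so a directory alsactl creates under /etc at runtime would land as etc_t (use `{ file dir }` if it creates that directory); and `/sbin/alsactl` gets alsa_exec_t but no domain transition into alsa_t for it is visible in this patch, so confirm an init script or hald rule transitions, otherwise the new label is inert.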
@@ -584,7 +640,7 @@
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-11-29 12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2007-07-06 09:36:29.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2007-08-24 15:55:40.000000000 -0400
@@ -93,6 +93,8 @@
fs_manage_dos_files(bootloader_t)
@@ -604,13 +660,14 @@
# new file system defaults to file_t, granting file_t access is still bad.
files_manage_isid_type_dirs(bootloader_t)
files_manage_isid_type_files(bootloader_t)
-@@ -218,3 +217,12 @@
+@@ -218,3 +217,13 @@
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
')
+
+optional_policy(`
+ hal_dontaudit_append_lib_files(bootloader_t)
++ hal_write_log(bootloader_t)
+')
+
+optional_policy(`
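Review bot: `hal_write_log(bootloader_t)` gives the bootloader domain write access to hald's log file type, and the same interface is granted to alsa_t and vbetool_t elsewhere in this patch; that pattern is the signature of hald spawning helpers with its log file still open on stdout/stderr. If that is the cause, the narrower fix is hal_use_fds plus a dontaudit of the write (or hald closing the log fd before exec), since a bootloader run appending to hald's log is not a feature anyone wants. If the write really is intended, a one-line comment naming hald as the caller would explain why this block exists.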
@@ -714,8 +771,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-2.4.6/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2006-11-29 12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/dmidecode.te 2007-05-22 12:40:26.000000000 -0400
-@@ -38,3 +38,8 @@
++++ serefpolicy-2.4.6/policy/modules/admin/dmidecode.te 2007-08-30 10:26:48.000000000 -0400
+@@ -22,6 +22,7 @@
+
+ # Allow dmidecode to read /dev/mem
+ dev_read_raw_memory(dmidecode_t)
++dev_search_sysfs(dmidecode_t)
+
+ mls_file_read_up(dmidecode_t)
+
+@@ -38,3 +39,8 @@
term_use_generic_ptys(dmidecode_t)
term_use_unallocated_ttys(dmidecode_t)
')
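Review bot: `dev_search_sysfs(dmidecode_t)` only grants search on sysfs_t directories. If the denial in #263141 came from dmidecode walking /sys looking for firmware tables it will next need to read files there, and dev_read_sysfs would cover both; check the full AVC sequence in the bug before settling on search-only. Also give the new rule a short comment stating why, as the `# Allow dmidecode to read /dev/mem` line above does for dev_read_raw_memory.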
@@ -959,7 +1024,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.6/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2007-07-06 11:23:21.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2007-08-09 14:23:13.000000000 -0400
@@ -18,31 +18,39 @@
type prelink_log_t;
logging_log_file(prelink_log_t)
@@ -1003,15 +1068,17 @@
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
-@@ -57,6 +65,7 @@
+@@ -57,6 +65,9 @@
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
++files_manage_usr_files(prelink_t)
++files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
-@@ -79,11 +88,15 @@
+@@ -79,11 +90,15 @@
ifdef(`targeted_policy',`
term_use_unallocated_ttys(prelink_t)
term_use_generic_ptys(prelink_t)
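Review bot: `files_manage_usr_files(prelink_t)` together with `files_relabelfrom_usr_files(prelink_t)` lets prelink create, overwrite and delete any file labelled usr_t and relabel it away from usr_t, which is far broader than the mislabelled-library case it is presumably chasing (corecmd_manage_all_executables and corecmd_relabel_all_executables a few lines up already cover properly labelled binaries). If the target is libraries under /usr that restorecon has not yet touched, relabelfrom on usr_t plus relabelto the library and executable types is enough; as written a prelink run that is tricked or compromised can rewrite arbitrary content under /usr. Record the motivating denial in a comment next to the rules either way.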
@@ -1729,6 +1796,15 @@
rpm_rw_pipes(useradd_t)
+ rpm_dontaudit_rw_tmp_files(useradd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-2.4.6/policy/modules/admin/vbetool.te
+--- nsaserefpolicy/policy/modules/admin/vbetool.te 2006-11-29 12:04:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/vbetool.te 2007-08-24 16:33:16.000000000 -0400
+@@ -32,4 +32,5 @@
+
+ optional_policy(`
+ hal_rw_pid_files(vbetool_t)
++ hal_write_log(vbetool_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.4.6/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2006-11-29 12:04:48.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/admin/vpn.te 2007-05-22 12:40:26.000000000 -0400
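Review bot: `hal_write_log(vbetool_t)` is the third domain in this patch granted write on hald's log type (after alsa_t and bootloader_t). If these helpers simply inherit the log as stdout/stderr from hald, hal_use_fds plus a dontaudit on the write is the usual shape and avoids handing a video BIOS tool write access to another daemon's log; keep the allow only if vbetool's own output is wanted in that log, and say so in a comment so the next reader does not have to guess the caller.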
@@ -3722,8 +3798,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.4.6/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.fc 2007-05-22 12:40:26.000000000 -0400
-@@ -228,6 +228,8 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/files.fc 2007-08-28 09:44:16.000000000 -0400
+@@ -45,7 +45,6 @@
+ /etc -d gen_context(system_u:object_r:etc_t,s0)
+ /etc/.* gen_context(system_u:object_r:etc_t,s0)
+ /etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -228,6 +227,8 @@
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -3734,7 +3818,7 @@
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
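Review bot: removing `/etc/asound\.state` from etc_runtime_t here while alsa.fc earlier in this patch claims it as alsa_etc_rw_t changes the label of a file that already exists on installed systems. Unless the spec's %post (modified in this commit but not shown here) relabels it, alsa_t on upgraded hosts still meets an etc_runtime_t file and the writes this move is meant to permit keep failing; a restorecon of that path on upgrade should accompany the change. Note also that the new alsa.fc pattern `/etc/asound(/.*)?` does not cover `/etc/asound.conf`, which stays etc_t; that is fine if alsactl only reads it, but worth a comment.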
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2007-08-27 09:58:30.000000000 -0400
@@ -353,8 +353,7 @@
########################################
@@ -3810,7 +3894,7 @@
allow $1 mountpoint:file { getattr mounton };
')
-@@ -3242,6 +3276,25 @@
+@@ -3242,6 +3276,80 @@
########################################
## <summary>
@@ -3833,10 +3917,65 @@
+
+########################################
+## <summary>
++## dontaudit Add and remove entries from /usr directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_rw_usr_dirs',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ dontaudit $1 usr_t:dir rw_dir_perms;
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete files in the /usr directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_usr_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ manage_files_pattern($1, usr_t, usr_t)
++')
++
++########################################
++## <summary>
++## Relabel a file from the type used in /usr.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelfrom_usr_files',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ relabelfrom_files_pattern($1,usr_t,usr_t)
++')
++
++
++########################################
++## <summary>
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3543,6 +3596,24 @@
+@@ -3543,6 +3651,24 @@
########################################
## <summary>
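Review bot: style and scope points on the three new interfaces. `relabelfrom_files_pattern($1,usr_t,usr_t)` lacks the spaces after commas that `manage_files_pattern($1, usr_t, usr_t)` just above it uses, and there is a doubled blank line before the following `####` separator. More substantively, the `<summary>` of files_manage_usr_files says "files in the /usr directory", which undersells it: usr_t covers the whole /usr tree, so the summary should say so plainly, and the summary of files_dontaudit_rw_usr_dirs should read "Do not audit attempts to add and remove entries from /usr directories" to match the phrasing of the other dontaudit interfaces in this file.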
@@ -3861,7 +4000,7 @@
## Do not audit attempts to search
## the contents of /var.
## </summary>
-@@ -3612,7 +3683,7 @@
+@@ -3612,7 +3738,7 @@
type var_t;
')
@@ -3870,7 +4009,7 @@
allow $1 var_t:file r_file_perms;
')
-@@ -3823,7 +3894,8 @@
+@@ -3823,7 +3949,8 @@
type var_t, var_lib_t;
')
@@ -3880,7 +4019,7 @@
allow $1 var_lib_t:file r_file_perms;
')
-@@ -4471,14 +4543,16 @@
+@@ -4471,14 +4598,16 @@
type poly_t;
')
@@ -3899,7 +4038,7 @@
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
-@@ -4491,11 +4565,13 @@
+@@ -4491,11 +4620,13 @@
allow $1 self:process setfscreate;
allow $1 polymember: dir { create setattr relabelto };
allow $1 polydir: dir { write add_name };
@@ -3914,7 +4053,7 @@
')
########################################
-@@ -4559,3 +4635,133 @@
+@@ -4559,3 +4690,133 @@
typealias etc_runtime_t alias $1;
')
@@ -4239,7 +4378,7 @@
+fs_associate(noxattrfs)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.4.6/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/kernel.if 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/kernel.if 2007-08-29 06:08:16.000000000 -0400
@@ -1855,6 +1855,26 @@
########################################
@@ -4709,7 +4848,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.6/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.fc 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apache.fc 2007-08-20 15:02:07.000000000 -0400
@@ -21,7 +21,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -4726,7 +4865,7 @@
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -75,8 +75,23 @@
+@@ -75,8 +75,24 @@
ifdef(`strict_policy',`
/var/spool/cron/apache -- gen_context(system_u:object_r:user_cron_spool_t,s0)
')
@@ -4750,6 +4889,7 @@
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
++/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
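Review bot: `/var/www/html/[^/]*/cgi-bin(/.*)?` makes every `cgi-bin` directory one level below the default DocumentRoot executable as httpd_sys_script_exec_t. That widens what Apache may execute purely by labelling: a web application that can create `<name>/cgi-bin/` content there, or an administrator who runs restorecon over an untrusted upload in such a path, now has a CGI entry point where before the content was plain httpd_sys_content_t. If per-vhost CGI is the goal, say so in a comment and confirm execution of that type is still gated by the httpd_enable_cgi boolean; also group the entry with the other /var/www rules rather than appending it after the bugzilla block.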
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.4.6/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/apache.if 2007-05-22 12:40:26.000000000 -0400
@@ -4937,7 +5077,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.te 2007-07-03 10:49:14.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apache.te 2007-08-27 09:58:14.000000000 -0400
@@ -129,7 +129,7 @@
# Apache server local policy
#
@@ -5019,7 +5159,41 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
-@@ -645,7 +662,8 @@
+@@ -515,7 +532,6 @@
+ allow httpd_suexec_t self:capability { setuid setgid };
+ allow httpd_suexec_t self:process signal_perms;
+ allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+-allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
+
+ ifdef(`targeted_policy',`
+ gen_tunable(httpd_suexec_disable_trans,false)
+@@ -537,6 +553,10 @@
+ allow httpd_suexec_t httpd_suexec_tmp_t:file create_file_perms;
+ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
++auth_use_nsswitch(httpd_suexec_t)
++
++can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
++
+ kernel_read_kernel_sysctls(httpd_suexec_t)
+ kernel_list_proc(httpd_suexec_t)
+ kernel_read_proc_symlinks(httpd_suexec_t)
+@@ -628,14 +648,6 @@
+ nagios_domtrans_cgi(httpd_suexec_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(httpd_suexec_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(httpd_suexec_t)
+-')
+-
+ ########################################
+ #
+ # Apache system script local policy
+@@ -645,7 +657,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
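Review bot: `can_exec(httpd_suexec_t, httpd_sys_script_exec_t)` is an unconditional execute_no_trans, so a script run this way keeps executing as httpd_suexec_t, a domain this same hunk shows holding `capability { setuid setgid }`. If the existing policy already transitions suexec into httpd_sys_script_t for these scripts under httpd_enable_cgi, that transition wins whenever it applies and the new rule only takes effect when the boolean is off, which is exactly when a CGI should not run at all, let alone inside the setuid-capable suexec domain. Either gate the can_exec on httpd_enable_cgi or replace it with the domain transition. Replacing the netlink_route_socket rule and the nis/nscd optional blocks with `auth_use_nsswitch(httpd_suexec_t)` is a clean consolidation; no objection there.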
@@ -5029,7 +5203,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir r_dir_perms;
allow httpd_sys_script_t squirrelmail_spool_t:file r_file_perms;
-@@ -659,6 +677,8 @@
+@@ -659,6 +672,8 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -5038,15 +5212,17 @@
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file { getattr append };
')
-@@ -695,6 +715,7 @@
+@@ -694,7 +709,9 @@
+ ')
optional_policy(`
++ files_dontaudit_rw_usr_dirs(httpd_t)
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
########################################
-@@ -704,6 +725,8 @@
+@@ -704,6 +721,8 @@
allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
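Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is inserted inside the `optional_policy(` block that wraps the snmp interfaces, so it silently disappears whenever the snmp module is not loaded even though it has nothing to do with snmp; move it out to the unconditional httpd_t rules. Separately, `snmp_dontaudit_write_snmp_var_lib_files(httpd_t)` hides a write denial: if httpd or a module it loads really writes to snmp's var/lib files the right fix is an allow, and if the write is spurious a comment on what triggers it keeps the dontaudit honest.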
@@ -5055,7 +5231,7 @@
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-@@ -714,9 +737,27 @@
+@@ -714,9 +733,27 @@
libs_use_ld_so(httpd_rotatelogs_t)
libs_use_shared_libs(httpd_rotatelogs_t)
@@ -5173,7 +5349,7 @@
# /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/automount.te 2007-07-01 21:22:12.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/automount.te 2007-08-21 13:39:00.000000000 -0400
@@ -13,8 +13,7 @@
type automount_var_run_t;
files_pid_file(automount_var_run_t)
@@ -5219,6 +5395,18 @@
dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t)
+@@ -190,6 +188,11 @@
+ ')
+
+ optional_policy(`
++ samba_read_config(automount_t)
++ samba_read_var_files(automount_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(automount_t)
+ ')
+
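Review bot: `samba_read_var_files(automount_t)` grants read on every file of the samba var type, not just the one automount tripped over while mounting a CIFS share; check the AVC to see whether `samba_read_config(automount_t)`, the other interface in this hunk, already satisfies it, and add a comment naming the mount helper that needs it so the scope is justified next to the rule.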
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-2.4.6/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/avahi.if 2007-05-22 12:40:26.000000000 -0400
@@ -5320,8 +5508,28 @@
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.4.6/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/bind.te 2007-05-22 12:40:26.000000000 -0400
-@@ -236,6 +236,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/bind.te 2007-08-20 15:22:49.000000000 -0400
+@@ -159,6 +159,8 @@
+ allow named_t named_zone_t:lnk_file create_lnk_perms;
+ ')
+
++auth_use_nsswitch(named_t)
++
+ optional_policy(`
+ gen_require(`
+ class dbus send_msg;
+@@ -180,6 +182,10 @@
+ ')
+
+ optional_policy(`
++ kerberos_use(named_t)
++')
++
++optional_policy(`
+ # this seems like fds that arent being
+ # closed. these should probably be
+ # dontaudits instead.
+@@ -236,6 +242,7 @@
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
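Review bot: `auth_use_nsswitch(named_t)` is added without removing anything, whereas the httpd_suexec hunk in this same patch drops its nis_use_ypbind and nscd_socket_use optional blocks when it makes the same substitution; if bind.te carries equivalent blocks (not visible here) they become redundant and should go in the same change for consistency. `kerberos_use(named_t)` under its own optional_policy is the right shape for GSS-TSIG; a short comment saying so would help, since the neighbouring blocks in this file carry explanatory comments.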
@@ -5329,7 +5537,7 @@
corenet_sendrecv_rndc_client_packets(ndc_t)
fs_getattr_xattr_fs(ndc_t)
-@@ -281,3 +282,8 @@
+@@ -281,3 +288,8 @@
optional_policy(`
ppp_dontaudit_use_fds(ndc_t)
')
@@ -6054,7 +6262,7 @@
corecmd_exec_sbin(cvs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.4.6/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cyrus.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/cyrus.te 2007-08-20 15:53:13.000000000 -0400
@@ -115,6 +115,7 @@
userdom_use_sysadm_ptys(cyrus_t)
@@ -6074,6 +6282,14 @@
ldap_stream_connect(cyrus_t)
')
+@@ -144,6 +149,7 @@
+
+ optional_policy(`
+ snmp_read_snmp_var_lib_files(cyrus_t)
++ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ ')
+
+ optional_policy(`
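Review bot: `snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)` sits directly under `snmp_read_snmp_var_lib_files(cyrus_t)`; pairing an allowed read with a silenced write is the usual pattern for a client that opens a file read-write but only reads it, and if that is the case here a one-line comment saying so would stop the next reader from assuming a functional write is being suppressed. If cyrus does need to write that data, the allow is the fix, not the dontaudit.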
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.4.6/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/dbus.fc 2007-05-22 12:40:26.000000000 -0400
@@ -6258,8 +6474,8 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.4.6/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dovecot.fc 2007-05-22 12:40:26.000000000 -0400
-@@ -21,6 +21,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/dovecot.fc 2007-07-23 09:13:01.000000000 -0400
+@@ -21,12 +21,14 @@
ifdef(`distro_redhat', `
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -6267,6 +6483,13 @@
')
#
+ # /var
+ #
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
+ /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
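Review bot: `/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)` has an unescaped `.` before `dat` (the rest of this patch writes `\.`, as in `/etc/asound\.state`), and, more importantly, a file_contexts entry only takes effect under restorecon or a relabel. The directory above it is labelled dovecot_var_run_t by the preceding line, so a file dovecot writes there at runtime will be created as dovecot_var_run_t regardless of this entry, and this policy version cannot key a type_transition on the file name. Unless the file is copied or relabelled at startup, or dovecot.te transitions all files created in that directory, the entry documents intent without changing the running label; say which applies in a comment.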
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-2.4.6/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/dovecot.if 2007-05-22 12:40:26.000000000 -0400
@@ -6320,7 +6543,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.4.6/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dovecot.te 2007-05-29 09:07:25.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/dovecot.te 2007-08-13 07:14:07.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -6424,7 +6647,7 @@
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -195,12 +204,45 @@
+@@ -195,12 +204,54 @@
seutil_dontaudit_search_config(dovecot_auth_t)
@@ -6449,6 +6672,15 @@
+ postfix_create_pivate_sockets(dovecot_auth_t)
+')
+
++# for gssapi (kerberos)
++userdom_list_unpriv_users_tmp(dovecot_auth_t)
++userdom_read_unpriv_users_tmp_files(dovecot_auth_t)
++userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t)
++
++ifdef(`targeted_policy',`
++ files_manage_generic_tmp_files(dovecot_auth_t)
++')
++
+########################################
+#
+# dovecot deliver local policy
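Review bot: `files_manage_generic_tmp_files(dovecot_auth_t)` in the new `ifdef(`targeted_policy'...)` block is not covered by the `# for gssapi (kerberos)` comment above it and is far broader than the three read-only `userdom_*_unpriv_users_tmp_*` calls it follows: it lets the auth helper create, write and delete any tmp_t file, not just a user's credential cache. If the GSSAPI path only needs to read the ccache, the three read interfaces already handle it; if something must be written, name it in a comment and prefer a narrower interface or a dontaudit over a blanket manage grant.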
@@ -6740,7 +6972,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.4.6/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.if 2007-07-06 09:29:44.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/hal.if 2007-08-24 16:01:18.000000000 -0400
@@ -15,12 +15,44 @@
type hald_t, hald_exec_t;
')
@@ -6929,7 +7161,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.6/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.te 2007-07-06 09:29:37.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/hal.te 2007-08-09 14:46:17.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(hal,1.4.1)
@@ -7054,7 +7286,7 @@
fs_list_auto_mountpoints(hald_t)
files_getattr_all_mountpoints(hald_t)
-@@ -119,19 +161,18 @@
+@@ -119,19 +161,19 @@
auth_use_nsswitch(hald_t)
@@ -7066,6 +7298,7 @@
#hal runs shutdown, probably need a shutdown domain
init_rw_utmp(hald_t)
+init_telinit(hald_t)
++init_dontaudit_use_fds(hald_t)
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
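Review bot: `init_dontaudit_use_fds(hald_t)` is added directly under `init_telinit(hald_t)`, and the two pull in different directions: one grants hald the ability to drive init, the other silences denials on descriptors inherited from init. A dontaudit is the right choice only if hald merely inherits those descriptors and never needs them; if the shutdown path actually writes to them the denials will now be hidden and the failure harder to trace, so a short note next to the existing `#hal runs shutdown` comment stating which case applies would help.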
@@ -7076,7 +7309,7 @@
logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)
-@@ -142,6 +183,7 @@
+@@ -142,6 +184,7 @@
seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
@@ -7084,7 +7317,7 @@
sysnet_read_config(hald_t)
-@@ -149,12 +191,16 @@
+@@ -149,12 +192,16 @@
userdom_dontaudit_search_sysadm_home_dirs(hald_t)
ifdef(`targeted_policy',`
@@ -7102,7 +7335,7 @@
bootloader_domtrans(hald_t)
')
-@@ -240,3 +286,103 @@
+@@ -240,3 +287,103 @@
optional_policy(`
vbetool_domtrans(hald_t)
')
@@ -7674,7 +7907,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.te 2007-07-11 15:53:52.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/mta.te 2007-09-01 07:19:50.000000000 -0400
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -7713,25 +7946,48 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.4.6/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nagios.fc 2007-05-29 10:50:25.000000000 -0400
-@@ -5,12 +5,11 @@
++++ serefpolicy-2.4.6/policy/modules/services/nagios.fc 2007-09-01 07:24:55.000000000 -0400
+@@ -5,12 +5,14 @@
/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/nagios/cgi-bin/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
++/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
++
ifdef(`distro_debian',`
/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
')
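Review bot: the new `/usr/lib(64)?/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)` entry introduces a second executable type for the same CGIs: the line right above it still labels `/usr/lib(64)?/nagios/cgi-bin/.+` as nagios_cgi_exec_t, so which type a system gets now depends on the packaging path. httpd_nagios_script_exec_t is not declared anywhere in this patch, so it must come from an apache content template in nagios.te that is not visible here; confirm that template exists, and either retire nagios_cgi_exec_t or add a comment explaining why both types are kept. The `/var/spool/nagios(/.*)?` entry also needs matching rules for whichever domain writes the external command FIFO; see the note on the nagios.te region below.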
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.4.6/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nagios.te 2007-05-29 10:53:31.000000000 -0400
-@@ -75,8 +75,10 @@
++++ serefpolicy-2.4.6/policy/modules/services/nagios.te 2007-09-01 07:23:11.000000000 -0400
+@@ -26,6 +26,9 @@
+ type nagios_var_run_t;
+ files_pid_file(nagios_var_run_t)
+
++type nagios_spool_t;
++files_type(nagios_spool_t)
++
+ type nrpe_t;
+ type nrpe_exec_t;
+ init_daemon_domain(nrpe_t,nrpe_exec_t)
+@@ -62,6 +65,9 @@
+ allow nagios_t nagios_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+
++allow nagios_t nagios_spool_t:dir search_dir_perms;
++allow nagios_t nagios_spool_t:fifo_file rw_file_perms;
++
+ kernel_read_system_state(nagios_t)
+ kernel_read_kernel_sysctls(nagios_t)
+
+@@ -75,8 +81,10 @@
corenet_udp_sendrecv_all_nodes(nagios_t)
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
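Review bot: the new rules `allow nagios_t nagios_spool_t:dir search_dir_perms;` and `allow nagios_t nagios_spool_t:fifo_file rw_file_perms;` give nagios_t read/write on an existing FIFO only, with no create permission on either the dir or the fifo_file class, so the command pipe under the newly labelled `/var/spool/nagios(/.*)?` must be created by something else (init script or packaging) or nagios will fail at start. Nothing in this region lets the CGI domain that submits external commands write to that FIFO either, so the web front end loses command submission as soon as the spool is relabelled. Either add create permissions here plus an interface in nagios.if (following the existing nagios_* naming) that the httpd script domain can call, or state in a comment where the FIFO comes from and who writes it. A declaration comment on `type nagios_spool_t;`, like the ones on the neighbouring types, would also help.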
@@ -7742,7 +7998,7 @@
domain_use_interactive_fds(nagios_t)
# for ps
-@@ -120,14 +122,10 @@
+@@ -120,14 +128,10 @@
netutils_domtrans_ping(nagios_t)
netutils_signal_ping(nagios_t)
netutils_kill_ping(nagios_t)
@@ -8036,25 +8292,42 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.4.6/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ntp.te 2007-07-17 16:18:58.000000000 -0400
-@@ -36,10 +36,12 @@
++++ serefpolicy-2.4.6/policy/modules/services/ntp.te 2007-08-24 16:30:10.000000000 -0400
+@@ -36,6 +36,7 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
-+allow ntpd_t self:shm rw_shm_perms;
++allow ntpd_t self:shm create_shm_perms;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_stream_socket_perms;
- allow ntpd_t self:udp_socket create_socket_perms;
-+allow ntpd_t self:shm create_shm_perms;
+@@ -83,6 +84,8 @@
- allow ntpd_t ntp_drift_t:dir rw_dir_perms;
- allow ntpd_t ntp_drift_t:file create_file_perms;
-@@ -137,6 +139,7 @@
+ fs_getattr_all_fs(ntpd_t)
+ fs_search_auto_mountpoints(ntpd_t)
++# Necessary to communicate with gpsd devices
++fs_rw_tmpfs_files(ntpd_t)
+
+ term_dontaudit_use_console(ntpd_t)
+
+@@ -118,6 +121,8 @@
+ userdom_list_sysadm_home_dirs(ntpd_t)
+ userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
+
++term_use_ptmx(ntpd_t)
++
+ ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_ttys(ntpd_t)
+ term_dontaudit_use_generic_ptys(ntpd_t)
+@@ -137,6 +142,11 @@
optional_policy(`
firstboot_dontaudit_use_fds(ntpd_t)
+ firstboot_dontaudit_rw_pipes(ntpd_t)
++')
++
++optional_policy(`
++ hal_dontaudit_write_log(ntpd_t)
')
optional_policy(`
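Review bot: `fs_rw_tmpfs_files(ntpd_t)` under `# Necessary to communicate with gpsd devices` grants read/write on every tmpfs_t file, which is much more than the one shared segment gpsd exports. If the access comes from mapping a SysV shm segment's backing inode, say so in the comment so the rule is not mistaken for a grant on /dev/shm contents; and note that the new `allow ntpd_t self:shm create_shm_perms;` only covers segments ntpd itself creates, so a segment created by gpsd will still need a rule between ntpd_t and gpsd's domain if one exists. `term_use_ptmx(ntpd_t)` is also added outside the `ifdef(`targeted_policy'...)` block with no comment; a daemon reading a refclock over a serial line needs a tty type rather than the pty master, so explain which setup triggered it. `hal_dontaudit_write_log(ntpd_t)` looks fine.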
@@ -8389,8 +8662,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.6/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pegasus.te 2007-05-22 12:40:26.000000000 -0400
-@@ -30,13 +30,13 @@
++++ serefpolicy-2.4.6/policy/modules/services/pegasus.te 2007-09-01 07:02:07.000000000 -0400
+@@ -30,20 +30,20 @@
# Local policy
#
@@ -8406,6 +8679,14 @@
allow pegasus_t self:tcp_socket create_stream_socket_perms;
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
+ allow pegasus_t pegasus_conf_t:file { r_file_perms link unlink };
+ allow pegasus_t pegasus_conf_t:lnk_file r_file_perms;
+
+-allow pegasus_t pegasus_data_t:dir rw_dir_perms;
++allow pegasus_t pegasus_data_t:dir create_dir_perms;
+ allow pegasus_t pegasus_data_t:file create_file_perms;
+ allow pegasus_t pegasus_data_t:lnk_file create_lnk_perms;
+ type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;
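Review bot: widening `allow pegasus_t pegasus_data_t:dir rw_dir_perms;` to `create_dir_perms` is consistent with the existing `type_transition pegasus_t pegasus_conf_t:{ file dir } pegasus_data_t;` two lines below, so subdirectories cimserver creates will land in pegasus_data_t as intended. create_dir_perms also brings rmdir and rename, so a short comment on the line naming the operation that needed it would document the widening for the next reader.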
@@ -100,13 +100,13 @@
auth_use_nsswitch(pegasus_t)
@@ -8952,7 +9233,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-2.4.6/policy/modules/services/radius.te
--- nsaserefpolicy/policy/modules/services/radius.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/radius.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/radius.te 2007-07-23 10:49:52.000000000 -0400
@@ -36,6 +36,7 @@
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
allow radiusd_t self:tcp_socket create_stream_socket_perms;
@@ -8969,6 +9250,14 @@
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
+@@ -104,6 +106,7 @@
+ logging_send_syslog_msg(radiusd_t)
+
+ miscfiles_read_localization(radiusd_t)
++miscfiles_read_certs(radiusd_t)
+
+ sysnet_read_config(radiusd_t)
+
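Review bot: `miscfiles_read_certs(radiusd_t)` grants read on cert_t, the system-wide certificate store, which is what EAP-TLS needs when the server certificate lives outside /etc/raddb; add a comment saying so, since otherwise it reads as a generic file grant. Bear in mind that any private key kept under cert_t becomes readable to radiusd as well, so keys that should stay private to another service belong outside that type.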
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-2.4.6/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/radvd.te 2007-05-22 12:40:26.000000000 -0400
@@ -9497,7 +9786,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te 2007-07-03 11:14:53.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/samba.te 2007-08-23 17:07:52.000000000 -0400
@@ -10,6 +10,13 @@
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)
@@ -9580,10 +9869,14 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -302,6 +320,10 @@
+@@ -302,6 +320,14 @@
')
optional_policy(`
++ kerberos_read_keytab(smbd_t)
++')
++
++optional_policy(`
+ lpd_exec_lpr(smbd_t)
+')
+
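Review bot: `kerberos_read_keytab(smbd_t)` in the new `optional_policy` block only covers smbd; on an AD member the Kerberos work (join, ticket validation) is done by winbindd, and none of the winbind_t hunks in this patch add the same call, so check whether winbind_t needs `kerberos_read_keytab` too or whether the denial that prompted this was smbd-only. Keeping it in its own optional_policy block rather than folding it into the lpd one is the right layout.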
@@ -9591,7 +9884,7 @@
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -348,8 +370,8 @@
+@@ -348,8 +374,8 @@
allow nmbd_t samba_etc_t:dir { search getattr };
allow nmbd_t samba_etc_t:file { getattr read };
@@ -9602,7 +9895,7 @@
allow nmbd_t samba_var_t:dir rw_dir_perms;
allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-@@ -374,6 +396,7 @@
+@@ -374,6 +400,7 @@
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
@@ -9610,7 +9903,7 @@
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
-@@ -387,6 +410,7 @@
+@@ -387,6 +414,7 @@
files_read_usr_files(nmbd_t)
files_read_etc_files(nmbd_t)
@@ -9618,7 +9911,7 @@
init_use_fds(nmbd_t)
init_use_script_ptys(nmbd_t)
-@@ -449,6 +473,8 @@
+@@ -449,6 +477,8 @@
allow smbmount_t samba_var_t:file create_file_perms;
allow smbmount_t samba_var_t:lnk_file create_lnk_perms;
@@ -9627,7 +9920,7 @@
kernel_read_system_state(smbmount_t)
corenet_tcp_sendrecv_all_if(smbmount_t)
-@@ -502,7 +528,7 @@
+@@ -502,7 +532,7 @@
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
@@ -9636,7 +9929,7 @@
')
optional_policy(`
-@@ -522,10 +548,9 @@
+@@ -522,10 +552,9 @@
allow swat_t self:process signal_perms;
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -9648,7 +9941,7 @@
allow swat_t nmbd_exec_t:file { execute read };
-@@ -533,7 +558,7 @@
+@@ -533,7 +562,7 @@
allow swat_t samba_etc_t:file { getattr write read };
allow swat_t samba_log_t:dir search;
@@ -9657,7 +9950,7 @@
allow swat_t smbd_exec_t:file execute ;
-@@ -566,9 +591,8 @@
+@@ -566,9 +595,8 @@
corenet_raw_sendrecv_all_nodes(swat_t)
corenet_tcp_sendrecv_all_ports(swat_t)
corenet_udp_sendrecv_all_ports(swat_t)
@@ -9668,7 +9961,7 @@
dev_read_urand(swat_t)
-@@ -578,6 +602,7 @@
+@@ -578,6 +606,7 @@
fs_getattr_xattr_fs(swat_t)
auth_domtrans_chk_passwd(swat_t)
@@ -9676,7 +9969,7 @@
libs_use_ld_so(swat_t)
libs_use_shared_libs(swat_t)
-@@ -591,6 +616,7 @@
+@@ -591,6 +620,7 @@
optional_policy(`
cups_read_rw_config(swat_t)
@@ -9684,7 +9977,7 @@
')
optional_policy(`
-@@ -614,15 +640,19 @@
+@@ -614,15 +644,19 @@
# Winbind local policy
#
@@ -9705,7 +9998,7 @@
allow winbind_t samba_etc_t:dir r_dir_perms;
allow winbind_t samba_etc_t:lnk_file { getattr read };
allow winbind_t samba_etc_t:file r_file_perms;
-@@ -655,6 +685,8 @@
+@@ -655,6 +689,8 @@
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
@@ -9714,7 +10007,7 @@
corenet_tcp_sendrecv_all_if(winbind_t)
corenet_udp_sendrecv_all_if(winbind_t)
corenet_raw_sendrecv_all_if(winbind_t)
-@@ -676,11 +708,14 @@
+@@ -676,11 +712,14 @@
term_dontaudit_use_console(winbind_t)
@@ -9729,7 +10022,7 @@
init_use_fds(winbind_t)
init_use_script_ptys(winbind_t)
-@@ -692,13 +727,13 @@
+@@ -692,13 +731,13 @@
miscfiles_read_localization(winbind_t)
@@ -9746,7 +10039,7 @@
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(winbind_t)
term_dontaudit_use_generic_ptys(winbind_t)
-@@ -710,10 +745,6 @@
+@@ -710,10 +749,6 @@
')
optional_policy(`
@@ -9757,7 +10050,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -743,6 +774,8 @@
+@@ -743,6 +778,8 @@
domain_use_interactive_fds(winbind_helper_t)
@@ -9766,7 +10059,7 @@
libs_use_ld_so(winbind_helper_t)
libs_use_shared_libs(winbind_helper_t)
-@@ -763,3 +796,24 @@
+@@ -763,3 +800,24 @@
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
')
@@ -9887,8 +10180,50 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.4.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/sendmail.te 2007-05-22 12:40:26.000000000 -0400
-@@ -140,6 +140,10 @@
++++ serefpolicy-2.4.6/policy/modules/services/sendmail.te 2007-08-29 06:23:45.000000000 -0400
+@@ -32,7 +32,6 @@
+ allow sendmail_t self:unix_dgram_socket create_socket_perms;
+ allow sendmail_t self:tcp_socket create_stream_socket_perms;
+ allow sendmail_t self:udp_socket create_socket_perms;
+-allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow sendmail_t sendmail_log_t:file create_file_perms;
+ allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
+@@ -45,6 +44,8 @@
+ allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+ files_pid_filetrans(sendmail_t,sendmail_var_run_t,file)
+
++auth_use_nsswitch(sendmail_t)
++
+ kernel_read_kernel_sysctls(sendmail_t)
+ # for piping mail to a command
+ kernel_read_system_state(sendmail_t)
+@@ -93,9 +94,6 @@
+
+ miscfiles_read_localization(sendmail_t)
+
+-sysnet_dns_name_resolve(sendmail_t)
+-sysnet_read_config(sendmail_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
+ userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+
+@@ -115,14 +113,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(sendmail_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(sendmail_t)
+-')
+-
+-optional_policy(`
+ postfix_exec_master(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+@@ -140,6 +130,10 @@
udev_read_db(sendmail_t)
')
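Review bot: replacing `sysnet_dns_name_resolve`, `sysnet_read_config`, `nis_use_ypbind`, `nscd_socket_use` and the bare `allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;` with a single `auth_use_nsswitch(sendmail_t)` is only a no-op if that interface in this tree wraps all five; the netlink_route_socket rule is the one most easily lost, since the resolver needs it for its routing lookups. Please confirm against authlogin.if before merging. Also, the new call is placed between `files_pid_filetrans` and the `kernel_*` block, whereas the rest of the file keeps the refpolicy layer order (kernel, corenet, dev, files, fs, then auth and the rest); move it down beside the other auth_/logging_ style calls.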
@@ -9899,7 +10234,7 @@
ifdef(`TODO',`
allow sendmail_t etc_mail_t:dir rw_dir_perms;
allow sendmail_t etc_mail_t:file create_file_perms;
-@@ -152,9 +156,5 @@
+@@ -152,9 +146,5 @@
# When sendmail runs as user_mail_domain, it needs some extra permissions
# to update /etc/mail/statistics.
allow user_mail_domain etc_mail_t:file rw_file_perms;
@@ -9966,7 +10301,7 @@
storage_raw_write_fixed_disk(fsdaemon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-2.4.6/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/snmp.if 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/snmp.if 2007-08-20 15:52:57.000000000 -0400
@@ -65,3 +65,20 @@
dontaudit $1 snmpd_var_lib_t:file r_file_perms;
dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
@@ -9990,8 +10325,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.6/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/snmp.te 2007-05-22 12:40:26.000000000 -0400
-@@ -77,6 +77,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/snmp.te 2007-08-29 06:10:08.000000000 -0400
+@@ -51,6 +51,7 @@
+
+ kernel_read_device_sysctls(snmpd_t)
+ kernel_read_kernel_sysctls(snmpd_t)
++kernel_read_fs_sysctls(snmpd_t)
+ kernel_read_net_sysctls(snmpd_t)
+ kernel_read_proc_symlinks(snmpd_t)
+ kernel_read_system_state(snmpd_t)
+@@ -77,6 +78,7 @@
dev_read_sysfs(snmpd_t)
dev_read_urand(snmpd_t)
dev_read_rand(snmpd_t)
@@ -9999,11 +10342,13 @@
domain_use_interactive_fds(snmpd_t)
domain_signull_all_domains(snmpd_t)
-@@ -87,9 +88,10 @@
+@@ -85,11 +87,10 @@
+ files_read_etc_files(snmpd_t)
+ files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
- files_search_home(snmpd_t)
- files_getattr_boot_dirs(snmpd_t)
-+files_dontaudit_getattr_home_dir(snmpd_t)
+-files_search_home(snmpd_t)
+-files_getattr_boot_dirs(snmpd_t)
++files_getattr_all_dirs(snmpd_t)
+fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
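Review bot: swapping `files_dontaudit_getattr_home_dir(snmpd_t)` for `files_getattr_all_dirs(snmpd_t)` while also dropping `files_search_home(snmpd_t)` and `files_getattr_boot_dirs(snmpd_t)` changes two things at once. getattr is now allowed on every directory type, presumably for the storage tables that statfs each mount point, but search on the home root is gone, and getattr on a mount point below /home still requires search on its parents, so the old home denials may simply come back as search denials. Either keep files_search_home or add a comment saying mount points under home directories are deliberately not reported. A comment on why all-dirs getattr is needed would also help, because it sits right next to `fs_getattr_all_dirs(snmpd_t)` and the pair reads as a duplicate.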
@@ -10011,7 +10356,7 @@
fs_search_auto_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
-@@ -138,11 +140,12 @@
+@@ -138,11 +139,12 @@
')
optional_policy(`
@@ -10026,7 +10371,7 @@
')
optional_policy(`
-@@ -150,9 +153,17 @@
+@@ -150,9 +152,17 @@
')
optional_policy(`
@@ -10044,6 +10389,20 @@
+optional_policy(`
udev_read_db(snmpd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-2.4.6/policy/modules/services/soundserver.te
+--- nsaserefpolicy/policy/modules/services/soundserver.te 2006-11-29 12:04:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/soundserver.te 2007-08-24 16:10:31.000000000 -0400
+@@ -112,6 +112,10 @@
+ ')
+
+ optional_policy(`
++ alsa_domtrans(soundd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(soundd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.4.6/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.fc 2007-06-18 10:50:37.000000000 -0400
@@ -10481,8 +10840,16 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.4.6/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/tftp.te 2007-05-22 12:40:26.000000000 -0400
-@@ -54,6 +54,8 @@
++++ serefpolicy-2.4.6/policy/modules/services/tftp.te 2007-08-22 08:29:04.000000000 -0400
+@@ -26,6 +26,7 @@
+ allow tftpd_t self:udp_socket create_socket_perms;
+ allow tftpd_t self:unix_dgram_socket create_socket_perms;
+ allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
++allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
+ dontaudit tftpd_t self:capability sys_tty_config;
+
+ allow tftpd_t tftpdir_t:dir { getattr read search };
+@@ -54,6 +55,8 @@
dev_read_sysfs(tftpd_t)
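Review bot: the bare `allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;` is the same rule the sendmail.te hunk in this patch removes in favour of `auth_use_nsswitch`. If tftpd needs it for name resolution, the usual reason, use the interface here as well rather than re-introducing a raw rule; if it is needed for something else (enumerating interfaces for the listening address, say) add a comment so the two files do not drift apart.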
@@ -11313,7 +11680,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.6/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.te 2007-06-04 11:28:31.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.te 2007-08-07 09:22:58.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -11328,7 +11695,18 @@
type chkpwd_exec_t;
corecmd_executable_file(chkpwd_exec_t)
-@@ -141,6 +148,7 @@
+@@ -98,7 +105,9 @@
+
+ kernel_read_system_state(pam_t)
+
+-fs_search_auto_mountpoints(pam_t)
++fs_list_auto_mountpoints(pam_console_t)
++fs_list_noxattr_fs(pam_console_t)
++fs_getattr_all_fs(pam_console_t)
+
+ term_use_all_user_ttys(pam_t)
+ term_use_all_user_ptys(pam_t)
+@@ -141,6 +150,7 @@
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
allow pam_console_t pam_var_console_t:file r_file_perms;
dontaudit pam_console_t pam_var_console_t:file write;
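Review bot: the inner hunk at `@@ -98,7 +105,9 @@` is in the pam_t section (the surrounding lines are `kernel_read_system_state(pam_t)` and `term_use_all_user_ttys(pam_t)`), yet it removes `fs_search_auto_mountpoints(pam_t)` and adds three rules for a different domain: `fs_list_auto_mountpoints(pam_console_t)`, `fs_list_noxattr_fs(pam_console_t)`, `fs_getattr_all_fs(pam_console_t)`. That looks like a mis-edit: pam_t silently loses its autofs search permission, and `fs_list_auto_mountpoints(pam_console_t)` already exists in the pam_console_t block (visible as context in the `@@ -203,6 +213,7 @@` hunk below). Restore the pam_t line and move the two genuinely new pam_console_t rules down beside the existing one.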
@@ -11336,7 +11714,7 @@
kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
-@@ -162,6 +170,8 @@
+@@ -162,6 +172,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
@@ -11345,7 +11723,7 @@
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
-@@ -172,8 +182,6 @@
+@@ -172,8 +184,6 @@
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)
@@ -11354,7 +11732,7 @@
mls_file_read_up(pam_console_t)
mls_file_write_down(pam_console_t)
-@@ -203,6 +211,7 @@
+@@ -203,6 +213,7 @@
files_read_etc_runtime_files(pam_console_t)
fs_list_auto_mountpoints(pam_console_t)
@@ -11362,7 +11740,7 @@
init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)
-@@ -252,7 +261,7 @@
+@@ -252,7 +263,7 @@
# System check password local policy
#
@@ -11371,7 +11749,7 @@
allow system_chkpwd_t shadow_t:file { getattr read };
-@@ -265,6 +274,7 @@
+@@ -265,6 +276,7 @@
userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
@@ -11379,7 +11757,7 @@
########################################
#
-@@ -306,3 +316,30 @@
+@@ -306,3 +318,30 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -11489,7 +11867,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.6/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/fstools.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/fstools.te 2007-08-21 13:50:28.000000000 -0400
@@ -9,7 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -11517,7 +11895,7 @@
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
-@@ -190,3 +190,8 @@
+@@ -190,3 +190,15 @@
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
@@ -11526,6 +11904,13 @@
+ ssh_sigchld(fsadm_t)
+ ssh_rw_stream_sockets(fsadm_t)
+')
++
++optional_policy(`
++ xen_append_log(fsadm_t)
++ xen_rw_image_files(fsadm_t)
++')
++
++fs_manage_nfs_files(fsadm_t)
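Review bot: `fs_manage_nfs_files(fsadm_t)` is appended unconditionally after the optional_policy blocks. NFS grants elsewhere in refpolicy are normally gated by a tunable such as `use_nfs_home_dirs`, and fsadm_t covers fsck/mkfs/resize tools that should rarely need create/write/unlink on nfs_t files at all. Either wrap it in a tunable_policy with a comment naming the tool and operation that needs it (a swap file or loop image on NFS?) or drop it, and in any case move it above the optional_policy blocks to keep the file's layout.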
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/getty.te 2007-05-22 12:40:26.000000000 -0400
@@ -11603,8 +11988,24 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.4.6/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.if 2007-06-07 15:57:22.000000000 -0400
-@@ -221,11 +221,14 @@
++++ serefpolicy-2.4.6/policy/modules/system/init.if 2007-08-10 16:25:06.000000000 -0400
+@@ -110,6 +110,15 @@
+
+ role system_r types $1;
+
++ # daemons started from init will
++ # inherit fds from init for the console
++ init_dontaudit_use_fds($1)
++ term_dontaudit_use_console($1)
++
++ # init script ptys are the stdin/out/err
++ # when using run_init
++ init_use_script_ptys($1)
++
+ ifdef(`direct_sysadm_daemon',`
+ domain_auto_trans(direct_run_init,$2,$1)
+
+@@ -221,11 +230,14 @@
gen_require(`
type initrc_t;
role system_r;
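Review bot: adding `init_dontaudit_use_fds($1)`, `term_dontaudit_use_console($1)` and `init_use_script_ptys($1)` inside the template at `@@ -110,6 +110,15 @@` applies them to every domain that calls init_daemon_domain, so the per-domain copies still present in this patch (for example `init_use_script_ptys(nmbd_t)`, `init_use_script_ptys(winbind_t)`, `init_use_script_ptys(pam_console_t)` and `init_use_script_ptys(iptables_t)` in the hunks around this one) become redundant and can be removed in a follow-up. Note that the third call is an allow, not a dontaudit, so this is a blanket grant of read/write on init script ptys to all daemons; the `# init script ptys are the stdin/out/err` comment explains the run_init case well, but it is worth stating that the allow is intentional rather than a silenced denial.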
@@ -11619,7 +12020,7 @@
role system_r types $1;
domain_auto_trans(initrc_t,$2,$1)
-@@ -518,6 +521,7 @@
+@@ -518,6 +530,7 @@
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
@@ -11627,7 +12028,7 @@
')
########################################
-@@ -1290,7 +1294,7 @@
+@@ -1290,7 +1303,7 @@
type initrc_var_run_t;
')
@@ -11636,7 +12037,7 @@
')
########################################
-@@ -1311,3 +1315,63 @@
+@@ -1311,3 +1324,63 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file create_file_perms;
')
@@ -12139,8 +12540,17 @@
+dev_read_urand(racoon_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.4.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2007-05-29 12:04:33.000000000 -0400
-@@ -52,11 +52,12 @@
++++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2007-07-19 09:15:39.000000000 -0400
+@@ -37,6 +37,8 @@
+
+ allow iptables_t self:rawip_socket create_socket_perms;
+
++auth_use_nsswitch(iptables_t)
++
+ kernel_read_system_state(iptables_t)
+ kernel_read_network_state(iptables_t)
+ kernel_read_kernel_sysctls(iptables_t)
+@@ -52,11 +54,12 @@
mls_file_read_up(iptables_t)
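Review bot: `auth_use_nsswitch(iptables_t)` is inserted ahead of the `kernel_*` calls; the refpolicy convention, followed in the rest of this file, orders kernel/corenet/dev/files/fs/term first and auth_* after, so move it down. The call itself is the right replacement for the `nis_use_ypbind(iptables_t)` (`# for iptables -L`) and `nscd_socket_use(iptables_t)` blocks that the next hunk removes; carry the `# for iptables -L` comment over to the new line so the reason for the lookup permissions is not lost.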
@@ -12154,7 +12564,7 @@
init_use_fds(iptables_t)
init_use_script_ptys(iptables_t)
-@@ -78,14 +79,23 @@
+@@ -78,23 +81,23 @@
userdom_use_all_users_fds(iptables_t)
ifdef(`targeted_policy', `
@@ -12164,24 +12574,28 @@
+ term_use_generic_ptys(iptables_t)
files_dontaudit_read_root_files(iptables_t)
+ unconfined_rw_pipes(iptables_t)
-+')
-+
-+optional_policy(`
-+ nscd_socket_use(iptables_t)
-+')
-+
-+optional_policy(`
-+ fail2ban_append_log(iptables_t)
')
optional_policy(`
- firstboot_use_fds(iptables_t)
+- firstboot_use_fds(iptables_t)
- firstboot_write_pipes(iptables_t)
++ fail2ban_append_log(iptables_t)
+ ')
+
+ optional_policy(`
+- modutils_domtrans_insmod(iptables_t)
++ firstboot_use_fds(iptables_t)
+ firstboot_rw_pipes(iptables_t)
')
optional_policy(`
-@@ -104,3 +114,12 @@
+- # for iptables -L
+- nis_use_ypbind(iptables_t)
++ modutils_domtrans_insmod(iptables_t)
+ ')
+
+ optional_policy(`
+@@ -104,3 +107,12 @@
optional_policy(`
udev_read_db(iptables_t)
')
@@ -12196,18 +12610,19 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2007-05-22 12:40:26.000000000 -0400
-@@ -79,6 +79,9 @@
++++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2007-08-07 09:12:46.000000000 -0400
+@@ -79,6 +79,10 @@
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:shlib_t,s0)
-+/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
++/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -129,27 +132,36 @@
+@@ -129,27 +133,36 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
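Review bot: the two replacement entries `/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)` and `/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` raise three points. The jar line uses lib_t while the neighbouring `/opt/(.*/)?java/.+\.jar` and `/opt/(.*/)?jre/.+\.jar` entries use shlib_t, so IBM jars get a different type from every other jar for no stated reason. The .so line widens the text-relocation exception from the single `java2-ppc64-50/jre/bin` path being removed to every shared object in every IBM JRE; textrel_shlib_t is a relaxation (it permits execmod), so limit it to the libraries known to need it or at least explain the widening in a comment. And `java.*` is an unanchored regex that also matches `/opt/ibm/javasomething/`; `java[^/]*` is the usual refpolicy idiom.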
@@ -12246,7 +12661,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -157,6 +169,7 @@
+@@ -157,6 +170,7 @@
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12254,7 +12669,7 @@
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_redhat',`
-@@ -167,19 +180,15 @@
+@@ -167,19 +181,15 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -12278,7 +12693,7 @@
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -243,9 +252,13 @@
+@@ -243,9 +253,13 @@
/usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Flash plugin, Macromedia
@@ -12292,7 +12707,7 @@
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -258,10 +271,9 @@
+@@ -258,10 +272,9 @@
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Java, Sun Microsystems (JPackage SRPM)
@@ -12306,7 +12721,7 @@
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -300,3 +312,6 @@
+@@ -300,3 +313,6 @@
/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
/var/spool/postfix/lib(64)?/devfsd/.+\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -12514,8 +12929,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/logging.te 2007-05-22 12:40:26.000000000 -0400
-@@ -53,9 +53,11 @@
++++ serefpolicy-2.4.6/policy/modules/system/logging.te 2007-08-28 13:43:27.000000000 -0400
+@@ -53,18 +53,19 @@
type var_log_t;
logging_log_file(var_log_t)
@@ -12527,17 +12942,26 @@
')
########################################
-@@ -63,8 +65,7 @@
- # Auditd local policy
+ #
+-# Auditd local policy
++# Auditctl local policy
#
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
-+allow auditctl_t self:capability fsetid;
++allow auditctl_t self:capability { fsetid dac_read_search dac_override };
libs_use_ld_so(auditctl_t)
libs_use_shared_libs(auditctl_t)
-@@ -93,6 +94,7 @@
+@@ -76,6 +77,7 @@
+
+ # Needed for adding watches
+ files_getattr_all_dirs(auditctl_t)
++files_getattr_all_files(auditctl_t)
+ files_read_etc_files(auditctl_t)
+
+ kernel_read_kernel_sysctls(auditctl_t)
+@@ -93,6 +95,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
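Review bot: `allow auditctl_t self:capability { fsetid dac_read_search dac_override };` goes beyond what the `# Needed for adding watches` comment below it justifies. Setting a watch needs to stat the path regardless of DAC mode bits, which is dac_read_search; dac_override additionally bypasses DAC write checks and is not needed to add a watch or to read the rules file. Drop dac_override unless a specific denial shows it is required. `files_getattr_all_files(auditctl_t)` next to the existing `files_getattr_all_dirs(auditctl_t)` is the right narrow fix for watch path resolution, and renaming the section to `# Auditctl local policy` fixes the duplicated Auditd heading.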
@@ -12545,7 +12969,7 @@
logging_send_syslog_msg(auditctl_t)
ifdef(`targeted_policy',`
-@@ -105,12 +107,11 @@
+@@ -105,12 +108,11 @@
# Auditd local policy
#
@@ -12559,7 +12983,7 @@
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:dir r_dir_perms;
-@@ -156,6 +157,7 @@
+@@ -156,6 +158,7 @@
init_write_initctl(auditd_t)
init_dontaudit_use_script_ptys(auditd_t)
@@ -12567,7 +12991,7 @@
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -275,7 +277,7 @@
+@@ -275,7 +278,7 @@
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
@@ -12576,7 +13000,7 @@
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-@@ -311,6 +313,10 @@
+@@ -311,6 +314,10 @@
fs_search_auto_mountpoints(syslogd_t)
@@ -12587,7 +13011,7 @@
term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
-@@ -326,6 +332,18 @@
+@@ -326,6 +333,18 @@
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
@@ -12606,7 +13030,7 @@
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
-@@ -398,3 +416,8 @@
+@@ -398,3 +417,8 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -13032,7 +13456,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.6/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2007-07-10 12:27:12.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2007-08-24 16:32:10.000000000 -0400
@@ -54,6 +54,8 @@
can_exec(insmod_t, insmod_exec_t)
@@ -13042,7 +13466,7 @@
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_write_proc_files(insmod_t)
-@@ -117,10 +119,6 @@
+@@ -117,15 +119,23 @@
kernel_domtrans_to(insmod_t,insmod_exec_t)
}
@@ -13053,7 +13477,24 @@
ifdef(`targeted_policy',`
unconfined_domain(insmod_t)
')
-@@ -142,9 +140,16 @@
+
+ optional_policy(`
++ alsa_domtrans(insmod_t)
++')
++
++optional_policy(`
++ firstboot_dontaudit_rw_pipes(insmod_t)
++')
++
++optional_policy(`
++ hal_write_log(insmod_t)
++')
++
++optional_policy(`
+ hotplug_search_config(insmod_t)
+ ')
+
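Review bot: `alsa_domtrans(insmod_t)` is a new domain transition out of module loading with no comment on what triggers it, and the same goes for `hal_write_log(insmod_t)`; a transition means whatever insmod runs from a module install hook now gets the alsa domain's full access, so the hunk should say which hook or tool this is for (the hotplug_search_config block that follows at least explains itself through its interface name). `firstboot_dontaudit_rw_pipes(insmod_t)` is fine as a noise suppressor, but it too deserves a one-line note about which firstboot step drives modprobe so the dontaudit is not removed later as dead code.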
+@@ -142,9 +152,16 @@
')
optional_policy(`
@@ -13070,7 +13511,7 @@
ifdef(`hide_broken_symptoms',`
xserver_dontaudit_rw_xdm_xserver_tcp_sockets(insmod_t)
-@@ -153,6 +158,7 @@
+@@ -153,6 +170,7 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -13078,7 +13519,7 @@
')
optional_policy(`
-@@ -179,6 +185,7 @@
+@@ -179,6 +197,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
@@ -13086,7 +13527,7 @@
fs_getattr_xattr_fs(depmod_t)
-@@ -209,6 +216,8 @@
+@@ -209,6 +228,8 @@
ifdef(`targeted_policy', `
term_use_unallocated_ttys(depmod_t)
term_use_generic_ptys(depmod_t)
@@ -13095,7 +13536,7 @@
')
optional_policy(`
-@@ -289,3 +298,12 @@
+@@ -289,3 +310,12 @@
term_use_generic_ptys(update_modules_t)
term_use_unallocated_ttys(update_modules_t)
')
@@ -13110,7 +13551,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te 2007-07-01 20:54:25.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/mount.te 2007-08-24 16:32:46.000000000 -0400
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -13203,6 +13644,16 @@
########################################
#
# Unconfined mount local policy
+@@ -193,3 +202,9 @@
+ files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
+ unconfined_domain(unconfined_mount_t)
+ ')
++
++optional_policy(`
++ hal_write_log(mount_t)
++ hal_use_fds(mount_t)
++ hal_rw_pipes(mount_t)
++')
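Review bot: this optional_policy block (`hal_write_log`, `hal_use_fds`, `hal_rw_pipes` for mount_t) is added to mount.te a second time by policy-fusermount.patch in this same commit, under that patch's `# ntfs local policy` section. Both copies compile, since duplicate allow rules merge, but the second copy means a future tightening of one will be silently undone by the other. Keep one, preferably the one in the fusermount patch next to the ntfs-3g rules it belongs with, and drop this one.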
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.4.6/policy/modules/system/netlabel.te
--- nsaserefpolicy/policy/modules/system/netlabel.te 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/netlabel.te 2007-05-22 12:40:26.000000000 -0400
@@ -13766,7 +14217,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.4.6/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te 2007-08-22 08:37:23.000000000 -0400
@@ -175,6 +175,8 @@
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
@@ -13776,7 +14227,15 @@
optional_policy(`
networkmanager_dbus_chat(dhcpc_t)
')
-@@ -280,6 +282,7 @@
+@@ -270,6 +272,7 @@
+ allow ifconfig_t self:sem create_sem_perms;
+ allow ifconfig_t self:msgq create_msgq_perms;
+ allow ifconfig_t self:msg { send receive };
++allow ifconfig_t net_conf_t:file r_file_perms;
+
+ # Create UDP sockets, necessary when called from dhcpc
+ allow ifconfig_t self:udp_socket create_socket_perms;
+@@ -280,6 +283,7 @@
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
files_read_etc_files(ifconfig_t);
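Review bot: `allow ifconfig_t net_conf_t:file r_file_perms;` lands between the SysV IPC rules and the `# Create UDP sockets, necessary when called from dhcpc` comment with nothing saying which net_conf_t file ifconfig reads or on whose behalf. A raw rule is acceptable if net_conf_t is declared in this same file; otherwise use the sysnetwork read interface for the type. Either way, give the rule its own comment (the dhcpc path named in the neighbouring comment is the obvious candidate) so the next refresh does not treat it as a stray paste.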
@@ -13784,7 +14243,7 @@
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
-@@ -333,6 +336,9 @@
+@@ -333,6 +337,9 @@
ifdef(`targeted_policy',`
term_use_generic_ptys(ifconfig_t)
term_use_unallocated_ttys(ifconfig_t)
@@ -13794,7 +14253,7 @@
')
optional_policy(`
-@@ -353,3 +359,10 @@
+@@ -353,3 +360,10 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -13974,7 +14433,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.6/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2007-06-22 11:15:09.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2007-08-15 06:19:32.000000000 -0400
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
@@ -14017,7 +14476,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2007-08-29 06:26:03.000000000 -0400
@@ -48,6 +48,10 @@
userdom_priveleged_home_dir_manager(unconfined_t)
@@ -15205,7 +15664,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.6/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2007-05-22 12:40:26.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2007-08-29 23:03:13.000000000 -0400
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
@@ -15214,9 +15673,17 @@
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+@@ -17,6 +18,7 @@
+ /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+
+ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
++/var/run/libvirt(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
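Review bot: `/var/run/libvirt(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)` (the #249069 change from the changelog) makes libvirt's whole runtime directory share a type with xend's pid file and /var/run/xend, so any domain that can manage xend_var_run_t can now also manage libvirt's sockets and pid files, and a future libvirt module will have to relabel these paths. Workable as an FC-6 stopgap, but put a comment on the line saying it is one, so the mapping is not carried forward as the intended design.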
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.4.6/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.if 2007-06-15 13:12:08.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.if 2007-07-25 10:36:53.000000000 -0400
@@ -77,6 +77,7 @@
')
@@ -15225,7 +15692,7 @@
allow $1 xend_var_log_t:file { getattr append };
dontaudit $1 xend_var_log_t:file write;
')
-@@ -163,3 +164,46 @@
+@@ -163,3 +164,66 @@
allow xm_t $1:fifo_file rw_file_perms;
allow xm_t $1:process sigchld;
')
@@ -15272,9 +15739,29 @@
+ allow $1 xend_var_lib_t:dir search_dir_perms;
+ read_files_pattern($1,xen_image_t,xen_image_t)
+')
++########################################
++## <summary>
++## Allow the specified domain to read/write
++## xend image files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`xen_rw_image_files',`
++ gen_require(`
++ type xen_image_t, xend_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 xend_var_lib_t:dir search_dir_perms;
++ rw_files_pattern($1,xen_image_t,xen_image_t)
++')
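Review bot: the `<param name="domain">` summary in the new xen_rw_image_files interface says `Domain allowed to transition.` but the interface performs no transition; it grants read/write on xen_image_t, so this is a copy-paste from a domtrans interface. Change it to `Domain allowed access.`, and make the top summary say `xen image files` since the type is xen_image_t, not an xend type. Two smaller things: add a blank line between the preceding `')` and the new `########` banner for readability, and because write access to xen_image_t lets a caller rewrite a guest's disk, the summary should say this is meant for the management side only.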
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-06-15 13:12:32.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-08-10 16:23:05.000000000 -0400
@@ -20,12 +20,15 @@
type xenctl_t;
files_type(xenctl_t)
@@ -15373,7 +15860,7 @@
netutils_domtrans(xend_t)
optional_policy(`
-@@ -236,6 +255,10 @@
+@@ -236,19 +255,24 @@
files_read_usr_files(xenconsoled_t)
@@ -15384,7 +15871,13 @@
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
-@@ -248,7 +271,7 @@
+
+ init_use_fds(xenconsoled_t)
+ init_use_script_ptys(xenconsoled_t)
++init_use_script_fds(xenconsoled_t)
+
+ libs_use_ld_so(xenconsoled_t)
+ libs_use_shared_libs(xenconsoled_t)
miscfiles_read_localization(xenconsoled_t)
@@ -15393,7 +15886,7 @@
xen_stream_connect_xenstore(xenconsoled_t)
########################################
-@@ -283,6 +306,12 @@
+@@ -283,6 +307,12 @@
files_read_usr_files(xenstored_t)
@@ -15406,7 +15899,13 @@
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
-@@ -317,6 +346,11 @@
+@@ -312,11 +342,17 @@
+
+ allow xm_t xend_var_lib_t:dir rw_dir_perms;
+ allow xm_t xend_var_lib_t:fifo_file create_file_perms;
++allow xm_t xend_var_lib_t:sock_file create_file_perms;
+ allow xm_t xend_var_lib_t:file create_file_perms;
+ files_search_var_lib(xm_t)
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file r_file_perms;
@@ -15418,15 +15917,18 @@
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
-@@ -325,6 +359,7 @@
+@@ -325,7 +361,10 @@
corecmd_exec_bin(xm_t)
corecmd_exec_sbin(xm_t)
+corecmd_exec_sbin(xm_t)
++corecmd_exec_shell(xm_t)
++corenet_non_ipsec_sendrecv(xm_t)
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
-@@ -353,3 +388,17 @@
+ corenet_tcp_connect_soundd_port(xm_t)
+@@ -353,3 +392,17 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
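Review bot: after this hunk xm_t carries `corecmd_exec_sbin(xm_t)` twice, once as the original line and once as the earlier patch-added `+corecmd_exec_sbin(xm_t)` directly under it; remove the duplicate while adding `corecmd_exec_shell(xm_t)` here. The shell access and `corenet_non_ipsec_sendrecv(xm_t)` are real widenings of the xm domain, so name the xm operation that needs each (a shell-based helper, a connection that must work without IPsec labelling), otherwise they cannot be revisited later.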
policy-apcupsd.patch:
apcupsd.fc | 10 +++++
apcupsd.if | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
apcupsd.te | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 240 insertions(+)
Index: policy-apcupsd.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-apcupsd.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-apcupsd.patch 20 Apr 2007 15:31:18 -0000 1.3
+++ policy-apcupsd.patch 4 Sep 2007 14:00:30 -0000 1.4
@@ -1,6 +1,7 @@
---- serefpolicy-2.4.6/policy/modules/services/apcupsd.te.apcupsd 2007-04-10 14:44:39.000000000 -0400
-+++ serefpolicy-2.4.6/policy/modules/services/apcupsd.te 2007-04-20 09:22:51.000000000 -0400
-@@ -0,0 +1,92 @@
+diff -up /dev/null serefpolicy-2.4.6/policy/modules/services/apcupsd.te
+--- /dev/null 2007-09-02 13:37:21.567001794 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apcupsd.te 2007-09-04 09:40:59.000000000 -0400
+@@ -0,0 +1,122 @@
+policy_module(apcupsd,1.0.0)
+
+########################################
@@ -10,7 +11,6 @@
+
+type apcupsd_t;
+type apcupsd_exec_t;
-+domain_type(apcupsd_t)
+init_daemon_domain(apcupsd_t, apcupsd_exec_t)
+
+type apcupsd_lock_t;
@@ -19,6 +19,9 @@
+type apcupsd_log_t;
+logging_log_file(apcupsd_log_t)
+
++type apcupsd_tmp_t;
++files_tmp_file(apcupsd_tmp_t)
++
+type apcupsd_var_run_t;
+files_pid_file(apcupsd_var_run_t)
+
@@ -30,46 +33,74 @@
+# Init script handling
+init_use_fds(apcupsd_t)
+init_use_script_ptys(apcupsd_t)
-+domain_use_interactive_fds(apcupsd_t)
+
++allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
+allow apcupsd_t self:process signal;
+allow apcupsd_t self:fifo_file rw_file_perms;
+allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
+allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+
-+corenet_tcp_bind_apcupsd_port(apcupsd_t)
-+corenet_tcp_bind_all_nodes(apcupsd_t)
++allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
++files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file)
++
++allow apcupsd_t apcupsd_log_t:dir setattr;
++manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
++logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
++
++manage_files_pattern(apcupsd_t,apcupsd_tmp_t,apcupsd_tmp_t)
++files_tmp_filetrans(apcupsd_t,apcupsd_tmp_t,file)
++
++manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
++files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
++
++corecmd_exec_bin(apcupsd_t)
++corecmd_exec_shell(apcupsd_t)
++
+corenet_tcp_sendrecv_generic_if(apcupsd_t)
+corenet_tcp_sendrecv_all_nodes(apcupsd_t)
+corenet_tcp_sendrecv_all_ports(apcupsd_t)
++corenet_tcp_bind_all_nodes(apcupsd_t)
++corenet_tcp_bind_apcupsd_port(apcupsd_t)
++corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
++corenet_tcp_connect_apcupsd_port(apcupsd_t)
+
+dev_rw_generic_usb_dev(apcupsd_t)
+
++# Init script handling
++domain_use_interactive_fds(apcupsd_t)
++
+files_read_etc_files(apcupsd_t)
+files_search_locks(apcupsd_t)
++# Creates /etc/nologin
++files_manage_etc_runtime_files(apcupsd_t)
++files_etc_filetrans_etc_runtime(apcupsd_t,file)
++
++#apcupsd runs shutdown, probably need a shutdown domain
++init_rw_utmp(apcupsd_t)
++init_telinit(apcupsd_t)
++
++kernel_read_system_state(apcupsd_t)
+
+libs_use_ld_so(apcupsd_t)
+libs_use_shared_libs(apcupsd_t)
+
++logging_send_syslog_msg(apcupsd_t)
++
+miscfiles_read_localization(apcupsd_t)
+
-+ifdef(`targeted_policy',`
-+ term_dontaudit_use_unallocated_ttys(apcupsd_t)
-+ term_dontaudit_use_generic_ptys(apcupsd_t)
-+')
++userdom_use_unpriv_users_ttys(apcupsd_t)
++userdom_use_unpriv_users_ptys(apcupsd_t)
+
-+allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
-+files_lock_filetrans(apcupsd_t,apcupsd_lock_t,file)
-+
-+allow apcupsd_t apcupsd_log_t:file manage_file_perms;
-+allow apcupsd_t apcupsd_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
++term_use_generic_ptys(apcupsd_t)
++term_use_unallocated_ttys(apcupsd_t)
+
-+allow apcupsd_t apcupsd_var_run_t:file manage_file_perms;
-+allow apcupsd_t apcupsd_var_run_t:dir rw_dir_perms;
-+files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
++optional_policy(`
++ hostname_exec(apcupsd_t)
++')
+
-+logging_send_syslog_msg(apcupsd_t)
++optional_policy(`
++ mta_send_mail(apcupsd_t)
++')
+
+########################################
+#
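Review bot: `init_telinit(apcupsd_t)`, `files_manage_etc_runtime_files`/`files_etc_filetrans_etc_runtime` (for /etc/nologin), `corecmd_exec_shell` and the `dac_override` capability together let the UPS daemon change runlevel, lock users out and run arbitrary scripts, which the in-line `#apcupsd runs shutdown, probably need a shutdown domain` comment already concedes. Turn that comment into a tracked TODO or a bug reference rather than leaving it as a shrug, and check whether dac_override is really needed now that the daemon's lock, log, pid and tmp files all have their own types here. Also note that the tty rules went from a targeted-only dontaudit (`term_dontaudit_use_unallocated_ttys`, `term_dontaudit_use_generic_ptys`) to unconditional allows (`term_use_unallocated_ttys`, `term_use_generic_ptys`, `userdom_use_unpriv_users_ttys/ptys`); if that is for wall-style shutdown warnings, say so in a comment, since otherwise it reads as silencing denials by granting them.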
@@ -93,8 +124,9 @@
+corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
+corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
+
---- serefpolicy-2.4.6/policy/modules/services/apcupsd.if.apcupsd 2007-04-10 14:44:42.000000000 -0400
-+++ serefpolicy-2.4.6/policy/modules/services/apcupsd.if 2007-04-10 14:43:06.000000000 -0400
+diff -up /dev/null serefpolicy-2.4.6/policy/modules/services/apcupsd.if
+--- /dev/null 2007-09-02 13:37:21.567001794 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apcupsd.if 2007-08-10 09:53:24.000000000 -0400
@@ -0,0 +1,108 @@
+
+## <summary>policy for apcupsd</summary>
@@ -204,12 +236,14 @@
+ allow httpd_apcupsd_cgi_script_t $1:fifo_file rw_file_perms;
+ allow httpd_apcupsd_cgi_script_t $1:process sigchld;
+')
---- serefpolicy-2.4.6/policy/modules/services/apcupsd.fc.apcupsd 2007-04-10 14:44:36.000000000 -0400
-+++ serefpolicy-2.4.6/policy/modules/services/apcupsd.fc 2007-04-10 14:43:06.000000000 -0400
-@@ -0,0 +1,9 @@
+diff -up /dev/null serefpolicy-2.4.6/policy/modules/services/apcupsd.fc
+--- /dev/null 2007-09-02 13:37:21.567001794 -0400
++++ serefpolicy-2.4.6/policy/modules/services/apcupsd.fc 2007-09-04 09:42:18.000000000 -0400
+@@ -0,0 +1,10 @@
+
+/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-+/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
++/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
++/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
+/var/www/apcupsd/multimon.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)
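Review bot: the `/var/log/apcupsd\.events.*` entry is removed and re-added with identical text, so this is a whitespace-only rewrite that buries the one real addition, `/var/log/apcupsd\.status.*`. Drop the no-op pair. The leading empty `+` line at the top of the new apcupsd.fc is also pointless and could go in the same pass.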
policy-fusermount.patch:
kernel/files.fc | 1 +
kernel/filesystem.te | 6 ++++++
system/fusermount.fc | 6 ++++++
system/fusermount.if | 41 +++++++++++++++++++++++++++++++++++++++++
system/fusermount.te | 46 ++++++++++++++++++++++++++++++++++++++++++++++
system/mount.fc | 2 --
system/mount.if | 1 +
system/mount.te | 44 ++++++++++++++++++++++++++++++++------------
8 files changed, 133 insertions(+), 14 deletions(-)
Index: policy-fusermount.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-fusermount.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-fusermount.patch 17 May 2007 17:52:41 -0000 1.4
+++ policy-fusermount.patch 4 Sep 2007 14:00:30 -0000 1.5
@@ -1,5 +1,6 @@
---- /dev/null 2007-05-03 14:48:40.015638131 -0400
-+++ serefpolicy-2.4.6/policy/modules/system/fusermount.fc 2007-04-03 09:09:12.000000000 -0400
+diff -up /dev/null serefpolicy-2.4.6/policy/modules/system/fusermount.fc
+--- /dev/null 2007-09-02 13:37:21.567001794 -0400
++++ serefpolicy-2.4.6/policy/modules/system/fusermount.fc 2007-08-10 09:53:24.000000000 -0400
@@ -0,0 +1,6 @@
+# fusermount executable will have:
+# label: system_u:object_r:fusermount_exec_t
@@ -7,20 +8,41 @@
+# MCS categories: <none>
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
---- serefpolicy-2.4.6/policy/modules/system/mount.te.fusermount 2007-04-03 09:09:12.000000000 -0400
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te 2007-05-04 10:36:21.000000000 -0400
-@@ -12,6 +12,10 @@ init_system_domain(mount_t,mount_exec_t)
+diff -up serefpolicy-2.4.6/policy/modules/system/mount.te.fusermount serefpolicy-2.4.6/policy/modules/system/mount.te
+--- serefpolicy-2.4.6/policy/modules/system/mount.te.fusermount 2007-08-10 09:53:24.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/mount.te 2007-09-04 09:53:42.000000000 -0400
+@@ -12,6 +12,9 @@ init_system_domain(mount_t,mount_exec_t)
userdom_executable_file(mount_exec_t)
role system_r types mount_t;
-+type mount_ntfs_t;
-+type mount_ntfs_exec_t;
-+init_system_domain(mount_ntfs_t, mount_ntfs_exec_t)
++typealias mount_t alias mount_ntfs_t;
++typealias mount_exec_t alias mount_ntfs_exec_t;
+
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
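Review bot: `typealias mount_t alias mount_ntfs_t;` and `typealias mount_exec_t alias mount_ntfs_exec_t;` collapse the separate ntfs helper domain into mount_t, so mount.ntfs-3g now runs with mount_t's full capability set instead of the `{ setuid sys_admin }` the old mount_ntfs_t had further down in this patch. That is the "match rawhide" cleanup from the changelog and a reasonable trade, but state it in a comment above the aliases. The aliases themselves only earn their keep while something still references the mount_ntfs_* names; with the mount.fc entry and both mount.if interfaces removed later in this patch nothing visible here does, so they can probably go too.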
-@@ -66,7 +70,6 @@ fs_rw_tmpfs_chr_files(mount_t)
+@@ -30,15 +33,18 @@ ifdef(`targeted_policy',`
+ #
+
+ # setuid/setgid needed to mount cifs
+-allow mount_t self:capability { ipc_lock sys_resource sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
++allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
+
+ allow mount_t mount_loopback_t:file r_file_perms;
+-allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow mount_t mount_tmp_t:file create_file_perms;
+ allow mount_t mount_tmp_t:dir create_dir_perms;
+ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
+
++auth_use_nsswitch(mount_t)
++
++can_exec(mount_t, mount_exec_t)
++
+ kernel_read_system_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
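Review bot: `fsetid` is added to mount_t's capability line with no explanation, while the existing comment only justifies setuid/setgid for cifs; say which helper (presumably the ntfs-3g path) trips it. Swapping the removed `allow mount_t self:netlink_route_socket r_netlink_socket_perms;` for `auth_use_nsswitch(mount_t)` is the right consolidation only if auth_use_nsswitch brings the route socket back with it, so do one enforcing-mode mount by hostname (cifs or nfs) and confirm there is no new netlink_route_socket AVC. `can_exec(mount_t, mount_exec_t)` lets mount run the mount.* helpers in-domain, which is the point of the alias above, but a one-line comment saying so would help the next reader.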
+@@ -68,7 +74,6 @@ fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
term_use_all_terms(mount_t)
@@ -28,111 +50,72 @@
# required for mount.smbfs
corecmd_exec_sbin(mount_t)
-@@ -198,3 +201,54 @@ ifdef(`targeted_policy',`
+@@ -162,13 +167,8 @@ optional_policy(`
+
+ fs_search_rpc(mount_t)
+
+- sysnet_dns_name_resolve(mount_t)
+-
+ rpc_stub(mount_t)
+
+- optional_policy(`
+- nis_use_ypbind(mount_t)
+- ')
+ ')
+
+ optional_policy(`
+@@ -185,10 +185,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(mount_t)
+-')
+-
+-optional_policy(`
+ ssh_sigchld(mount_t)
+ ssh_rw_stream_sockets(mount_t)
+ ')
+@@ -201,4 +197,28 @@ optional_policy(`
+ ifdef(`targeted_policy',`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
- ')
++ optional_policy(`
++ hal_dbus_chat(unconfined_mount_t)
++ ')
++')
+
+########################################
+#
-+# mount_ntfs local policy
++# ntfs local policy
+#
-+allow mount_ntfs_t self:capability { setuid sys_admin };
-+allow mount_ntfs_t self:fifo_file { read write };
-+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_ntfs_t self:unix_dgram_socket { connect create };
-+
-+corecmd_read_bin_symlinks(mount_ntfs_t)
-+corecmd_exec_shell(mount_ntfs_t)
-+
-+files_read_etc_files(mount_ntfs_t)
-+
-+libs_use_ld_so(mount_ntfs_t)
-+libs_use_shared_libs(mount_ntfs_t)
-+
-+init_dontaudit_use_fds(mount_ntfs_t)
++allow mount_t self:fifo_file { read write };
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket { connect create };
+
-+kernel_read_system_state(mount_ntfs_t)
++corecmd_exec_shell(mount_t)
+
-+logging_send_syslog_msg(mount_ntfs_t)
++fusermount_domtrans(mount_t)
++fusermount_use_fds(mount_t)
+
-+miscfiles_read_localization(mount_ntfs_t)
-+
-+modutils_domtrans_insmod(mount_ntfs_t)
-+
-+mount_ntfs_domtrans(mount_t)
-+
-+storage_raw_read_fixed_disk(mount_ntfs_t)
-+storage_raw_write_fixed_disk(mount_ntfs_t)
++modutils_domtrans_insmod(mount_t)
+
+optional_policy(`
-+ fusermount_domtrans(mount_ntfs_t)
-+ fusermount_use_fds(mount_ntfs_t)
-+')
-+
-+optional_policy(`
-+ nscd_socket_use(mount_ntfs_t)
-+')
-+
-+optional_policy(`
-+ hal_write_log(mount_ntfs_t)
-+ hal_use_fds(mount_ntfs_t)
-+')
-+
-+ifdef(`targeted_policy',`
-+ term_use_generic_ptys(mount_ntfs_t)
-+')
-+
++ hal_write_log(mount_t)
++ hal_use_fds(mount_t)
++ hal_rw_pipes(mount_t)
+ ')
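Review bot: `fusermount_domtrans(mount_t)` and `fusermount_use_fds(mount_t)` are now called unconditionally, whereas the old mount_ntfs_t block wrapped them in optional_policy; if fusermount is built as a loadable module rather than into base (it is its own policy_module in this patch), an unconditional call fails the build, and the optional_policy wrapper costs nothing, so wrap them like the hal block right below. Two further points: the old mount_ntfs_t rules `storage_raw_read_fixed_disk`, `storage_raw_write_fixed_disk`, `logging_send_syslog_msg` and `miscfiles_read_localization` are dropped rather than moved, which is only safe if mount_t already has them, so verify against the full mount_t policy before ntfs-3g touches a raw block device in enforcing mode; and since every rule in this section now targets mount_t, the `# ntfs local policy` banner is misleading, so either fold the rules into mount_t's main block or rename the section as ntfs-3g support for mount_t. The removals of `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` are consistent with the switch to auth_use_nsswitch above.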
+diff -up serefpolicy-2.4.6/policy/modules/system/mount.if.fusermount serefpolicy-2.4.6/policy/modules/system/mount.if
--- serefpolicy-2.4.6/policy/modules/system/mount.if.fusermount 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.if 2007-04-03 09:09:12.000000000 -0400
-@@ -147,3 +147,44 @@ interface(`mount_domtrans_unconfined',`
++++ serefpolicy-2.4.6/policy/modules/system/mount.if 2007-09-04 09:56:01.000000000 -0400
+@@ -147,3 +147,4 @@ interface(`mount_domtrans_unconfined',`
refpolicywarn(`$0($1) has no effect in strict policy.')
')
')
+
-+########################################
-+## <summary>
-+## Execute a domain transition to run mount_ntfs.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`mount_ntfs_domtrans',`
-+ gen_require(`
-+ type mount_ntfs_t, mount_ntfs_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,mount_ntfs_exec_t,mount_ntfs_t)
-+
-+ allow mount_ntfs_t $1:fd use;
-+ allow mount_ntfs_t $1:fifo_file rw_file_perms;
-+ allow mount_ntfs_t $1:process sigchld;
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to read/write to
-+## init scripts with a unix domain stream sockets.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`mount_ntfs_rw_stream_sockets',`
-+ gen_require(`
-+ type mount_ntfs_t;
-+ ')
-+
-+ allow $1 mount_ntfs_t:unix_stream_socket { read write };
-+')
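Review bot: with both `mount_ntfs_domtrans` and `mount_ntfs_rw_stream_sockets` gone, the only thing this patch still does to mount.if is append a blank line (`+@@ -147,3 +147,4 @@` and the lone `+`). Drop the mount.if hunk from the patch altogether instead of shipping a whitespace-only change, and remove the `system/mount.if | 1 +` line from the diffstat with it.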
---- /dev/null 2007-05-03 14:48:40.015638131 -0400
-+++ serefpolicy-2.4.6/policy/modules/system/fusermount.te 2007-04-03 09:09:12.000000000 -0400
-@@ -0,0 +1,45 @@
+diff -up /dev/null serefpolicy-2.4.6/policy/modules/system/fusermount.te
+--- /dev/null 2007-09-02 13:37:21.567001794 -0400
++++ serefpolicy-2.4.6/policy/modules/system/fusermount.te 2007-09-04 09:46:40.000000000 -0400
+@@ -0,0 +1,46 @@
+policy_module(fusermount,1.0.0)
+
+########################################
@@ -169,17 +152,19 @@
+storage_raw_read_fixed_disk(fusermount_t)
+storage_raw_write_fixed_disk(fusermount_t)
+
-+optional_policy(`
-+ mount_ntfs_rw_stream_sockets(fusermount_t)
-+')
-+
+ifdef(`targeted_policy',`
+ term_use_generic_ptys(fusermount_t)
+ term_dontaudit_use_console(fusermount_t)
+')
+
---- /dev/null 2007-05-03 14:48:40.015638131 -0400
-+++ serefpolicy-2.4.6/policy/modules/system/fusermount.if 2007-04-03 09:09:12.000000000 -0400
++optional_policy(`
++ hal_write_log(fusermount_t)
++ hal_use_fds(fusermount_t)
++ hal_rw_pipes(fusermount_t)
++')
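Review bot: the removed optional block `mount_ntfs_rw_stream_sockets(fusermount_t)` was the only rule giving fusermount_t read/write on the ntfs helper's unix stream socket (`allow $1 mount_ntfs_t:unix_stream_socket { read write };` in the deleted mount.if interface). The helper is now mount_t, but nothing re-grants the equivalent on mount_t; the mount.te side only adds `fusermount_domtrans(mount_t)` and `fusermount_use_fds(mount_t)`, which covers fds, not socket read/write. If ntfs-3g hands fusermount one end of a socketpair, expect `fusermount_t mount_t:unix_stream_socket { read write }` denials in enforcing mode; either add that allow (as an interface in mount.if, as before) or confirm with a test mount that it is no longer needed.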
+diff -up /dev/null serefpolicy-2.4.6/policy/modules/system/fusermount.if
+--- /dev/null 2007-09-02 13:37:21.567001794 -0400
++++ serefpolicy-2.4.6/policy/modules/system/fusermount.if 2007-08-10 09:53:24.000000000 -0400
@@ -0,0 +1,41 @@
+## <summary>policy for fusermount</summary>
+
@@ -222,17 +207,18 @@
+
+ allow $1 fusermount_t:fd use;
+')
+diff -up serefpolicy-2.4.6/policy/modules/system/mount.fc.fusermount serefpolicy-2.4.6/policy/modules/system/mount.fc
--- serefpolicy-2.4.6/policy/modules/system/mount.fc.fusermount 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.fc 2007-04-03 09:09:12.000000000 -0400
-@@ -1,4 +1,3 @@
++++ serefpolicy-2.4.6/policy/modules/system/mount.fc 2007-09-04 09:48:11.000000000 -0400
+@@ -1,4 +1,2 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/sbin/mount.ntfs-3g -- gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
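Review bot: dropping `/sbin/mount.ntfs-3g -- gen_context(system_u:object_r:mount_ntfs_exec_t,s0)` leaves the ntfs-3g helper with no mount.fc entry; the remaining patterns only match `/bin/mount.*` and `/bin/umount.*`, and the typealias in mount.te keeps the old type name resolvable but labels nothing. When mount itself runs the helper this still works, because mount_t has `corecmd_exec_sbin(mount_t)` (the `# required for mount.smbfs` context above) and the helper stays in mount_t, but any other caller now runs it in its own domain instead of entering mount_t as the old label forced. If that is acceptable, say so in the patch; otherwise keep the entry with mount_exec_t. Removing the old `/usr/bin/fusermount -- mount_exec_t` line is right, since fusermount.fc labels it fusermount_exec_t.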
---- serefpolicy-2.4.6/policy/modules/kernel/filesystem.te.fusermount 2007-04-03 09:09:12.000000000 -0400
-+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2007-04-03 09:09:13.000000000 -0400
-@@ -60,6 +60,11 @@ type configfs_t;
+diff -up serefpolicy-2.4.6/policy/modules/kernel/filesystem.te.fusermount serefpolicy-2.4.6/policy/modules/kernel/filesystem.te
+--- serefpolicy-2.4.6/policy/modules/kernel/filesystem.te.fusermount 2007-08-10 09:53:24.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2007-08-10 09:53:24.000000000 -0400
+@@ -61,6 +61,11 @@ type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
@@ -244,16 +230,17 @@
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
-@@ -69,6 +74,7 @@ type fusefs_t;
- fs_type(fusefs_t)
+@@ -71,6 +76,7 @@ fs_type(fusefs_t)
allow fusefs_t self:filesystem associate;
+ fs_noxattr_type(fusefs_t)
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
type futexfs_t;
fs_type(futexfs_t)
---- serefpolicy-2.4.6/policy/modules/kernel/files.fc.fusermount 2007-04-03 09:09:12.000000000 -0400
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.fc 2007-04-03 09:09:13.000000000 -0400
+diff -up serefpolicy-2.4.6/policy/modules/kernel/files.fc.fusermount serefpolicy-2.4.6/policy/modules/kernel/files.fc
+--- serefpolicy-2.4.6/policy/modules/kernel/files.fc.fusermount 2007-08-10 09:53:24.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/files.fc 2007-08-10 09:53:24.000000000 -0400
@@ -54,6 +54,7 @@ ifdef(`distro_suse',`
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.373
retrieving revision 1.374
diff -u -r1.373 -r1.374
--- selinux-policy.spec 17 Jul 2007 20:21:05 -0000 1.373
+++ selinux-policy.spec 4 Sep 2007 14:00:30 -0000 1.374
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 80%{?dist}
+Release: 88%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -358,6 +358,46 @@
%endif
%changelog
+* Sat Sep 1 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-88
+- Cleanup of fusermount/mount-ntfs and apcupsd to match rawhide
+- Allow cimserver to create pegasus_data directories
+Resolves: #213809
+- Allow dmidecode to search sysfs_t
+Resolves: #263141
+
+* Wed Aug 21 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-87
+- Change to context on /var/run/libvirt
+Resolves: #249069
+
+* Wed Aug 21 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-86
+- More fixes for snmp
+Resolves: #246431
+
+* Tue Aug 21 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-85
+- Fix duplicate /etc/asound.state
+- Allow auditctl to getattr on all files
+Resolves: #249754
+
+* Mon Aug 20 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-84
+- Allow dovecot read of /tmp files for kerberos
+#Resolves:#251841
+- Fix apache policy for virtual hosting
+#Resolves #253309
+- Allow Xen to run on nfs
+Resolves: #253744
+
+* Thu Aug 16 2007 Steve Grubb <sgrubb at redhat.com> 2.4.6-83
+- Add set_loginuid permission to ftpd_t
+Resolves:#220085
+
+* Tue Aug 7 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-82
+- Fix java specifications for IBM
+- Fix xen startup problems
+Resolves:#249895
+
+* Tue Jul 18 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-81
+- Fixes for apcupsd
+
* Tue Jul 17 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-80
- Allow ntp to create shm
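Review bot: three %changelog stamps carry the wrong weekday and will draw rpmbuild's bogus-date warning: 21 Aug 2007 was a Tuesday (the 2.4.6-85 entry has `Tue Aug 21`, but the -86 and -87 entries say `Wed Aug 21`), and 18 Jul 2007 was a Wednesday (the -81 entry says `Tue Jul 18`; the -80 entry's `Tue Jul 17` is right). The 2.4.6-84 entry also comments out its bug references (`#Resolves:#251841`, `#Resolves #253309`) while every other entry uses `Resolves: #NNNNNN`; if those bugs are fixed by this build use the same form so the tracker picks them up, and if they are not, drop the lines.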