rpms/selinux-policy/devel modules-mls.conf, 1.2, 1.3 policy-20051208.patch, 1.13, 1.14 selinux-policy.spec, 1.51, 1.52
fedora-cvs-commits at redhat.com
Thu Dec 15 23:19:11 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22897
Modified Files:
modules-mls.conf policy-20051208.patch selinux-policy.spec
Log Message:
* Thu Dec 14 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-4
- Fixes to allow automount to use portmap
- Fixes to start kernel in s0-s15:c0.c255
Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- modules-mls.conf 22 Nov 2005 18:59:41 -0000 1.2
+++ modules-mls.conf 15 Dec 2005 23:19:08 -0000 1.3
@@ -283,6 +283,13 @@
cpucontrol = base
# Layer: services
+# Module: vbetool
+#
+# run real-mode video BIOS code to alter hardware state
+#
+vbetool = base
+
+# Layer: services
# Module: bind
#
# Berkeley internet name domain DNS server.
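Review bot: `vbetool = base` builds into the MLS base policy a module whose own description in this hunk is "run real-mode video BIOS code to alter hardware state", while `xfs` and `java` added to the same file default to `off`. Please state (in the stanza comment or the changelog) whether vbetool is actually required on MLS installs; if it is not, `vbetool = off` keeps a direct-hardware-access domain out of the base policy until someone needs it.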
@@ -383,6 +390,13 @@
telnet = base
# Layer: services
+# Module: irqbalance
+#
+# IRQ balancing daemon
+#
+irqbalance = base
+
+# Layer: services
# Module: mailman
#
# Mailman is for managing electronic mail discussion and e-newsletter lists
@@ -453,6 +467,13 @@
inn = base
# Layer: services
+# Module: sysstat
+#
+# Policy for sysstat. Reports on various system states
+#
+sysstat = base
+
+# Layer: services
# Module: comsat
#
# Comsat, a biff server.
@@ -474,6 +495,13 @@
zebra = base
# Layer: services
+# Module: xfs
+#
+# X Windows Font Server
+#
+xfs = off
+
+# Layer: services
# Module: ktalk
#
# KDE Talk daemon
@@ -502,6 +530,13 @@
cyrus = base
# Layer: services
+# Module: rdisc
+#
+# Network router discovery daemon
+#
+rdisc = base
+
+# Layer: services
# Module: xdm
#
# X windows login display manager
@@ -551,6 +586,13 @@
postfix = base
# Layer: services
+# Module: fetchmail
+#
+# Remote-mail retrieval and forwarding utility
+#
+fetchmail = base
+
+# Layer: services
# Module: ntp
#
# Network time protocol daemon
@@ -600,6 +642,13 @@
rsync = base
# Layer: services
+# Module: automount
+#
+# Filesystem automounter service.
+#
+automount = base
+
+# Layer: services
# Module: kerberos
#
# MIT Kerberos admin and KDC
@@ -873,3 +922,9 @@
#
ipsec = base
+# Layer: apps
+# Module: java
+#
+# java executable
+#
+java = off
policy-20051208.patch:
Makefile | 2 -
config/appconfig-strict-mcs/default_type | 6 +--
config/appconfig-strict-mls/default_type | 6 +--
config/appconfig-targeted-mcs/default_type | 2 -
config/appconfig-targeted-mls/default_type | 2 -
policy/flask/initial_sids | 17 -----------
policy/global_tunables | 3 +
policy/modules/admin/kudzu.te | 2 +
policy/modules/admin/logrotate.te | 4 ++
policy/modules/admin/rpm.fc | 1
policy/modules/admin/rpm.te | 7 ++++
policy/modules/admin/tmpreaper.te | 3 +
policy/modules/apps/java.fc | 4 ++
policy/modules/apps/java.if | 23 +++++++++++++++
policy/modules/apps/java.te | 24 +++++++++++++++
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/corenetwork.te.in | 2 +
policy/modules/kernel/devices.fc | 9 +++--
policy/modules/kernel/files.fc | 24 +++++++--------
policy/modules/kernel/kernel.te | 39 ++++++-------------------
policy/modules/kernel/mls.te | 2 +
policy/modules/kernel/selinux.te | 2 -
policy/modules/kernel/storage.fc | 44 ++++++++++++++---------------
policy/modules/services/automount.te | 9 ++++-
policy/modules/services/cvs.fc | 2 +
policy/modules/services/cvs.te | 6 +++
policy/modules/services/remotelogin.te | 1
policy/modules/services/sasl.te | 8 +++--
policy/modules/services/ssh.te | 10 +++---
policy/modules/system/authlogin.if | 12 +++++++
policy/modules/system/authlogin.te | 1
policy/modules/system/getty.te | 3 +
policy/modules/system/iptables.te | 2 +
policy/modules/system/libraries.fc | 17 ++++++++++-
policy/modules/system/locallogin.te | 1
policy/modules/system/logging.fc | 4 +-
policy/modules/system/logging.te | 5 +++
policy/modules/system/selinuxutil.fc | 8 ++---
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 3 +
policy/modules/system/unconfined.te | 5 ++-
policy/users | 8 +++--
42 files changed, 219 insertions(+), 116 deletions(-)
Index: policy-20051208.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051208.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- policy-20051208.patch 15 Dec 2005 03:31:43 -0000 1.13
+++ policy-20051208.patch 15 Dec 2005 23:19:08 -0000 1.14
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/default_type serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type
--- nsaserefpolicy/config/appconfig-strict-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type 2005-12-15 11:49:35.000000000 -0500
@@ -1,3 +1,3 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
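Review bot: this hunk changes only the timestamp in the inner `+++` header (2005-12-14 15:54:33 to 2005-12-15 11:49:35); the default_type content itself was already in revision 1.13. The same timestamp-only churn appears below in the strict-mls, targeted-mcs, targeted-mls, Makefile, java.fc, java.if, java.te, webalizer.te, cvs.fc and cvs.te hunks. Regenerating the patch with the timestamps stripped from the `---`/`+++` lines would make future diffs of policy-20051208.patch show only substantive changes.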
@@ -10,7 +10,7 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.1.6/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-15 11:49:35.000000000 -0500
@@ -1,3 +1,3 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
@@ -20,19 +20,19 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type
--- nsaserefpolicy/config/appconfig-targeted-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-15 11:49:35.000000000 -0500
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/default_type serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type
--- nsaserefpolicy/config/appconfig-targeted-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type 2005-12-15 11:49:35.000000000 -0500
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.6/Makefile
--- nsaserefpolicy/Makefile 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/Makefile 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/Makefile 2005-12-15 11:49:35.000000000 -0500
@@ -92,7 +92,7 @@
# enable MLS if requested.
@@ -42,9 +42,40 @@
override CHECKPOLICY += -M
override CHECKMODULE += -M
endif
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/initial_sids serefpolicy-2.1.6/policy/flask/initial_sids
+--- nsaserefpolicy/policy/flask/initial_sids 2005-11-14 18:24:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/flask/initial_sids 2005-12-15 11:59:25.000000000 -0500
+@@ -9,27 +9,10 @@
+ sid unlabeled
+ sid fs
+ sid file
+-sid file_labels
+-sid init
+-sid any_socket
+ sid port
+ sid netif
+-sid netmsg
+ sid node
+-sid igmp_packet
+-sid icmp_socket
+-sid tcp_socket
+-sid sysctl_modprobe
+ sid sysctl
+-sid sysctl_fs
+-sid sysctl_kernel
+-sid sysctl_net
+-sid sysctl_net_unix
+-sid sysctl_vm
+-sid sysctl_dev
+-sid kmod
+-sid policy
+-sid scmp_packet
+ sid devnull
+
+ # FLASK
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.1.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2005-12-12 23:05:35.000000000 -0500
-+++ serefpolicy-2.1.6/policy/global_tunables 2005-12-14 17:06:11.000000000 -0500
++++ serefpolicy-2.1.6/policy/global_tunables 2005-12-15 11:49:35.000000000 -0500
@@ -42,6 +42,9 @@
## Allow sasl to read shadow
gen_tunable(allow_saslauthd_read_shadow,false)
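Review bot: deleting `sid file_labels`, `sid init`, `sid any_socket`, `sid netmsg` and the other unused entries from the middle of policy/flask/initial_sids changes the ordinal position of every SID that follows them (`sid port`, `sid netif`, `sid node`, `sid sysctl`, `sid devnull`). checkpolicy numbers initial SIDs by their order in this file and the kernel of this era addresses them by fixed number, so before shipping please confirm on a booted MLS kernel that port, netif, node and devnull objects still get the contexts this policy assigns them; the "no longer used, and can be removed" comment deleted in the kernel.te hunk further down refers to the policy side, not to the numbering. If the unused entries must go, keeping them as placeholders, or removing only from the end of the list, preserves the numbering.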
@@ -55,9 +86,82 @@
## Allow samba to modify public files
## used for public file transfer services.
gen_tunable(allow_smbd_anon_write,false)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.1.6/policy/modules/admin/kudzu.te
+--- nsaserefpolicy/policy/modules/admin/kudzu.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/kudzu.te 2005-12-15 15:43:51.000000000 -0500
+@@ -47,6 +47,8 @@
+ kernel_rw_hotplug_sysctl(kudzu_t)
+ kernel_rw_kernel_sysctl(kudzu_t)
+
++mls_file_read_up(kudzu_t)
++
+ bootloader_read_kernel_modules(kudzu_t)
+
+ dev_list_sysfs(kudzu_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-2.1.6/policy/modules/admin/logrotate.te
+--- nsaserefpolicy/policy/modules/admin/logrotate.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/logrotate.te 2005-12-15 15:01:11.000000000 -0500
+@@ -67,6 +67,10 @@
+ kernel_read_system_state(logrotate_t)
+ kernel_read_kernel_sysctl(logrotate_t)
+
++mls_file_read_up(logrotate_t)
++mls_file_write_down(logrotate_t)
++mls_file_upgrade(logrotate_t)
++
+ dev_read_urand(logrotate_t)
+
+ fs_search_auto_mountpoints(logrotate_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.1.6/policy/modules/admin/rpm.fc
+--- nsaserefpolicy/policy/modules/admin/rpm.fc 2005-11-14 18:24:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/rpm.fc 2005-12-15 18:10:14.000000000 -0500
+@@ -1,5 +1,6 @@
+
+ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ /usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.1.6/policy/modules/admin/rpm.te
+--- nsaserefpolicy/policy/modules/admin/rpm.te 2005-12-14 10:38:49.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/rpm.te 2005-12-15 15:00:51.000000000 -0500
+@@ -114,6 +114,10 @@
+ fs_getattr_all_fs(rpm_t)
+ fs_search_auto_mountpoints(rpm_t)
+
++mls_file_read_up(rpm_t)
++mls_file_write_down(rpm_t)
++mls_file_upgrade(rpm_t)
++
+ selinux_get_fs_mount(rpm_t)
+ selinux_validate_context(rpm_t)
+ selinux_compute_access_vector(rpm_t)
+@@ -269,6 +273,9 @@
+ fs_unmount_xattr_fs(rpm_script_t)
+ fs_search_auto_mountpoints(rpm_script_t)
+
++mls_file_read_up(rpm_script_t)
++mls_file_write_down(rpm_script_t)
++
+ selinux_get_fs_mount(rpm_script_t)
+ selinux_validate_context(rpm_script_t)
+ selinux_compute_access_vector(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te
+--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te 2005-12-15 14:59:37.000000000 -0500
+@@ -39,6 +39,9 @@
+ miscfiles_read_localization(tmpreaper_t)
+ miscfiles_delete_man_pages(tmpreaper_t)
+
++mls_file_read_up(tmpreaper_t)
++mls_file_write_down(tmpreaper_t)
++
+ cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
+
+ ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.fc 2005-12-14 22:09:02.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.fc 2005-12-15 11:49:35.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/.*/java -- gen_context(system_u:object_r:java_exec_t,s0)
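Review bot: the kudzu, logrotate, rpm and tmpreaper additions grant `mls_file_read_up`, `mls_file_write_down` and, for logrotate_t and rpm_t, `mls_file_upgrade`, which exempt those domains from the MLS read-up and write-down constraints, yet neither the changelog nor the .te files say why each exemption is needed. Suggest a one-line comment above each block stating the concrete operation that fails without it, and a changelog entry, since these are the rules an MLS auditor will ask about; also check whether `rpm_script_t` (read_up and write_down only) and `rpm_t` (adds upgrade) are intentionally different. In the same hunk, `+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)` runs the smart package manager in the rpm_t domain; that is a trust decision worth naming in the changelog too.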
@@ -65,7 +169,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.1.6/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.if 2005-12-14 21:38:10.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.if 2005-12-15 11:49:35.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
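Review bot: the java.if summary line `## <summary>Load keyboard mappings.</summary>` does not describe a java interface and looks copied from another module's .if file; replace it with a summary that matches what the interface body (not shown in this diff of the patch) actually does, since this text is what the generated policy documentation will print for the java module.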
@@ -92,7 +196,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.1.6/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.te 2005-12-14 21:36:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.te 2005-12-15 11:49:35.000000000 -0500
@@ -0,0 +1,24 @@
+policy_module(java,1.0.0)
+
@@ -120,7 +224,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.1.6/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/webalizer.te 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/webalizer.te 2005-12-15 11:49:35.000000000 -0500
@@ -87,6 +87,7 @@
sysnet_read_config(webalizer_t)
@@ -129,10 +233,243 @@
apache_read_log(webalizer_t)
apache_manage_sys_content(webalizer_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2005-12-02 17:53:26.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in 2005-12-15 12:49:36.000000000 -0500
+@@ -166,5 +166,7 @@
+ type netif_t, netif_type;
+ sid netif gen_context(system_u:object_r:netif_t,s0)
+
++type netif_lo_t, netif_type;
++
+ #network_interface(lo, lo,s0)
+ #network_interface(eth0, eth0,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.1.6/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2005-11-14 18:24:07.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/devices.fc 2005-12-15 13:30:24.000000000 -0500
+@@ -17,10 +17,10 @@
+ /dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+-/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s0)
++/dev/kmem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+ /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+-/dev/mem -c gen_context(system_u:object_r:memory_device_t,s0)
++/dev/mem -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+ /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -28,11 +28,11 @@
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+-/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s0)
++/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+-/dev/port -c gen_context(system_u:object_r:memory_device_t,s0)
++/dev/port -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
+ /dev/psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
+@@ -70,6 +70,7 @@
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
++/dev/pts -d gen_context(system_u:object_r:devpts_t,s15:c0.c255)
+ /dev/pts(/.*)? <<none>>
+
+ /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.1.6/policy/modules/kernel/files.fc
+--- nsaserefpolicy/policy/modules/kernel/files.fc 2005-12-01 17:57:16.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/files.fc 2005-12-15 18:13:19.000000000 -0500
+@@ -24,7 +24,7 @@
+ # /boot
+ #
+ /boot/\.journal <<none>>
+-/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /boot/lost\+found/.* <<none>>
+
+ #
+@@ -88,9 +88,9 @@
+ # HOME_ROOT
+ # expanded by genhomedircon
+ #
+-HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0)
++HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s15:c0.c255)
+ HOME_ROOT/\.journal <<none>>
+-HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ HOME_ROOT/lost\+found/.* <<none>>
+
+ #
+@@ -102,7 +102,7 @@
+ #
+ # /lost+found
+ #
+-/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /lost\+found/.* <<none>>
+
+ #
+@@ -149,11 +149,11 @@
+ #
+ # /tmp
+ #
+-/tmp -d gen_context(system_u:object_r:tmp_t,s0)
++/tmp -d gen_context(system_u:object_r:tmp_t,s15:c0.c255)
+ /tmp/.* <<none>>
+ /tmp/\.journal <<none>>
+
+-/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /tmp/lost\+found/.* <<none>>
+
+ #
+@@ -170,19 +170,19 @@
+
+ /usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+
+-/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /usr/local/lost\+found/.* <<none>>
+
+ /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
+-/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /usr/lost\+found/.* <<none>>
+
+ /usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+
+ /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
+
+-/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0)
++/usr/tmp -d gen_context(system_u:object_r:tmp_t,s15:c0.c255)
+ /usr/tmp/.* <<none>>
+
+ #
+@@ -201,7 +201,7 @@
+
+ /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
+
+-/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /var/lost\+found/.* <<none>>
+
+ /var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0)
+@@ -209,8 +209,8 @@
+
+ /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
+
+-/var/tmp -d gen_context(system_u:object_r:tmp_t,s0)
++/var/tmp -d gen_context(system_u:object_r:tmp_t,s15:c0.c255)
+ /var/tmp/.* <<none>>
+-/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s0)
++/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
+ /var/tmp/lost\+found/.* <<none>>
+ /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.6/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-15 12:53:58.000000000 -0500
+@@ -38,7 +38,7 @@
+ domain_base_type(kernel_t)
+ mls_rangetrans_source(kernel_t)
+ role system_r types kernel_t;
+-sid kernel gen_context(system_u:system_r:kernel_t,s0 - s9:c0.c127)
++sid kernel gen_context(system_u:system_r:kernel_t,s15:c0.c255)
+
+ #
+ # DebugFS
+@@ -61,13 +61,13 @@
+
+ # kernel message interface
+ type proc_kmsg_t, proc_type;
+-genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s0)
++genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,s15:c0.c255)
+ neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
+
+ # /proc kcore: inaccessible
+ type proc_kcore_t, proc_type;
+ neverallow { domain -kern_unconfined } proc_kcore_t:file ~getattr;
+-genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s0)
++genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,s15:c0.c255)
+
+ type proc_mdstat_t, proc_type;
+ genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
+@@ -96,11 +96,11 @@
+ # /proc/sys/fs directory and files
+ type sysctl_fs_t, sysctl_type;
+ files_mountpoint(sysctl_fs_t)
+-genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
++genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s15:c0.c255)
+
+ # /proc/sys/kernel directory and files
+ type sysctl_kernel_t, sysctl_type;
+-genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
++genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s15:c0.c255)
+
+ # /proc/sys/kernel/modprobe file
+ type sysctl_modprobe_t, sysctl_type;
+@@ -112,19 +112,19 @@
+
+ # /proc/sys/net directory and files
+ type sysctl_net_t, sysctl_type;
+-genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
++genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s15:c0.c255)
+
+ # /proc/sys/net/unix directory and files
+ type sysctl_net_unix_t, sysctl_type;
+-genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
++genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s15:c0.c255)
+
+ # /proc/sys/vm directory and files
+ type sysctl_vm_t, sysctl_type;
+-genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
++genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s15:c0.c255)
+
+ # /proc/sys/dev directory and files
+ type sysctl_dev_t, sysctl_type;
+-genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
++genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s15:c0.c255)
+
+ #
+ # unlabeled_t is the type of unlabeled objects.
+@@ -132,26 +132,7 @@
+ # have labels that are no longer valid are treated as having this type.
+ #
+ type unlabeled_t;
+-sid unlabeled gen_context(system_u:object_r:unlabeled_t,s0)
+-
+-# These initial sids are no longer used, and can be removed:
+-sid any_socket gen_context(system_u:object_r:unlabeled_t,s0)
+-sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
+-sid icmp_socket gen_context(system_u:object_r:unlabeled_t,s0)
+-sid igmp_packet gen_context(system_u:object_r:unlabeled_t,s0)
+-sid init gen_context(system_u:object_r:unlabeled_t,s0)
+-sid kmod gen_context(system_u:object_r:unlabeled_t,s0)
+-sid netmsg gen_context(system_u:object_r:unlabeled_t,s0)
+-sid policy gen_context(system_u:object_r:unlabeled_t,s0)
+-sid scmp_packet gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_fs gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_kernel gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_net gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_net_unix gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_vm gen_context(system_u:object_r:unlabeled_t,s0)
+-sid sysctl_dev gen_context(system_u:object_r:unlabeled_t,s0)
+-sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s0)
++sid unlabeled gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
+
+ ########################################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.6/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2005-12-13 15:51:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-14 15:54:33.000000000 -0500
-@@ -79,6 +79,7 @@
++++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-15 12:08:25.000000000 -0500
+@@ -79,9 +79,11 @@
# these might be targeted_policy only
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
range_transition unconfined_t initrc_exec_t s0;
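Review bot: `sid kernel` moves from the range `s0 - s9:c0.c127` to the single level `s15:c0.c255`, but the changelog entry says "start kernel in s0-s15:c0.c255"; one of the two should be corrected so they agree, because a single level means low = high = s15:c0.c255 and only the `range_transition kernel_t init_exec_t s0 - s15:c0.c255` line brings init back to a range. Two smaller points in the same hunk: corenetwork.te.in declares `type netif_lo_t, netif_type;` but adds no netifcon for lo (the `#network_interface(lo, lo,s0)` line stays commented out), so the type is declared and never used; and in devices.fc the new `/dev/pts -d gen_context(system_u:object_r:devpts_t,s15:c0.c255)` entry is immediately followed by `/dev/pts(/.*)? <<none>>`, which also matches `/dev/pts` and comes later in the file, so check with `matchpathcon /dev/pts` that the `-d` entry is not shadowed.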
@@ -140,9 +477,148 @@
')
ifdef(`enable_mls',`
+ # run init with maximum MLS range
+ range_transition kernel_t init_exec_t s0 - s15:c0.c255;
++range_transition initrc_t auditd_exec_t s15:c0.c255;
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.1.6/policy/modules/kernel/selinux.te
+--- nsaserefpolicy/policy/modules/kernel/selinux.te 2005-12-09 23:35:04.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/selinux.te 2005-12-15 11:49:35.000000000 -0500
+@@ -18,7 +18,7 @@
+ type security_t;
+ fs_type(security_t)
+ mls_trusted_object(security_t)
+-sid security gen_context(system_u:object_r:security_t,s0)
++sid security gen_context(system_u:object_r:security_t,s15:c0.c255)
+ genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
+
+ neverallow ~can_load_policy security_t:security load_policy;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.1.6/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2005-11-14 18:24:07.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/storage.fc 2005-12-15 13:27:21.000000000 -0500
+@@ -5,35 +5,35 @@
+ /dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/[shmx]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
++/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ ifdef(`distro_redhat', `
+-/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ ')
+ /dev/s(cd|r)[^/]* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sbpcd.* -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -41,21 +41,21 @@
+ /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
+-/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+-/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+-/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/cciss/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+-/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/i2o/hd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+-/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+ /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+-/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+-/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+-/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/scramdisk/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+
+ /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.6/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te 2005-12-13 15:51:49.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/automount.te 2005-12-15 11:49:35.000000000 -0500
+@@ -28,7 +28,7 @@
+ # Local policy
+ #
+
+-allow automount_t self:capability { sys_nice dac_override };
++allow automount_t self:capability { net_bind_service sys_nice dac_override };
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched };
+ allow automount_t self:fifo_file rw_file_perms;
+@@ -65,7 +65,7 @@
+
+ bootloader_getattr_boot_dir(automount_t)
+
+-corecmd_search_sbin(automount_t)
++corecmd_exec_sbin(automount_t)
+ corecmd_exec_bin(automount_t)
+ corecmd_exec_shell(automount_t)
+
+@@ -81,6 +81,10 @@
+ corenet_tcp_bind_all_nodes(automount_t)
+ corenet_udp_bind_all_nodes(automount_t)
+
++corenet_tcp_connect_portmap_port(automount_t)
++corenet_tcp_connect_all_ports(automount_t)
++corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
++
+ dev_read_sysfs(automount_t)
+ # for SSP
+ dev_read_urand(automount_t)
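Review bot: `corenet_tcp_connect_all_ports(automount_t)` makes the preceding `corenet_tcp_connect_portmap_port(automount_t)` redundant and lets automount initiate TCP connections to every labelled port, far more than "allow automount to use portmap" from the changelog requires; it also makes the following `corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)` dead, because reserved ports are already allowed by the all-ports rule and never produce a denial to suppress. Suggest keeping the portmap_port line, adding the specific port interfaces automount actually connects to, and dropping the other two.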
+@@ -113,6 +117,7 @@
+ libs_use_shared_libs(automount_t)
+
+ logging_send_syslog_msg(automount_t)
++logging_search_logs(automount_t)
+
+ miscfiles_read_localization(automount_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-2.1.6/policy/modules/services/cvs.fc
--- nsaserefpolicy/policy/modules/services/cvs.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-15 11:49:35.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
@@ -150,7 +626,7 @@
+/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.1.6/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cvs.te 2005-12-14 17:24:39.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cvs.te 2005-12-15 11:49:35.000000000 -0500
@@ -86,6 +86,12 @@
mta_send_mail(cvs_t)
@@ -164,9 +640,20 @@
optional_policy(`kerberos',`
kerberos_use(cvs_t)
kerberos_read_keytab(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-2.1.6/policy/modules/services/remotelogin.te
+--- nsaserefpolicy/policy/modules/services/remotelogin.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/remotelogin.te 2005-12-15 15:02:19.000000000 -0500
+@@ -106,6 +106,7 @@
+
+ logging_send_syslog_msg(remote_login_t)
+
++mls_file_read_up(remote_login_t)
+ mls_file_write_down(remote_login_t)
+ mls_file_upgrade(remote_login_t)
+ mls_file_downgrade(remote_login_t)
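Review bot: `mls_file_read_up(remote_login_t)` completes the set with the existing write_down/upgrade/downgrade lines, so remote_login_t can now read at any level as well as write and relabel across levels. That is expected for a login program that sets up sessions at levels other than its own, but a one-line comment saying which files it has to read above its own level would make the grant auditable. The same addition is made for local_login_t in the locallogin.te hunk further down, so the two login domains stay consistent.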
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.1.6/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/sasl.te 2005-12-14 17:23:48.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/sasl.te 2005-12-15 11:49:35.000000000 -0500
@@ -88,9 +88,11 @@
')
@@ -182,9 +669,36 @@
optional_policy(`mysql',`
mysql_search_db_dir(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.1.6/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/ssh.te 2005-12-15 14:57:46.000000000 -0500
+@@ -91,10 +91,6 @@
+
+ seutil_read_config(sshd_t)
+
+- ifdef(`targeted_policy',`
+- unconfined_domain_template(sshd_t)
+- ')
+-
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
+ # ioctl is necessary for logout() processing for utmp entry and for w to
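Review bot: deleting the `ifdef(`targeted_policy',` / `unconfined_domain_template(sshd_t)` / `')` block confines sshd_t in the targeted policy as well, a behaviour change for targeted installs that neither of the changelog lines (automount/portmap and the kernel MLS range) nor a comment in the hunk mentions; add a changelog entry for it or confirm it belongs in this MLS-focused change. The removal is the right direction for least privilege, but sshd_t then has to carry every rule it previously got from the unconfined template, which this hunk does not show.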
+@@ -115,6 +111,12 @@
+ rpm_use_script_fd(sshd_t)
+ ')
+
++ mls_file_read_up(sshd_t)
++ mls_file_write_down(sshd_t)
++ mls_file_upgrade(sshd_t)
++ mls_file_downgrade(sshd_t)
++ mls_process_set_level(sshd_t)
++
+ ifdef(`TODO',`
+ tunable_policy(`ssh_sysadm_login',`
+ # Relabel and access ptys created by sshd
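Review bot: the five new lines from `mls_file_read_up(sshd_t)` to `mls_process_set_level(sshd_t)` appear indented (leading whitespace after the `++`) although they follow the closing `')` of the rpm block and sit at top level, next to the unindented `ifdef(`TODO',` that follows; drop the indentation so the nesting reads correctly. On substance, these make sshd_t a fully MLS-trusted domain (read up, write down, relabel in both directions, set process level), mirroring what remote_login_t and local_login_t receive elsewhere in this patch; a comment tying the grant to logging users in at their own level would help the next reader.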
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.1.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2005-12-08 15:57:16.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/authlogin.if 2005-12-14 17:23:21.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/authlogin.if 2005-12-15 11:49:35.000000000 -0500
@@ -320,15 +320,25 @@
## </param>
#
@@ -212,9 +726,45 @@
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.6/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/authlogin.te 2005-12-15 15:11:31.000000000 -0500
+@@ -211,6 +211,7 @@
+ logging_send_syslog_msg(pam_console_t)
+
+ mls_file_read_up(pam_console_t)
++mls_file_write_down(pam_console_t)
+
+ seutil_read_file_contexts(pam_console_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.1.6/policy/modules/system/getty.te
+--- nsaserefpolicy/policy/modules/system/getty.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/getty.te 2005-12-15 14:50:35.000000000 -0500
+@@ -63,6 +63,9 @@
+ kernel_list_proc(getty_t)
+ kernel_read_proc_symlinks(getty_t)
+
++mls_file_read_up(getty_t)
++mls_file_write_down(getty_t)
++
+ dev_read_sysfs(getty_t)
+
+ fs_search_auto_mountpoints(getty_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.1.6/policy/modules/system/iptables.te
+--- nsaserefpolicy/policy/modules/system/iptables.te 2005-12-09 23:35:07.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/iptables.te 2005-12-15 15:43:34.000000000 -0500
+@@ -43,6 +43,8 @@
+ kernel_read_modprobe_sysctl(iptables_t)
+ kernel_use_fd(iptables_t)
+
++mls_file_read_up(iptables_t)
++
+ dev_read_sysfs(iptables_t)
+
+ fs_getattr_xattr_fs(iptables_t)
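Review bot: `mls_file_read_up(iptables_t)` is added without a write counterpart, which is the minimal grant if iptables only needs to read files that this patch now labels above s0; a comment naming the file would make clear that the read-only direction is by design rather than an incomplete pair, since the other hunks in this patch mostly add read_up and write_down together.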
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/libraries.fc 2005-12-14 17:46:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/libraries.fc 2005-12-15 11:49:35.000000000 -0500
@@ -11,6 +11,20 @@
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -250,9 +800,83 @@
/var/lib/samba/bin/.*\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.6/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te 2005-12-09 23:35:08.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-15 15:02:59.000000000 -0500
+@@ -152,6 +152,7 @@
+
+ miscfiles_read_localization(local_login_t)
+
++mls_file_read_up(local_login_t)
+ mls_file_write_down(local_login_t)
+ mls_file_upgrade(local_login_t)
+ mls_file_downgrade(local_login_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.1.6/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2005-11-14 18:24:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.fc 2005-12-15 13:53:23.000000000 -0500
+@@ -20,9 +20,9 @@
+ ')
+
+ /var/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+-/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s0)
++/var/log/audit.log -- gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+
+-/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s0)
++/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,s15:c0.c255)
+
+ /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
+ /var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
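Review bot: raising `/var/log/audit.log` and `/var/log/audit(/.*)?` to s15:c0.c255 means only domains with mls_file_read_up, or a range dominating SystemHigh, can read the audit trail from a lower level, which is the intended protection; but auditd_t must then be able to write at SystemHigh, and that depends on the `mls_rangetrans_target(auditd_t)` addition in the logging.te hunk below plus a range_transition rule that actually starts auditd at that level, which this patch does not show. Also confirm that log rotation and any other consumer of /var/log/audit runs in a domain cleared to s15:c0.c255 (auditctl_t gets read_up below; nothing else does).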
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.1.6/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2005-12-09 23:35:08.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.te 2005-12-15 15:42:12.000000000 -0500
+@@ -71,6 +71,8 @@
+ kernel_read_kernel_sysctl(auditctl_t)
+ kernel_read_proc_symlinks(auditctl_t)
+
++mls_file_read_up(auditctl_t)
++
+ domain_read_all_domains_state(auditctl_t)
+ domain_use_wide_inherit_fd(auditctl_t)
+
+@@ -155,6 +157,7 @@
+ miscfiles_read_localization(auditd_t)
+
+ mls_file_read_up(auditd_t)
++mls_rangetrans_target(auditd_t)
+
+ seutil_dontaudit_read_config(auditd_t)
+
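Review bot: `mls_rangetrans_target(auditd_t)` only marks auditd_t as a permitted target of an MLS range transition; it does not by itself start auditd at s15:c0.c255. The corresponding range_transition rule from the domain that launches auditd is not in this patch, so either it already exists in the reference policy or the audit daemon keeps the range it inherits and cannot write the log files that logging.fc now labels SystemHigh. A comment here pointing at that rule would make the pairing visible.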
+@@ -227,6 +230,8 @@
+
+ miscfiles_read_localization(klogd_t)
+
++mls_file_read_up(klogd_t)
++
+ userdom_dontaudit_search_sysadm_home_dir(klogd_t)
+
+ optional_policy(`udev',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc
+--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2005-11-14 18:24:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc 2005-12-15 13:34:20.000000000 -0500
+@@ -7,11 +7,11 @@
+
+ /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
+
+-/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
++/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s15:c0.c255)
+
+-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s0)
+-
+-/etc/selinux/([^/]*/)?src(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
++/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c255)
++/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
++/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)
+
+ #
+ # /root
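Review bot: the new `/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c255)` entry combines the directory-style regex `(/.*)?` with the `--` regular-file specifier, so the `users` directory itself is not matched by this entry (`--` matches only regular files) and gets whatever less specific entry applies instead; drop the `--` so the directory and its contents are labelled together, as the `contexts(/.*)?` and `policy(/.*)?` entries above do. Separately, removing the `/etc/selinux/([^/]*/)?src(/.*)?` policy_src_t line is unrelated to the MLS level changes and is not mentioned in the changelog; if policy_src_t is being retired, that deserves its own entry.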
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-2.1.6/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-15 11:49:35.000000000 -0500
@@ -17,3 +17,4 @@
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -260,7 +884,7 @@
+/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.1.6/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-14 15:54:33.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-15 11:49:35.000000000 -0500
@@ -39,7 +39,7 @@
# Local policy
#
@@ -280,7 +904,7 @@
kernel_signal(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/unconfined.te 2005-12-14 21:39:22.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/unconfined.te 2005-12-15 11:49:35.000000000 -0500
@@ -57,6 +57,10 @@
bluetooth_domtrans_helper(unconfined_t)
')
@@ -302,13 +926,26 @@
optional_policy(`samba',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.6/policy/users
--- nsaserefpolicy/policy/users 2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.1.6/policy/users 2005-12-14 15:54:33.000000000 -0500
-@@ -27,6 +27,8 @@
++++ serefpolicy-2.1.6/policy/users 2005-12-15 13:15:09.000000000 -0500
+@@ -26,7 +26,9 @@
+ ifdef(`targeted_policy',`
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
- gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
-+gen_user(staff_u, staff_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+-gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
++gen_user(user_u, user_r, s0, s0 - s0, c0)
++gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
#
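Review bot: changing user_u from `s0, s0 - s15:c0.c255, c0.c255` to `s0, s0 - s0, c0` pins unprivileged users to a single level s0 with only category c0 available, so any MLS deployment that cleared user_u accounts above s0 loses that clearance on upgrade, and the changelog does not mention it. If the intent is that ordinary users are SystemLow-only, a comment stating that here would help; staff_u and sysadm_u, which keep the full range, become the only way to log in at a higher level. The hunk also gives staff_u the new secadm_r role, consistent with the root change in the next hunk but likewise missing from the changelog.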
+@@ -40,8 +42,8 @@
+ gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+ ',`
+ ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
++ gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+ ',`
+- gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
++ gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
+ ')
+ ')
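Review bot: the `direct_sysadm_daemon` else-branch has a stray space before the comma in `gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)`, unlike the branch above it; tidy it so the two lines differ only in the `system_r` role. Both branches now give the root identity secadm_r alongside sysadm_r, so the separation between security administration and system administration is enforced only by role switching, not by identity; if that is intended for this policy flavour, say so in the changelog, since it is exactly the kind of role separation an MLS review looks for.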
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- selinux-policy.spec 15 Dec 2005 03:31:43 -0000 1.51
+++ selinux-policy.spec 15 Dec 2005 23:19:08 -0000 1.52
@@ -7,7 +7,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.1.6
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -40,6 +40,7 @@
SELinux Reference policy targeted base module.
%define installCmds() \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} bare \
cp -f ${RPM_SOURCE_DIR}/modules-%1.conf ./policy/modules.conf \
cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
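Review bot: running `make ... bare` before copying the flavour-specific modules.conf and booleans.conf into place is the right order, since it discards the previous flavour's generated files before the new configuration is dropped in; but the long `NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}` argument list is now duplicated verbatim between this line and the base.pp line below, so a shell variable or macro for the common arguments would keep the two from drifting apart.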
@@ -242,6 +243,10 @@
%changelog
+* Thu Dec 14 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-4
+- Fixes to allow automount to use portmap
+- Fixes to start kernel in s0-s15:c0.c255
+
* Wed Dec 14 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-3
- Add java unconfined/execmem policy
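Review bot: the new %changelog entry is labelled `2.1.5-4` and dated `Thu Dec 14 2005`, but the spec now declares Version 2.1.6 / Release 4 and the entry directly below it calls the same date `Wed Dec 14 2005`; the commit itself is dated Thu Dec 15 2005, so this should read `Thu Dec 15 2005 ... 2.1.6-4` (rpmbuild warns about bogus or out-of-order changelog dates). The two bullet points also omit the sshd/login/audit MLS grants, the selinuxutil and audit log relabelling, and the user_u range change that make up most of this patch.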