rpms/selinux-policy/devel policy-20060411.patch,1.8,1.9

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Apr 20 17:32:31 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv29473

Modified Files:
	policy-20060411.patch 
Log Message:
* Wed Apr 19 2006 Dan Walsh <dwalsh at redhat.com> 2.2.34-1
- Update to latest from upstream
- Allow selinux-policy to be removed without crashing the kernel


policy-20060411.patch:
 config/appconfig-strict-mls/default_type |    1 
 policy/modules/admin/netutils.te         |    2 -
 policy/modules/admin/usermanage.te       |    1 
 policy/modules/kernel/corecommands.fc    |    1 
 policy/modules/kernel/devices.if         |   20 +++++++++++++++++
 policy/modules/kernel/domain.te          |    1 
 policy/modules/kernel/files.if           |   35 +++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te          |    1 
 policy/modules/kernel/terminal.if        |    2 -
 policy/modules/services/pegasus.te       |    8 +++++++
 policy/modules/services/samba.te         |    2 -
 policy/modules/system/authlogin.te       |    2 +
 policy/modules/system/init.te            |    1 
 policy/modules/system/libraries.fc       |   20 +++--------------
 policy/modules/system/logging.te         |    4 +--
 policy/modules/system/sysnetwork.te      |    2 +
 policy/modules/system/unconfined.if      |   18 +++++++++++++++
 policy/modules/system/userdomain.te      |   24 +++++++++++++++++++--
 policy/modules/system/xen.if             |   18 +++++++++++++++
 policy/modules/system/xen.te             |    1 
 policy/rolemap                           |    1 
 policy/users                             |    6 ++---
 22 files changed, 145 insertions(+), 26 deletions(-)

Index: policy-20060411.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060411.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20060411.patch	19 Apr 2006 17:37:38 -0000	1.8
+++ policy-20060411.patch	20 Apr 2006 17:31:38 -0000	1.9
@@ -1,6 +1,48 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.34/config/appconfig-strict-mls/default_type
+--- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
++++ serefpolicy-2.2.34/config/appconfig-strict-mls/default_type	2006-04-20 09:56:58.000000000 -0400
+@@ -2,3 +2,4 @@
+ secadm_r:secadm_t
+ staff_r:staff_t
+ user_r:user_t
++auditadm_r:auditadm_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.34/policy/modules/admin/netutils.te
+--- nsaserefpolicy/policy/modules/admin/netutils.te	2006-04-06 14:05:24.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/admin/netutils.te	2006-04-20 09:56:58.000000000 -0400
+@@ -97,7 +97,7 @@
+ 
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:udp_socket create_socket_perms;
+-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
++allow ping_t self:{ rawip_socket packet_socket } { create ioctl read write bind getopt setopt };
+ 
+ corenet_tcp_sendrecv_all_if(ping_t)
+ corenet_udp_sendrecv_all_if(ping_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.34/policy/modules/admin/usermanage.te
+--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/admin/usermanage.te	2006-04-20 12:49:39.000000000 -0400
+@@ -514,6 +514,7 @@
+ # Add/remove user home directories
+ userdom_home_filetrans_generic_user_home_dir(useradd_t)
+ userdom_manage_generic_user_home_content_dirs(useradd_t)
++userdom_manage_generic_user_home_content_files(useradd_t)
+ userdom_manage_staff_home_dirs(useradd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.34/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/corecommands.fc	2006-04-20 11:28:21.000000000 -0400
+@@ -177,6 +177,7 @@
+ ifdef(`distro_redhat', `
+ /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.34/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/kernel/devices.if	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/devices.if	2006-04-20 09:56:58.000000000 -0400
 @@ -2874,3 +2874,23 @@
  
  	typeattribute $1 devices_unconfined_type;
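Review bot: The netutils.te line `allow ping_t self:{ rawip_socket packet_socket } { create ioctl read write bind getopt setopt };` widens ping_t from raw IP to link-layer packet sockets, which together with the CAP_NET_RAW that raw sockets already require lets anything that reaches ping_t read and inject arbitrary frames on the interface, not just ICMP. The hunk does not say which binary needs this; if it is arping, which I believe shares ping_exec_t, a comment such as `# arping needs a packet socket for ARP` would record why the broader class is granted. It is worth confirming that `read` on packet_socket is actually in the denial being fixed, since that is the sniffing half of the grant.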
@@ -25,37 +67,21 @@
 +	dontaudit $1 device_node:dir_file_class_set getattr;
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.34/policy/modules/kernel/domain.te
+--- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/domain.te	2006-04-20 09:56:58.000000000 -0400
+@@ -96,6 +96,7 @@
+ 	# workaround until role dominance is fixed in
+ 	# the module compiler
+ 	role secadm_r types domain;
++	role auditadm_r types domain;
+ 	role sysadm_r types domain;
+ 	role user_r types domain;
+ 	role staff_r types domain;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.34/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/kernel/files.if	2006-04-19 12:56:26.000000000 -0400
-@@ -1268,6 +1268,26 @@
- 
- ########################################
- ## <summary>
-+##     Read kernel files in the /boot directory.
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     Domain allowed access.
-+##     </summary>
-+## </param>
-+#
-+interface(`files_read_kernel_img',`
-+       gen_require(`
-+               type boot_t;
-+       ')
-+
-+       allow $1 boot_t:dir r_dir_perms;
-+       allow $1 boot_t:file { getattr read };
-+       allow $1 boot_t:lnk_file { getattr read };
-+')
-+
-+########################################
-+## <summary>
- ##	Install a kernel into the /boot directory.
- ## </summary>
- ## <param name="domain">
-@@ -1679,6 +1699,21 @@
++++ serefpolicy-2.2.34/policy/modules/kernel/files.if	2006-04-20 12:16:18.000000000 -0400
+@@ -1679,6 +1679,21 @@
  ')
  
  ########################################
@@ -77,20 +103,56 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.34/policy/modules/kernel/mls.te
---- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-07 10:31:09.000000000 -0500
-+++ serefpolicy-2.2.34/policy/modules/kernel/mls.te	2006-04-19 12:56:26.000000000 -0400
-@@ -60,6 +60,7 @@
+@@ -3905,3 +3920,23 @@
+ 
+ 	typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##     Read kernel files in the /boot directory.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`files_read_kernel_img',`
++       gen_require(`
++               type boot_t;
++       ')
++
++       allow $1 boot_t:dir r_dir_perms;
++       allow $1 boot_t:file { getattr read };
++       allow $1 boot_t:lnk_file { getattr read };
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.34/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/kernel/kernel.te	2006-04-20 09:56:58.000000000 -0400
+@@ -28,6 +28,7 @@
  
  ifdef(`enable_mls',`
- range_transition initrc_t auditd_exec_t s15:c0.c255;
-+range_transition secadm_t auditctl_exec_t s15:c0.c255;
- range_transition kernel_t init_exec_t s0 - s15:c0.c255;
- range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
+ 	role secadm_r;
++	role auditadm_r;
  ')
+ 
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.34/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-02-13 17:05:45.000000000 -0500
++++ serefpolicy-2.2.34/policy/modules/kernel/terminal.if	2006-04-20 09:56:58.000000000 -0400
+@@ -174,7 +174,7 @@
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+-	allow $1 console_device_t:chr_file write;
++	allow $1 console_device_t:chr_file { getattr write append };
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.34/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/services/pegasus.te	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/services/pegasus.te	2006-04-20 09:56:58.000000000 -0400
 @@ -79,11 +79,16 @@
  corenet_tcp_connect_pegasus_https_port(pegasus_t)
  corenet_tcp_connect_generic_port(pegasus_t)
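Review bot: The summary on the new `files_read_kernel_img` interface in the files.if hunk understates what it grants: read on every `boot_t` file and symlink plus listing of boot_t directories, i.e. everything labeled boot_t under /boot, not only kernel images, so I'd phrase it as `##	Read all boot_t files and directories under /boot (kernel and initrd images, bootloader data).`. The body is also indented with spaces where the neighbouring interface and policy lines in this hunk use tabs. Separately, this revision drops the `range_transition secadm_t auditctl_exec_t` that the previous revision of the patch added, without adding an equivalent for auditadm_t, which the userdomain.te hunk later in this commit makes the domain that runs auditctl; if that is deliberate it deserves a line in the log message.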
@@ -127,7 +189,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.34/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/services/samba.te	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/services/samba.te	2006-04-20 09:56:58.000000000 -0400
 @@ -106,8 +106,8 @@
  files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
  
@@ -138,10 +200,22 @@
  
  kernel_read_proc_symlinks(samba_net_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.34/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-19 12:23:07.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/authlogin.te	2006-04-20 13:08:28.000000000 -0400
+@@ -188,6 +188,8 @@
+ storage_setattr_scsi_generic_dev(pam_console_t)
+ 
+ term_use_console(pam_console_t)
++term_use_all_user_ttys(pam_console_t)
++term_use_all_user_ptys(pam_console_t)
+ term_setattr_console(pam_console_t)
+ term_getattr_unallocated_ttys(pam_console_t)
+ term_setattr_unallocated_ttys(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.34/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-04-18 22:50:00.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/system/init.te	2006-04-19 12:56:26.000000000 -0400
-@@ -352,6 +352,7 @@
+--- nsaserefpolicy/policy/modules/system/init.te	2006-04-20 08:17:40.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/init.te	2006-04-20 09:56:58.000000000 -0400
+@@ -348,6 +348,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
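Review bot: `term_use_all_user_ttys(pam_console_t)` and `term_use_all_user_ptys(pam_console_t)` give pam_console_t read/write on every logged-in user's terminal, considerably more than the ownership and mode changes the surrounding `term_setattr_*` lines show it doing. If the denials being fixed were getattr or setattr, a setattr- or dontaudit-style interface would close them without letting this root-run login hook read from or write to other sessions' terminals; if it genuinely needs to write to the login tty, a comment such as `# pam_console_apply writes messages to the login terminal` would stop the next reviewer from tightening it. I cannot see the triggering AVC from here, so treat this as a question rather than a defect.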
@@ -151,8 +225,39 @@
  libs_use_ld_so(initrc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.34/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/system/libraries.fc	2006-04-19 12:56:29.000000000 -0400
-@@ -113,7 +113,7 @@
++++ serefpolicy-2.2.34/policy/modules/system/libraries.fc	2006-04-20 13:25:18.000000000 -0400
+@@ -66,13 +66,8 @@
+ 
+ /usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
+-
+ /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
+ 
+-/usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
+-/usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
+-
+ /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -86,7 +81,6 @@
+ 
+ /usr/(local/)?lib(64)?/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
+ 
+ /usr/NX/lib/libXcomp.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -99,8 +93,6 @@
+ /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ ifdef(`distro_redhat',`
+-/usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)
+-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
+ 
+ # The following are libraries with text relocations in need of execmod permissions
+ # Some of them should be fixed and removed from this list
+@@ -113,7 +105,7 @@
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -161,9 +266,50 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -198,16 +190,12 @@
+ /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/(.*/)?intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+-/usr/(.*/)?intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+-/usr/(.*/)?intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
++/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
++/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
++/usr/(local/)?Adobe/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+ /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ ') dnl end distro_redhat
+ 
+-ifdef(`distro_suse',`
+-/usr/lib(64)?/samba/classic/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+-')
+-
+ #
+ # /var
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.34/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te	2006-04-06 15:32:43.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/logging.te	2006-04-20 11:57:49.000000000 -0400
+@@ -140,7 +140,7 @@
+ init_use_fds(auditd_t)
+ init_exec(auditd_t)
+ init_write_initctl(auditd_t)
+-init_use_script_ptys(auditd_t)
++init_dontaudit_use_script_ptys(auditd_t)
+ 
+ logging_send_syslog_msg(auditd_t)
+ 
+@@ -293,7 +293,7 @@
+ 
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+-term_dontaudit_use_console(syslogd_t)
++term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+ term_write_unallocated_ttys(syslogd_t)
+ 
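Review bot: The three Adobe lines added to libraries.fc use the type `texrel_shlib_t`, while the surrounding entries (libdeploy, libjvm, ADMPlugin) use `textrel_shlib_t`; unless the policy declares `texrel_shlib_t` as an alias, setfiles-style context validation rejects those entries and the Acrobat libraries fall back to whatever more generic pattern matches them, so the execmod exemption these lines exist to grant never applies. The pre-existing libsipphoneapi entry earlier in this file has the same spelling, so this may be a copied typo rather than a new one, but the new lines are the place to fix it: `/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` and likewise for the `lib/[^/]*\.so` and `.*\.api` entries. Note also that `/usr/(local/)?Adobe/.*\.api` now matches every .api file anywhere under the Adobe tree rather than only plug_ins, which is probably intended but is wider than the line it replaces.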
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.34/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-03-24 11:15:53.000000000 -0500
-+++ serefpolicy-2.2.34/policy/modules/system/sysnetwork.te	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/sysnetwork.te	2006-04-20 09:56:58.000000000 -0400
 @@ -248,6 +248,7 @@
  
  optional_policy(`
@@ -180,7 +326,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.34/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/system/unconfined.if	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/unconfined.if	2006-04-20 09:56:58.000000000 -0400
 @@ -224,6 +224,24 @@
  
  ########################################
@@ -206,20 +352,99 @@
  ##	Send generic signals to the unconfined domain.
  ## </summary>
  ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.34/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if	2006-04-18 22:50:01.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/system/userdomain.if	2006-04-19 12:56:26.000000000 -0400
-@@ -4171,6 +4171,7 @@
- 		type user_home_dir_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.34/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-04-20 08:17:40.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/userdomain.te	2006-04-20 10:08:22.000000000 -0400
+@@ -6,6 +6,7 @@
+ 
+ 	ifdef(`enable_mls',`
+ 		role secadm_r;
++		role auditadm_r;
  	')
- 
-+	allow $1 user_home_dir_t:dir create_dir_perms;
- 	files_home_filetrans($1,user_home_dir_t,dir)
  ')
  
+@@ -67,6 +68,7 @@
+ 	# Define some type aliases to help with compatibility with
+ 	# macros and domains from the "strict" policy.
+ 	unconfined_alias_domain(secadm_t)
++	unconfined_alias_domain(auditadm_t)
+ 	unconfined_alias_domain(sysadm_t)
+ 
+ 	# User home directory type.
+@@ -82,6 +84,7 @@
+ 
+ 	# compatibility for switching from strict
+ #	dominance { role secadm_r { role system_r; }}
++#	dominance { role auditadm_r { role system_r; }}
+ #	dominance { role sysadm_r { role system_r; }}
+ #	dominance { role user_r { role system_r; }}
+ #	dominance { role staff_r { role system_r; }}
+@@ -105,9 +108,10 @@
+ 
+ 	ifdef(`enable_mls',`
+ 		allow secadm_r system_r;
++		allow auditadm_r system_r;
+ 		allow secadm_r user_r;
+-		allow user_r secadm_r;
+ 		allow staff_r secadm_r;
++		allow staff_r auditadm_r;
+ 	')
+ 
+ 	optional_policy(`
+@@ -128,8 +132,19 @@
+ 
+ 	ifdef(`enable_mls',`
+ 		admin_user_template(secadm)
++		admin_user_template(auditadm)
++
++		role_change(staff,auditadm)
+ 		role_change(staff,secadm)
++
+ 		role_change(sysadm,secadm)
++		role_change(sysadm,auditadm)
++
++		role_change(auditadm,secadm)
++		role_change(auditadm,sysadm)
++
++		role_change(secadm,auditadm)
++		role_change(secadm,sysadm)
+ 	')
+ 
+ 	# this should be tunable_policy, but
+@@ -179,10 +194,13 @@
+ 		mls_file_downgrade(secadm_t)
+ 		init_exec(secadm_t)
+ 		logging_read_audit_log(secadm_t)
+-		logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
+ 		files_relabel_all_files(secadm_t)
+ 		auth_relabel_shadow(secadm_t)
++
++		corecmd_exec_shell(auditadm_t)
++		logging_read_audit_log(auditadm_t)
++		logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t })
+ 	', `
+ 		logging_read_audit_log(sysadm_t)
+ 		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
+@@ -236,6 +254,7 @@
+ 
+ 		ifdef(`enable_mls',`
+ 			consoletype_exec(secadm_t)
++			consoletype_exec(auditadm_t)
+ 		')
+ 	')
+ 
+@@ -248,6 +267,7 @@
+ 
+ 		ifdef(`enable_mls',`
+ 			dmesg_exec(secadm_t)
++			dmesg_exec(auditadm_t)
+ 		')
+ 	')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.34/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2006-03-23 16:08:51.000000000 -0500
-+++ serefpolicy-2.2.34/policy/modules/system/xen.if	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/xen.if	2006-04-20 09:56:58.000000000 -0400
 @@ -47,6 +47,24 @@
  
  ########################################
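Review bot: The new `role_change` entries in userdomain.te (staff→auditadm, sysadm→auditadm, auditadm→secadm, auditadm→sysadm, secadm→auditadm, secadm→sysadm), on top of the pre-existing `role_change(sysadm,secadm)`, make every administrative role reachable from every other via newrole; combined with the users hunk, which authorizes staff_u and root for secadm_r, auditadm_r and sysadm_r alike, the system/security/audit administrator separation that secadm_r and auditadm_r exist for rests on the newrole password prompt rather than on policy. If that is the intended trust model for this strict-MLS configuration, a comment above the block should say so, e.g. `# all admin roles are mutually reachable via newrole; separation relies on per-user role authorization`; if not, keep only the staff entries and drop the `role_change(auditadm,secadm)`, `role_change(auditadm,sysadm)` and `role_change(secadm,sysadm)` lines. The removal of `allow user_r secadm_r` in this same hunk suggests the tighter reading is what is wanted. The enclosing ifdef(`enable_mls') block starts before the hunk.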
@@ -247,7 +472,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.34/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-04-18 22:50:01.000000000 -0400
-+++ serefpolicy-2.2.34/policy/modules/system/xen.te	2006-04-19 12:56:26.000000000 -0400
++++ serefpolicy-2.2.34/policy/modules/system/xen.te	2006-04-20 09:56:58.000000000 -0400
 @@ -125,6 +125,7 @@
  
  files_read_etc_files(xend_t)
@@ -256,3 +481,36 @@
  
  storage_raw_read_fixed_disk(xend_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.34/policy/rolemap
+--- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
++++ serefpolicy-2.2.34/policy/rolemap	2006-04-20 09:56:58.000000000 -0400
+@@ -15,5 +15,6 @@
+ 
+ 	ifdef(`enable_mls',`
+ 		secadm_r secadm secadm_t
++		auditadm_t auditadm auditadm_t
+ 	')
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.34/policy/users
+--- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
++++ serefpolicy-2.2.34/policy/users	2006-04-20 11:21:04.000000000 -0400
+@@ -29,7 +29,7 @@
+ gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+ ',`
+ gen_user(user_u, user, user_r, s0, s0)
+-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
++gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+ ')
+ 
+@@ -44,8 +44,8 @@
+ 	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+ ',`
+ 	ifdef(`direct_sysadm_daemon',`
+-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
++		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+ 	',`
+-		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
++		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+ 	')
+ ')



