rpms/selinux-policy/FC-5 policy-20060411.patch,NONE,1.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sat Apr 15 10:34:19 UTC 2006 

Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv26570

Added Files:
	policy-20060411.patch 
Log Message:
* Sat Apr 15 2006 Dan Walsh <dwalsh at redhat.com> 2.2.32-1.fc5
- Bump for fc5


policy-20060411.patch:
 Rules.modular                           |    2 -
 policy/mcs                              |    6 ++-
 policy/modules/admin/amanda.te          |    9 ++++
 policy/modules/admin/bootloader.te      |    1 
 policy/modules/admin/rpm.fc             |    1 
 policy/modules/admin/su.fc              |    2 -
 policy/modules/admin/usermanage.te      |    1 
 policy/modules/apps/java.fc             |    9 +---
 policy/modules/apps/java.te             |    1 
 policy/modules/apps/mono.te             |    6 +++
 policy/modules/kernel/corecommands.fc   |   20 ++++++----
 policy/modules/kernel/devices.fc        |    3 +
 policy/modules/kernel/devices.if        |   24 +++++++++++-
 policy/modules/kernel/files.fc          |   37 ++++++++++++-------
 policy/modules/kernel/files.if          |   27 ++++++++++++++
 policy/modules/kernel/kernel.if         |    3 +
 policy/modules/kernel/mcs.te            |    4 ++
 policy/modules/kernel/mls.te            |    1 
 policy/modules/services/avahi.te        |    1 
 policy/modules/services/bind.fc         |    1 
 policy/modules/services/ftp.te          |    1 
 policy/modules/services/hal.te          |    1 
 policy/modules/services/kerberos.fc     |    4 +-
 policy/modules/services/mailman.if      |   38 ++++++++++++++++++++
 policy/modules/services/postfix.te      |    5 ++
 policy/modules/services/postgresql.if   |    4 +-
 policy/modules/services/rpc.te          |    4 +-
 policy/modules/services/samba.if        |    1 
 policy/modules/services/samba.te        |   12 +++++-
 policy/modules/services/spamassassin.fc |    2 -
 policy/modules/services/tftp.fc         |    3 +
 policy/modules/services/xserver.if      |   21 +++++++++++
 policy/modules/system/authlogin.fc      |    3 +
 policy/modules/system/authlogin.te      |    4 ++
 policy/modules/system/daemontools.fc    |    3 +
 policy/modules/system/fstools.te        |    1 
 policy/modules/system/init.te           |    1 
 policy/modules/system/libraries.fc      |   60 +++++++++++++++++++-------------
 policy/modules/system/miscfiles.fc      |    2 -
 policy/modules/system/modutils.fc       |    6 ++-
 policy/modules/system/selinuxutil.if    |    4 +-
 policy/modules/system/unconfined.te     |    3 +
 policy/modules/system/userdomain.if     |   28 ++++++++++----
 policy/modules/system/xen.te            |    5 ++
 44 files changed, 293 insertions(+), 82 deletions(-)

--- NEW FILE policy-20060411.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.2.32/policy/mcs
--- nsaserefpolicy/policy/mcs	2006-03-29 11:23:41.000000000 -0500
+++ serefpolicy-2.2.32/policy/mcs	2006-04-14 12:06:19.000000000 -0400
@@ -134,14 +134,18 @@
 # the high range of the file.  We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
 #
 mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 	( h1 dom h2 );
 
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+# At this time we do not restrict "ps" type operations via MCS.  This
+# will probably change in future.
 mlsconstrain file { read }
 	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.2.32/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te	2006-03-24 11:15:40.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/admin/amanda.te	2006-04-14 14:29:14.000000000 -0400
@@ -9,6 +9,7 @@
 type amanda_t;
 type amanda_inetd_exec_t;
 inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_tcp_service_domain(amanda_t,amanda_inetd_exec_t)
 role system_r types amanda_t;
 
 type amanda_exec_t;
@@ -141,6 +142,10 @@
 corenet_non_ipsec_sendrecv(amanda_t)
 corenet_tcp_bind_all_nodes(amanda_t)
 corenet_udp_bind_all_nodes(amanda_t)
+corenet_tcp_bind_reserved_port(amanda_t)
+corenet_udp_bind_reserved_port(amanda_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(amanda_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(amanda_t)
 
 dev_getattr_all_blk_files(amanda_t)
 dev_getattr_all_chr_files(amanda_t)
@@ -183,13 +188,15 @@
 
 optional_policy(`
 	nscd_socket_use(amanda_t)
+	nscd_socket_use(amanda_recover_t)
 ')
 
 ########################################
 #
 # Amanda recover local policy
 
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+corenet_tcp_bind_reserved_port(amanda_recover_t)
 allow amanda_recover_t self:process { sigkill sigstop signal };
 allow amanda_recover_t self:fifo_file { getattr ioctl read write };
 allow amanda_recover_t self:unix_stream_socket { connect create read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.2.32/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-04-04 18:06:37.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/admin/bootloader.te	2006-04-14 12:06:19.000000000 -0400
@@ -84,6 +84,7 @@
 dev_read_sysfs(bootloader_t)
 # for reading BIOS data
 dev_read_raw_memory(bootloader_t)
+mls_file_read_up(bootloader_t)
 
 fs_getattr_xattr_fs(bootloader_t)
 fs_read_tmpfs_symlinks(bootloader_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.32/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-04-04 18:06:37.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/admin/rpm.fc	2006-04-14 12:06:19.000000000 -0400
@@ -10,6 +10,7 @@
 /usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.fc serefpolicy-2.2.32/policy/modules/admin/su.fc
--- nsaserefpolicy/policy/modules/admin/su.fc	2006-03-23 14:33:29.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/admin/su.fc	2006-04-14 12:06:19.000000000 -0400
@@ -1,5 +1,5 @@
 
 /bin/su			--	gen_context(system_u:object_r:su_exec_t,s0)
 
-/usr(/local)?/bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
+/usr/(local/)?bin/ksu	--	gen_context(system_u:object_r:su_exec_t,s0)
 /usr/bin/kdesu		--	gen_context(system_u:object_r:su_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.32/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/admin/usermanage.te	2006-04-14 12:06:19.000000000 -0400
@@ -514,6 +514,7 @@
 # Add/remove user home directories
 userdom_home_filetrans_generic_user_home_dir(useradd_t)
 userdom_manage_generic_user_home_content_dirs(useradd_t)
+userdom_manage_staff_home_dir(useradd_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.32/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/apps/java.fc	2006-04-14 12:06:19.000000000 -0400
@@ -1,11 +1,8 @@
 #
-# /opt
-#
-/opt(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
-
-#
 # /usr
 #
-/usr(/.*)?/bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib(.*/)?bin/java([^/]*)? 	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gij		--	gen_context(system_u:object_r:java_exec_t,s0)
+/opt/(.*/)?bin/java([^/]*)? 	--	gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.32/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/apps/java.te	2006-04-14 12:06:19.000000000 -0400
@@ -10,6 +10,7 @@
 domain_type(java_t)
 
 type java_exec_t;
+init_system_domain(java_t,java_exec_t)
 files_type(java_exec_t)
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.32/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/apps/mono.te	2006-04-14 12:06:19.000000000 -0400
@@ -22,6 +22,8 @@
 	unconfined_domain_noaudit(mono_t)
 	role system_r types mono_t;
 
+	init_dbus_chat_script(mono_t)
+
 	optional_policy(`
 		avahi_dbus_chat(mono_t)
 	')
@@ -29,4 +31,8 @@
 	optional_policy(`
 		hal_dbus_chat(mono_t)
 	')
+	optional_policy(`
+		networkmanager_dbus_chat(mono_t)
+	')
+
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.32/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-10 17:05:08.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/kernel/corecommands.fc	2006-04-14 12:06:19.000000000 -0400
@@ -2,7 +2,8 @@
 #
 # /bin
 #
-/bin(/.*)?				gen_context(system_u:object_r:bin_t,s0)
+/bin				-d	gen_context(system_u:object_r:bin_t,s0)
+/bin/.*					gen_context(system_u:object_r:bin_t,s0)
 /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -86,27 +87,30 @@
 #
 # /sbin
 #
-/sbin(/.*)?				gen_context(system_u:object_r:sbin_t,s0)
+/sbin				-d	gen_context(system_u:object_r:sbin_t,s0)
+/sbin/.*				gen_context(system_u:object_r:sbin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
 
 #
 # /opt
 #
-/opt(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/opt/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/opt(/.*)?/libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/opt/(.*/)?libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
-/opt(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
 
 #
 # /usr
 #
-/usr(/.*)?/Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/usr(/.*)?/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/usr(/.*)?/sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
 
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/kernel/devices.fc	2006-04-14 12:06:19.000000000 -0400
@@ -1,5 +1,6 @@
 
-/dev(/.*)?			gen_context(system_u:object_r:device_t,s0)
+/dev			-d	gen_context(system_u:object_r:device_t,s0)
+/dev/.*				gen_context(system_u:object_r:device_t,s0)
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/adsp		-c	gen_context(system_u:object_r:sound_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-04-12 13:44:36.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/kernel/devices.if	2006-04-14 12:06:19.000000000 -0400
@@ -2701,7 +2701,7 @@
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file rw_file_perms;
 ')
 
 ########################################
@@ -2720,7 +2720,7 @@
 	')
 
 	allow $1 device_t:dir r_dir_perms;
-	allow $1 xen_device_t:chr_file r_file_perms;
+	allow $1 xen_device_t:chr_file manage_file_perms;
 ')
 
 ########################################
@@ -2874,3 +2874,23 @@
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Dontaudit getattr on all device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_all_device_nodes',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_t:dir_file_class_set getattr;
+	dontaudit $1 device_node:dir_file_class_set getattr;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.2.32/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc	2006-03-23 14:33:29.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/kernel/files.fc	2006-04-14 12:06:19.000000000 -0400
@@ -25,7 +25,8 @@
 #
 # /boot
 #
-/boot(/.*)?			gen_context(system_u:object_r:boot_t,s0)
+/boot			-d	gen_context(system_u:object_r:boot_t,s0)
+/boot/.*			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
 /boot/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
 /boot/lost\+found/.*		<<none>>
@@ -36,13 +37,15 @@
 #
 
 ifdef(`distro_redhat',`
-/emul(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/emul			-d	gen_context(system_u:object_r:usr_t,s0)
+/emul/.*			gen_context(system_u:object_r:usr_t,s0)
 ')
 
 #
 # /etc
 #
-/etc(/.*)?			gen_context(system_u:object_r:etc_t,s0)
+/etc			-d	gen_context(system_u:object_r:etc_t,s0)
+/etc/.*				gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/asound\.state	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -104,7 +107,8 @@
 #
 # /lib(64)?
 #
-/lib(64)?/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+/lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+/lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 
 #
 # /lost+found
@@ -139,29 +143,34 @@
 #
 # /opt
 #
-/opt(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/opt			-d	gen_context(system_u:object_r:usr_t,s0)
+/opt/.*				gen_context(system_u:object_r:usr_t,s0)
 
-/opt(/.*)?/var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
+/opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
 
 #
 # /proc
 #
-/proc(/.*)?                     <<none>>
+/proc			-d	<<none>>
+/proc/.*			<<none>>
 
 #
 # /selinux
 #
-/selinux(/.*)?                  <<none>>
+/selinux		-d	<<none>>
+/selinux/.*			<<none>>
 
 #
 # /srv
 #
-/srv(/.*)?			gen_context(system_u:object_r:var_t,s0)
+/srv			-d	gen_context(system_u:object_r:var_t,s0)
+/srv/.*				gen_context(system_u:object_r:var_t,s0)
 
 #
 # /sys
 #
-/sys(/.*)?                      <<none>>
+/sys			-d	<<none>>
+/sys/.*				<<none>>
 
 #
 # /tmp
@@ -176,7 +185,8 @@
 #
 # /usr
 #
-/usr(/.*)?			gen_context(system_u:object_r:usr_t,s0)
+/usr			-d	gen_context(system_u:object_r:usr_t,s0)
+/usr/.*				gen_context(system_u:object_r:usr_t,s0)
 /usr/\.journal			<<none>>
 
 /usr/doc(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
@@ -200,7 +210,7 @@
 /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
-/usr/src(/.*)?/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+/usr/src/kernels/.+/lib(/.*)?		gen_context(system_u:object_r:usr_t,s0)
 
 /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
 /usr/tmp/.*			<<none>>
@@ -208,7 +218,8 @@
 #
 # /var
 #
-/var(/.*)?			gen_context(system_u:object_r:var_t,s0)
+/var			-d	gen_context(system_u:object_r:var_t,s0)
+/var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
 
 /var/db/.*\.db		--	gen_context(system_u:object_r:etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-14 07:58:12.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/kernel/files.if	2006-04-14 12:06:19.000000000 -0400
@@ -948,6 +948,18 @@
 
 ########################################
 #
+# files_stat_all_mountpoints(domain)
+#
+interface(`files_stat_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	allow $1 mountpoint:dir { getattr };
+')
+
+########################################
+#
 # files_list_root(domain)
 #
 interface(`files_list_root',`
@@ -1661,6 +1673,21 @@
 ')
 
 ########################################
+#
+# files_unlink_boot_flag(domain)
+#
+# /halt, /.autofsck, etc
+#
+interface(`files_unlink_boot_flag',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file unlink;
+')
+
+
+########################################
 ## <summary>
 ##	Read files in /etc that are dynamically
 ##	created on boot, such as mtab.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.32/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-04-10 17:05:10.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/kernel/kernel.if	2006-04-14 12:06:19.000000000 -0400
@@ -1148,7 +1148,8 @@
 
 	allow $1 proc_t:dir search;
 	allow $1 sysctl_t:dir r_dir_perms;
-	allow $1 sysctl_vm_t:dir list_dir_perms;
+#hal needs allow hald_t sysctl_vm_t:dir write;
+	allow $1 sysctl_vm_t:dir rw_dir_perms;
 	allow $1 sysctl_vm_t:file rw_file_perms;
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.2.32/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/kernel/mcs.te	2006-04-14 12:06:19.000000000 -0400
@@ -32,6 +32,10 @@
 type xdm_exec_t;
 
 ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions.  But while range_transitions have to be in the base module
+# this is not possible.
 range_transition getty_t login_exec_t s0 - s0:c0.c255;
 range_transition init_t xdm_exec_t s0 - s0:c0.c255;
 range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.32/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-03-07 10:31:09.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/kernel/mls.te	2006-04-14 12:06:19.000000000 -0400
@@ -60,6 +60,7 @@
 
 ifdef(`enable_mls',`
 range_transition initrc_t auditd_exec_t s15:c0.c255;
+range_transition secadm_t auditctl_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.32/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/avahi.te	2006-04-14 12:06:19.000000000 -0400
@@ -92,6 +92,7 @@
 	dbus_system_bus_client_template(avahi,avahi_t)
 	dbus_connect_system_bus(avahi_t)
 	dbus_send_system_bus(avahi_t)
+	init_dbus_chat_script(avahi_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-2.2.32/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc	2006-01-16 17:04:24.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/bind.fc	2006-04-14 12:06:19.000000000 -0400
@@ -29,6 +29,7 @@
 
 ifdef(`distro_redhat',`
 /etc/named\.conf		--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf		--	gen_context(system_u:object_r:named_conf_t,s0)
 /var/named(/.*)?			gen_context(system_u:object_r:named_zone_t,s0)
 /var/named/slaves(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
 /var/named/data(/.*)?		gen_context(system_u:object_r:named_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.32/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te	2006-04-12 13:44:37.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/ftp.te	2006-04-14 13:41:32.000000000 -0400
@@ -126,6 +126,7 @@
 seutil_dontaudit_search_config(ftpd_t)
 
 sysnet_read_config(ftpd_t)
+sysnet_use_ldap(ftpd_t)
 
 userdom_dontaudit_search_sysadm_home_dirs(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.32/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te	2006-04-12 13:44:37.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/hal.te	2006-04-14 12:06:19.000000000 -0400
@@ -103,6 +103,7 @@
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
 fs_list_auto_mountpoints(hald_t)
+files_stat_all_mountpoints(hald_t)
 
 mls_file_read_up(hald_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-2.2.32/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc	2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/kerberos.fc	2006-04-14 12:06:19.000000000 -0400
@@ -5,8 +5,8 @@
 /etc/krb5kdc/kadm5.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
 /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr(/local)?(/kerberos)?/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
 
 /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-2.2.32/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/mailman.if	2006-04-14 12:06:19.000000000 -0400
@@ -200,6 +200,44 @@
 
 #######################################
 ## <summary>
+##	Allow domain to to create mailman data files and write the directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_create_data_file',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir rw_dir_perms;
+	allow $1 mailman_data_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+##	Allow domain to to read mailman data files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_data_file',`
+	gen_require(`
+		type mailman_data_t;
+	')
+
+	allow $1 mailman_data_t:dir search_dir_perms;
+	allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
 ##	List the contents of mailman data directories.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.32/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/postfix.te	2006-04-14 14:54:13.000000000 -0400
@@ -305,6 +305,7 @@
 
 kernel_read_kernel_sysctls(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
+kernel_dontaudit_read_system_state(postfix_map_t)
 
 corenet_tcp_sendrecv_all_if(postfix_map_t)
 corenet_udp_sendrecv_all_if(postfix_map_t)
@@ -350,6 +351,7 @@
 ifdef(`targeted_policy',`
 	# FIXME: would be better to use a run interface
 	role system_r types postfix_map_t;
+	term_dontaudit_use_generic_ptys(postfix_map_t)
 ')
 
 tunable_policy(`read_default_t',`
@@ -408,6 +410,9 @@
 
 optional_policy(`
 	mailman_domtrans_queue(postfix_pipe_t)
+#	for postalias
+	mailman_create_data_file(postfix_master_t)
+	mailman_read_data_file(postfix_local_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-2.2.32/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if	2006-02-10 17:05:19.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/postgresql.if	2006-04-14 16:09:39.000000000 -0400
@@ -113,10 +113,12 @@
 #
 interface(`postgresql_stream_connect',`
 	gen_require(`
-		type postgresql_t, postgresql_var_run_t;
+		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
 	')
 
 	files_search_pids($1)
 	allow $1 postgresql_t:unix_stream_socket connectto;
 	allow $1 postgresql_var_run_t:sock_file write;
+        # Some versions of postgresql put the sock file in /tmp
+	allow $1 postgresql_tmp_t:sock_file write;
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.32/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2006-03-24 11:15:50.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/rpc.te	2006-04-14 12:06:19.000000000 -0400
@@ -110,13 +110,13 @@
 portmap_udp_chat(nfsd_t)
 
 tunable_policy(`nfs_export_all_rw',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_manage_all_files_except_shadow(nfsd_t)
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-	auth_read_all_dirs_except_shadow(nfsd_t) 
 	fs_read_noxattr_fs_files(nfsd_t) 
+	auth_read_all_files_except_shadow(nfsd_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.2.32/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if	2006-02-21 14:35:36.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/samba.if	2006-04-14 12:06:19.000000000 -0400
@@ -33,6 +33,7 @@
 	')
 
 	tunable_policy(`samba_enable_home_dirs',`
+		userdom_manage_user_home_content_dirs($1,smbd_t)
 		userdom_manage_user_home_content_files($1,smbd_t)
 		userdom_manage_user_home_content_symlinks($1,smbd_t)
 		userdom_manage_user_home_content_sockets($1,smbd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.32/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2006-04-12 13:44:37.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/samba.te	2006-04-14 13:42:57.000000000 -0400
@@ -106,8 +106,8 @@
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 allow samba_net_t samba_var_t:dir rw_dir_perms;
+allow samba_net_t samba_var_t:file create_file_perms;
 allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
-allow samba_net_t samba_var_t:file create_lnk_perms;
 
 kernel_read_proc_symlinks(samba_net_t)
 
@@ -160,8 +160,10 @@
 	corenet_non_ipsec_sendrecv(samba_net_t)
 	corenet_tcp_bind_all_nodes(samba_net_t)
 	sysnet_read_config(samba_net_t)
+        corenet_tcp_connect_ldap_port(samba_net_t)
 ')
 
+
 optional_policy(`
 	nscd_socket_use(samba_net_t)
 ')
@@ -268,6 +270,7 @@
 
 init_use_fds(smbd_t)
 init_use_script_ptys(smbd_t)
+init_rw_utmp(smbd_t)
 
 libs_use_ld_so(smbd_t)
 libs_use_shared_libs(smbd_t)
@@ -333,6 +336,13 @@
 ')
 allow smbd_t mtrr_device_t:file getattr;
 
+# Support Samba sharing of NFS mount points
+bool samba_share_nfs false;
+if (samba_share_nfs) {
+fs_manage_nfs_dirs(smbd_t)
+fs_manage_nfs_files(smbd_t)
+}
+
 ########################################
 #
 # nmbd Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.2.32/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc	2005-12-01 17:57:16.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/services/spamassassin.fc	2006-04-14 12:06:19.000000000 -0400
@@ -1,5 +1,5 @@
 
-/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamc		--	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-2.2.32/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc	2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/tftp.fc	2006-04-14 12:06:19.000000000 -0400
@@ -2,4 +2,5 @@
 /usr/sbin/atftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 /usr/sbin/in\.tftpd	--	gen_context(system_u:object_r:tftpd_exec_t,s0)
 
-/tftpboot(/.*)?			gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.32/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if	2006-04-06 15:31:54.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/services/xserver.if	2006-04-14 12:06:19.000000000 -0400
@@ -1070,3 +1070,24 @@
 
 	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
 ')
+
+########################################
+## <summary>
+##	Allow read and write to
+##	a XDM X server socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_sockets',`
+	gen_require(`
+		type xdm_xserver_tmp_t;
+	')
+
+	allow $1 xdm_xserver_tmp_t:dir search;
+	allow $1 xdm_xserver_tmp_t:sock_file { read write };
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-2.2.32/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc	2006-01-19 17:48:34.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/system/authlogin.fc	2006-04-14 12:06:19.000000000 -0400
@@ -7,7 +7,8 @@
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
 
 /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.32/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/authlogin.te	2006-04-14 12:06:19.000000000 -0400
@@ -173,9 +173,13 @@
 dev_setattr_video_dev(pam_console_t)
 dev_getattr_xserver_misc_dev(pam_console_t)
 dev_setattr_xserver_misc_dev(pam_console_t)
+dev_read_urand(pam_console_t)
 
 fs_search_auto_mountpoints(pam_console_t)
 
+miscfiles_read_localization(pam_console_t)
+miscfiles_read_certs(pam_console_t)
+
 storage_getattr_fixed_disk_dev(pam_console_t)
 storage_setattr_fixed_disk_dev(pam_console_t)
 storage_getattr_removable_dev(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.fc serefpolicy-2.2.32/policy/modules/system/daemontools.fc
--- nsaserefpolicy/policy/modules/system/daemontools.fc	2006-04-05 11:35:09.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/daemontools.fc	2006-04-14 12:06:19.000000000 -0400
@@ -2,7 +2,8 @@
 # /service
 #
 
-/service(/.*)?			gen_context(system_u:object_r:svc_svc_t,s0)
+/service		-d	gen_context(system_u:object_r:svc_svc_t,s0)
+/service/.*			gen_context(system_u:object_r:svc_svc_t,s0)
 
 #
 # /usr
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.32/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te	2006-04-04 18:06:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/fstools.te	2006-04-14 12:06:19.000000000 -0400
@@ -77,6 +77,7 @@
 dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
+dev_dontaudit_getattr_all_device_nodes(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te	2006-04-06 15:32:43.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/init.te	2006-04-14 12:06:19.000000000 -0400
@@ -352,6 +352,7 @@
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_unlink_boot_flag(initrc_t)
 
 libs_rw_ld_so_cache(initrc_t)
 libs_use_ld_so(initrc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.32/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-12 13:44:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/libraries.fc	2006-04-14 12:06:19.000000000 -0400
@@ -24,17 +24,22 @@
 #
 # /lib(64)?
 #
-/lib(64)?(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib64(/.*)?					gen_context(system_u:object_r:lib_t,s0)
 /lib(64)?/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 /lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
 
 #
 # /opt
 #
-/opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
-/opt/.*/jre.*/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/.*/jre.*/libjvm.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib64(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib64/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 #
 # /sbin
@@ -44,18 +49,22 @@
 #
 # /usr
 #
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?/HelixPlayer/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?java/.*\.jar			--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.jsa			--	gen_context(system_u:object_r:shlib_t,s0)
+
+/usr/(.*/)?lib(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib64(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so		--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib64/.*\.so\.[^/]*	--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
 
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
-/usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
 
@@ -64,7 +73,7 @@
 /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
 
-/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
 /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -74,9 +83,8 @@
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/vmware(.*/)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(local/)?lib(64)?/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
 
@@ -127,7 +135,7 @@
 /usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/.*/program/libsoffice\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 /usr/lib(64)?/firefox.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/mozilla.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -180,15 +188,17 @@
 
 # vmware 
 /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.*  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/lib(/.*)?/HConfig.so  -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre.*/libdeploy.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/.*/jre.*/libjvm.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr(/.*)?/intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ') dnl end distro_redhat
 
 ifdef(`distro_suse',`
@@ -214,3 +224,5 @@
 /var/spool/postfix/lib(64)?/lib.*\.so.*	--	gen_context(system_u:object_r:shlib_t,s0)
 /var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
 /var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/NX/lib/libXcomp.so.*	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/NX/lib/libjpeg.so.* 	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.2.32/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc	2005-10-27 14:57:47.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/miscfiles.fc	2006-04-14 12:06:19.000000000 -0400
@@ -7,7 +7,7 @@
 #
 # /opt
 #
-/opt(/.*)?/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/opt/(.*/)?man(/.*)?		gen_context(system_u:object_r:man_t,s0)
 
 #
 # /srv
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-2.2.32/policy/modules/system/modutils.fc
--- nsaserefpolicy/policy/modules/system/modutils.fc	2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/modutils.fc	2006-04-14 12:06:19.000000000 -0400
@@ -2,9 +2,11 @@
 /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
 
-/lib(64)?/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
 
-/lib(64)?/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
 
 /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
 /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-03-29 14:18:17.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/system/selinuxutil.if	2006-04-14 12:06:19.000000000 -0400
@@ -697,8 +697,8 @@
 
 	files_search_etc($1)
 	allow $1 selinux_config_t:dir search;
-	allow $1 file_context_t:dir r_dir_perms;
-	allow $1 file_context_t:file rw_file_perms;
+	allow $1 file_context_t:dir rw_dir_perms;
+	allow $1 file_context_t:file create_file_perms;
 	allow $1 file_context_t:lnk_file { getattr read };
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.32/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-04-12 13:44:38.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/unconfined.te	2006-04-14 12:06:19.000000000 -0400
@@ -37,6 +37,7 @@
 	logging_domtrans_auditctl(unconfined_t)
 
 	seutil_domtrans_restorecon(unconfined_t)
+	seutil_domtrans_semanage(unconfined_t)
 
 	userdom_unconfined(unconfined_t)
 	userdom_priveleged_home_dir_manager(unconfined_t)
@@ -64,6 +65,8 @@
 	optional_policy(`
 		dbus_stub(unconfined_t)
 
+		init_dbus_chat_script(unconfined_t)
+
 		optional_policy(`
 			avahi_dbus_chat(unconfined_t)
 		')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-04-14 07:58:13.000000000 -0400
+++ serefpolicy-2.2.32/policy/modules/system/userdomain.if	2006-04-14 12:06:19.000000000 -0400
@@ -379,10 +379,6 @@
 	')
 
 	optional_policy(`
-		jabber_tcp_connect($1_t)
-	')
-
-	optional_policy(`
 		nis_use_ypbind($1_t)
 	')
 
@@ -408,10 +404,6 @@
 	')
 
 	optional_policy(`
-		perdition_tcp_connect($1_t)
-	')
-
-	optional_policy(`
 		portmap_tcp_connect($1_t)
 	')
 
@@ -4140,11 +4132,31 @@
 		type user_home_dir_t;
 	')
 
+	allow $1 user_home_dir_t:dir create_dir_perms;
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
 
 ########################################
 ## <summary>
+##	Create staff home directories
+##	with automatic file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_staff_home_dir',`
+	gen_require(`
+		type staff_home_dir_t;
+	')
+
+	allow $1 staff_home_dir_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Search generic user home directories.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2006-03-23 14:33:30.000000000 -0500
+++ serefpolicy-2.2.32/policy/modules/system/xen.te	2006-04-14 12:06:19.000000000 -0400
@@ -19,6 +19,8 @@
 # var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
 
 # log files
 type xend_var_log_t;
@@ -67,6 +69,8 @@
 allow xend_t self:tcp_socket create_stream_socket_perms;
 allow xend_t self:packet_socket create_socket_perms;
 
+files_read_kernel_symbol_table(xend_t)
+
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
 allow xend_t xend_var_run_t:sock_file manage_file_perms;
@@ -210,6 +214,7 @@
 dev_filetrans_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)
+dev_rw_xen(xenstored_t)
 
 init_use_fds(xenstored_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.2.32/Rules.modular
--- nsaserefpolicy/Rules.modular	2006-03-23 14:33:29.000000000 -0500
+++ serefpolicy-2.2.32/Rules.modular	2006-04-14 14:21:43.000000000 -0400
@@ -208,7 +208,7 @@
 #
 $(APPDIR)/customizable_types: $(BASE_CONF)
 	@mkdir -p $(APPDIR)
-	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
+	$(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(TMPDIR)/customizable_types
 	$(verbose) install -m 644 $(TMPDIR)/customizable_types $@ 
 
 ########################################

More information about the fedora-cvs-commits mailing list