rpms/selinux-policy/devel modules-targeted.conf, 1.21, 1.22 policy-20060411.patch, 1.12, 1.13 selinux-policy.spec, 1.181, 1.182

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sat Apr 29 04:47:10 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12655

Modified Files:
	modules-targeted.conf policy-20060411.patch 
	selinux-policy.spec 
Log Message:
* Tue Apr 25 2006 Dan Walsh <dwalsh at redhat.com> 2.2.36-1
- Update to upstream



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- modules-targeted.conf	10 Apr 2006 21:10:33 -0000	1.21
+++ modules-targeted.conf	29 Apr 2006 04:47:05 -0000	1.22
@@ -1043,3 +1043,17 @@
 # 
 mono = base
 
+# Layer: services
+# Module: pyzor
+#
+# Spam Blocker
+# 
+pyzor = base
+
+# Layer: services
+# Module: amavis
+#
+# Anti-virus
+# 
+amavis = base
+

policy-20060411.patch:
 config/appconfig-strict-mls/default_type |    1 
 policy/modules/apps/cdrecord.if          |    2 
 policy/modules/apps/evolution.if         |    2 
 policy/modules/apps/mono.te              |    3 
 policy/modules/apps/mozilla.if           |    2 
 policy/modules/apps/thunderbird.if       |    2 
 policy/modules/kernel/corenetwork.if.in  |   75 +++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in  |    1 
 policy/modules/kernel/corenetwork.te.m4  |    6 +
 policy/modules/kernel/domain.te          |    1 
 policy/modules/kernel/files.if           |   15 ++++
 policy/modules/kernel/filesystem.if      |   38 +++++++++-
 policy/modules/kernel/kernel.te          |    1 
 policy/modules/services/amavis.te        |    4 +
 policy/modules/services/automount.te     |    1 
 policy/modules/services/cups.te          |    1 
 policy/modules/services/cyrus.if         |   22 ++++++
 policy/modules/services/postfix.te       |    8 ++
 policy/modules/services/procmail.te      |    6 +
 policy/modules/services/pyzor.fc         |    6 +
 policy/modules/services/pyzor.if         |   46 +++++++++++++
 policy/modules/services/pyzor.te         |  109 +++++++++++++++++++++++++++++++
 policy/modules/services/spamassassin.te  |   19 ++---
 policy/modules/system/authlogin.te       |    2 
 policy/modules/system/init.te            |    1 
 policy/modules/system/lvm.te             |    3 
 policy/modules/system/mount.te           |    2 
 policy/modules/system/selinuxutil.te     |    4 +
 policy/modules/system/sysnetwork.te      |    1 
 policy/modules/system/unconfined.if      |   40 +++++++++++
 policy/modules/system/userdomain.te      |   23 +++++-
 policy/modules/system/xen.fc             |    1 
 policy/modules/system/xen.if             |   72 +++++++++++++++++++-
 policy/modules/system/xen.te             |   52 ++++++++++++++
 policy/rolemap                           |    1 
 policy/users                             |    6 -
 36 files changed, 548 insertions(+), 31 deletions(-)

Index: policy-20060411.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060411.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- policy-20060411.patch	25 Apr 2006 10:57:57 -0000	1.12
+++ policy-20060411.patch	29 Apr 2006 04:47:05 -0000	1.13
@@ -1,37 +1,38 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.35/config/appconfig-strict-mls/default_type
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.36/config/appconfig-strict-mls/default_type
 --- nsaserefpolicy/config/appconfig-strict-mls/default_type	2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.35/config/appconfig-strict-mls/default_type	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/config/appconfig-strict-mls/default_type	2006-04-28 22:53:54.000000000 -0400
 @@ -2,3 +2,4 @@
  secadm_r:secadm_t
  staff_r:staff_t
  user_r:user_t
 +auditadm_r:auditadm_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.2.35/policy/modules/admin/netutils.te
---- nsaserefpolicy/policy/modules/admin/netutils.te	2006-04-06 14:05:24.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/admin/netutils.te	2006-04-24 20:16:38.000000000 -0400
-@@ -97,7 +97,7 @@
- 
- allow ping_t self:tcp_socket create_socket_perms;
- allow ping_t self:udp_socket create_socket_perms;
--allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-+allow ping_t self:{ rawip_socket packet_socket } { create ioctl read write bind getopt setopt };
- 
- corenet_tcp_sendrecv_all_if(ping_t)
- corenet_udp_sendrecv_all_if(ping_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.35/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/admin/usermanage.te	2006-04-24 20:16:38.000000000 -0400
-@@ -514,6 +514,7 @@
- # Add/remove user home directories
- userdom_home_filetrans_generic_user_home_dir(useradd_t)
- userdom_manage_generic_user_home_content_dirs(useradd_t)
-+userdom_manage_generic_user_home_content_files(useradd_t)
- userdom_manage_staff_home_dirs(useradd_t)
- userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.35/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.if serefpolicy-2.2.36/policy/modules/apps/cdrecord.if
+--- nsaserefpolicy/policy/modules/apps/cdrecord.if	2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/apps/cdrecord.if	2006-04-28 22:53:54.000000000 -0400
+@@ -152,7 +152,7 @@
+ 		files_dontaudit_list_tmp($1_cdrecord_t)
+ 		files_dontaudit_list_home($1_cdrecord_t)
+ 		fs_dontaudit_list_removable($1_cdrecord_t)
+-		fs_donaudit_read_removable_files($1_cdrecord_t)
++		fs_dontaudit_read_removable_files($1_cdrecord_t)
+ 		userdom_dontaudit_list_user_tmp($1,$1_cdrecord_t)
+ 		userdom_dontaudit_read_user_tmp_files($1,$1_cdrecord_t)
+ 		userdom_dontaudit_list_user_home_dirs($1,$1_cdrecord_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolution.if serefpolicy-2.2.36/policy/modules/apps/evolution.if
+--- nsaserefpolicy/policy/modules/apps/evolution.if	2006-04-20 08:17:35.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/apps/evolution.if	2006-04-28 22:53:54.000000000 -0400
+@@ -303,7 +303,7 @@
+ 		files_dontaudit_list_tmp($1_evolution_t)
+ 		files_dontaudit_list_home($1_evolution_t)
+ 		fs_dontaudit_list_removable($1_evolution_t)
+-		fs_donaudit_read_removable_files($1_evolution_t)
++		fs_dontaudit_read_removable_files($1_evolution_t)
+ 		userdom_dontaudit_list_user_tmp($1,$1_evolution_t)
+ 		userdom_dontaudit_read_user_tmp_files($1,$1_evolution_t)
+ 		userdom_dontaudit_list_user_home_dirs($1,$1_evolution_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.36/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/apps/mono.te	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/apps/mono.te	2006-04-28 22:53:54.000000000 -0400
 @@ -20,8 +20,9 @@
  ifdef(`targeted_policy',`
  	allow mono_t self:process { execheap execmem };
@@ -43,20 +44,142 @@
  	init_dbus_chat_script(mono_t)
  
  	optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.2.35/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/kernel/corecommands.fc	2006-04-24 20:16:38.000000000 -0400
-@@ -177,6 +177,7 @@
- ifdef(`distro_redhat', `
- /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cvs/contrib/rcs2log	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.35/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.2.36/policy/modules/apps/mozilla.if
+--- nsaserefpolicy/policy/modules/apps/mozilla.if	2006-03-24 11:15:44.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/apps/mozilla.if	2006-04-28 22:53:54.000000000 -0400
+@@ -249,7 +249,7 @@
+ 		files_dontaudit_list_tmp($1_mozilla_t)
+ 		files_dontaudit_list_home($1_mozilla_t)
+ 		fs_dontaudit_list_removable($1_mozilla_t)
+-		fs_donaudit_read_removable_files($1_mozilla_t)
++		fs_dontaudit_read_removable_files($1_mozilla_t)
+ 		userdom_dontaudit_list_user_tmp($1,$1_mozilla_t)
+ 		userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
+ 		userdom_dontaudit_list_user_home_dirs($1,$1_mozilla_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-2.2.36/policy/modules/apps/thunderbird.if
+--- nsaserefpolicy/policy/modules/apps/thunderbird.if	2006-03-24 11:15:44.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/apps/thunderbird.if	2006-04-28 22:53:54.000000000 -0400
+@@ -216,7 +216,7 @@
+ 		files_dontaudit_list_home($1_thunderbird_t)
+ 
+ 		fs_dontaudit_list_removable($1_thunderbird_t)
+-		fs_donaudit_read_removable_files($1_thunderbird_t)
++		fs_dontaudit_read_removable_files($1_thunderbird_t)
+ 
+ 		userdom_dontaudit_list_user_tmp($1,$1_thunderbird_t)
+ 		userdom_dontaudit_read_user_tmp_files($1,$1_thunderbird_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.2.36/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2006-04-27 10:31:32.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.if.in	2006-04-28 22:53:54.000000000 -0400
+@@ -1259,3 +1259,78 @@
+ 
+ 	typeattribute $1 corenet_unconfined_type;
+ ')
++
++
++########################################
++## <summary>
++##	Bind TCP sockets to all rpc ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`corenet_tcp_bind_all_rpc_ports',`
++	gen_require(`
++		attribute rpc_port_type;
++	')
++
++	allow $1 rpc_port_type:tcp_socket name_bind;
++	allow $1 self:capability net_bind_service;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to bind TCP sockets to all rpc ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process to not audit.
++##	</summary>
++## </param>
++#
++interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
++	gen_require(`
++		attribute rpc_port_type;
++	')
++
++	dontaudit $1 rpc_port_type:tcp_socket name_bind;
++')
++
++########################################
++## <summary>
++##	Bind UDP sockets to all rpc ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`corenet_udp_bind_all_rpc_ports',`
++	gen_require(`
++		attribute rpc_port_type;
++	')
++
++	allow $1 rpc_port_type:udp_socket name_bind;
++	allow $1 self:capability net_bind_service;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to bind UDP sockets to all rpc ports.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process to not audit.
++##	</summary>
++## </param>
++#
++interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
++	gen_require(`
++		attribute rpc_port_type;
++	')
++
++	dontaudit $1 rpc_port_type:udp_socket name_bind;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-04-18 22:49:59.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.in	2006-04-28 22:53:54.000000000 -0400
+@@ -10,6 +10,7 @@
+ attribute node_type;
+ attribute port_type;
+ attribute reserved_port_type;
++attribute rpc_port_type;
+ 
+ attribute corenet_unconfined_type;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.m4
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4	2006-01-16 13:55:42.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/kernel/corenetwork.te.m4	2006-04-28 22:53:54.000000000 -0400
+@@ -46,7 +46,11 @@
+ ') dnl end determine reserved capability depend
+ 
+ define(`declare_ports',`dnl
+-ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
++ifelse(eval($3 < 1024),1,`
++typeattribute $1 reserved_port_type;
++#bindresvport in glibc starts searching for reserved ports at 600
++ifelse(eval($3 >= 600),1,`typeattribute $1 rpc_port_type;',`dnl')
++',`dnl')
+ portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.2.36/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-04-20 08:17:36.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/kernel/domain.te	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/kernel/domain.te	2006-04-28 22:53:54.000000000 -0400
 @@ -96,6 +96,7 @@
  	# workaround until role dominance is fixed in
  	# the module compiler
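Review bot: `rpc_port_type` is attached by the new `declare_ports` branch to every declared port whose number falls in 600–1023, not only to RPC ports, so `corenet_tcp_bind_all_rpc_ports` and `corenet_udp_bind_all_rpc_ports` let the caller bind any reserved port in that range (the automount.te hunk further down is the first consumer). The attribute and interface names promise something narrower than the m4 rule grants; either rename the attribute for the range it actually covers or state the range in the interface summaries, e.g. `##	Bind TCP sockets to all reserved ports in the 600-1023 range that glibc bindresvport() searches.` The two bind interfaces also grant `allow $1 self:capability net_bind_service;` unconditionally, while the dontaudit variants correctly omit it; that is only consistent with the existing `corenet_tcp_bind_reserved_port` if that interface does the same, which is worth confirming since callers may already hold the capability from elsewhere.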
@@ -65,10 +188,10 @@
  	role sysadm_r types domain;
  	role user_r types domain;
  	role staff_r types domain;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.35/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-24 20:14:39.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/kernel/files.if	2006-04-24 20:16:38.000000000 -0400
-@@ -1679,6 +1679,21 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.36/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-04-28 22:50:56.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/kernel/files.if	2006-04-28 22:53:54.000000000 -0400
+@@ -1699,6 +1699,21 @@
  ')
  
  ########################################
@@ -90,33 +213,9 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3905,3 +3920,23 @@
- 
- 	typeattribute $1 files_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+##     Read kernel files in the /boot directory.
-+## </summary>
-+## <param name="domain">
-+##     <summary>
-+##     Domain allowed access.
-+##     </summary>
-+## </param>
-+#
-+interface(`files_read_kernel_img',`
-+       gen_require(`
-+               type boot_t;
-+       ')
-+
-+       allow $1 boot_t:dir r_dir_perms;
-+       allow $1 boot_t:file { getattr read };
-+       allow $1 boot_t:lnk_file { getattr read };
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.35/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-04-18 22:49:59.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/kernel/filesystem.if	2006-04-24 20:16:38.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.36/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-04-28 22:50:56.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/kernel/filesystem.if	2006-04-28 22:53:54.000000000 -0400
 @@ -609,7 +609,7 @@
  		attribute noxattrfs;
  	')
@@ -135,7 +234,7 @@
  	allow $1 noxattrfs:lnk_file r_file_perms;
  ')
  
-@@ -1294,7 +1294,7 @@
+@@ -1277,7 +1277,7 @@
  
  ########################################
  ## <summary>
@@ -144,9 +243,52 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.35/policy/modules/kernel/kernel.te
+@@ -1491,7 +1491,7 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_donaudit_read_removable_files',`
++interface(`fs_dontaudit_read_removable_files',`
+ 	gen_require(`
+ 		type removable_t;
+ 	')
+@@ -3204,3 +3204,33 @@
+ 
+ 	typeattribute $1 filesystem_unconfined_type;
+ ')
++
++
++
++########################################
++## <summary>
++##	Relabel all filesystem_types on the filesystem,
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the domain perfoming this action.
++##	</summary>
++## </param>
++#
++interface(`fs_relabel_all_filesystem_types',`
++	gen_require(`
++		attribute filesystem_type;
++	')
++
++	allow $1 { filesystem_type }:dir { r_dir_perms relabelfrom relabelto };
++	allow $1 { filesystem_type }:file { getattr relabelfrom relabelto };
++	allow $1 { filesystem_type }:lnk_file { getattr relabelfrom relabelto };
++	allow $1 { filesystem_type }:fifo_file { getattr relabelfrom relabelto };
++	allow $1 { filesystem_type }:sock_file { getattr relabelfrom relabelto };
++	allow $1 { filesystem_type }:blk_file { getattr relabelfrom };
++	allow $1 { filesystem_type }:chr_file { getattr relabelfrom };
++
++	# satisfy the assertions:
++	seutil_relabelto_bin_policy($1)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.36/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-04-24 20:14:39.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/kernel/kernel.te	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/kernel/kernel.te	2006-04-28 22:53:54.000000000 -0400
 @@ -28,6 +28,7 @@
  
  ifdef(`enable_mls',`
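Review bot: `fs_relabel_all_filesystem_types`, added to the kernel-layer filesystem module, calls `seutil_relabelto_bin_policy($1)` from the system layer, which as I understand the reference policy layering makes a kernel module depend on a system module; if the call exists only to satisfy neverallow assertions, it belongs in the caller's .te next to the `fs_relabel_all_filesystem_types` invocation, with the "satisfy the assertions" comment there. The interface hands out `relabelfrom relabelto` on every `filesystem_type` dir and file, so any domain that receives it can relabel arbitrary files, and the summary should say so rather than just "Relabel all filesystem_types". Two wording fixes in the header: `##	Relabel all filesystem_types on the filesystem.` and `##	The type of the domain performing this action.` The `{ filesystem_type }` braces around a single attribute are unnecessary and can be written as `filesystem_type`.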
@@ -155,21 +297,31 @@
  ')
  
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.35/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-02-13 17:05:45.000000000 -0500
-+++ serefpolicy-2.2.35/policy/modules/kernel/terminal.if	2006-04-24 20:16:38.000000000 -0400
-@@ -174,7 +174,7 @@
- 	')
- 
- 	dev_list_all_dev_nodes($1)
--	allow $1 console_device_t:chr_file write;
-+	allow $1 console_device_t:chr_file { getattr write append };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.36/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te	2006-03-24 11:15:50.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/services/amavis.te	2006-04-28 23:21:20.000000000 -0400
+@@ -146,3 +146,7 @@
+ 	spamassassin_exec(amavis_t)
+ 	spamassassin_exec_client(amavis_t)
  ')
- 
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.35/policy/modules/services/cups.te
++
++optional_policy(`
++	pyzor_domtrans(amavis_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.36/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te	2006-04-12 13:44:36.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/services/automount.te	2006-04-28 22:53:54.000000000 -0400
+@@ -86,6 +86,7 @@
+ # Automount execs showmount when you browse /net.  This is required until
+ # Someone writes a showmount policy
+ corenet_tcp_bind_reserved_port(automount_t)
++corenet_tcp_bind_all_rpc_ports(automount_t)
+ 
+ dev_read_sysfs(automount_t)
+ # for SSP
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.36/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-04-12 13:44:36.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/services/cups.te	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/services/cups.te	2006-04-28 22:53:54.000000000 -0400
 @@ -79,6 +79,7 @@
  allow cupsd_t self:process { setsched signal_perms };
  allow cupsd_t self:fifo_file rw_file_perms;
@@ -178,47 +330,78 @@
  allow cupsd_t self:unix_dgram_socket create_socket_perms;
  allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
  allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.35/policy/modules/services/pegasus.te
---- nsaserefpolicy/policy/modules/services/pegasus.te	2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/services/pegasus.te	2006-04-24 20:16:38.000000000 -0400
-@@ -79,11 +79,16 @@
- corenet_tcp_connect_pegasus_https_port(pegasus_t)
- corenet_tcp_connect_generic_port(pegasus_t)
- 
-+corecmd_exec_sbin(pegasus_t)
-+corecmd_exec_bin(pegasus_t)
-+corecmd_exec_shell(pegasus_t)
-+
- dev_read_sysfs(pegasus_t)
- dev_read_urand(pegasus_t)
- 
- fs_getattr_all_fs(pegasus_t)
- fs_search_auto_mountpoints(pegasus_t)
-+files_getattr_all_dirs(pegasus_t)
- 
- term_dontaudit_use_console(pegasus_t)
- 
-@@ -98,6 +103,8 @@
- files_read_var_lib_files(pegasus_t)
- files_read_var_lib_symlinks(pegasus_t)
- 
-+hostname_exec(pegasus_t)
-+
- init_use_fds(pegasus_t)
- init_use_script_ptys(pegasus_t)
- init_rw_utmp(pegasus_t)
-@@ -116,6 +123,7 @@
- 	term_dontaudit_use_unallocated_ttys(pegasus_t)
- 	term_dontaudit_use_generic_ptys(pegasus_t)
- 	files_dontaudit_read_root_files(pegasus_t)
-+	unconfined_signull(pegasus_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.if serefpolicy-2.2.36/policy/modules/services/cyrus.if
+--- nsaserefpolicy/policy/modules/services/cyrus.if	2006-02-10 17:05:19.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/services/cyrus.if	2006-04-28 22:53:54.000000000 -0400
+@@ -20,3 +20,25 @@
+ 	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
+ 	allow $1 cyrus_var_lib_t:file manage_file_perms;
+ ')
++
++
++########################################
++## <summary>
++##	Connect to Cyrus using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cyrus_stream_connect',`
++	gen_require(`
++		type cyrus_t, cyrus_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	allow $1 cyrus_var_lib_t:dir search;
++	allow $1 cyrus_var_lib_t:sock_file write;
++	allow $1 cyrus_t:unix_stream_socket connectto;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.2.36/policy/modules/services/postfix.te
+--- nsaserefpolicy/policy/modules/services/postfix.te	2006-04-20 08:17:39.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/services/postfix.te	2006-04-28 22:53:54.000000000 -0400
+@@ -181,6 +181,10 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.35/policy/modules/services/procmail.te
++	cyrus_stream_connect(postfix_master_t)
++')
++
++optional_policy(`
+ 	nis_use_ypbind(postfix_master_t)
+ ')
+ 
+@@ -390,6 +394,7 @@
+ allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
+ allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
+ 
++postfix_list_spool(postfix_pickup_t)
+ allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
+ allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
+ allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+@@ -430,6 +435,7 @@
+ allow postfix_postdrop_t postfix_public_t:dir search;
+ allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+ 
++postfix_list_spool(postfix_postdrop_t)
+ allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
+ allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+ 
+@@ -538,6 +544,8 @@
+ 
+ allow postfix_showq_t postfix_spool_t:file r_file_perms;
+ 
++postfix_list_spool(postfix_showq_t)
++
+ allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
+ allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
+ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.36/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2006-03-24 11:15:50.000000000 -0500
-+++ serefpolicy-2.2.35/policy/modules/services/procmail.te	2006-04-24 20:16:38.000000000 -0400
-@@ -95,13 +95,13 @@
++++ serefpolicy-2.2.36/policy/modules/services/procmail.te	2006-04-28 23:05:02.000000000 -0400
+@@ -95,16 +95,20 @@
  
  optional_policy(`
  	mta_read_config(procmail_t)
@@ -233,22 +416,229 @@
  
  	files_getattr_tmp_dirs(procmail_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.35/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/services/samba.te	2006-04-24 20:16:38.000000000 -0400
-@@ -106,8 +106,8 @@
- files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
- 
- allow samba_net_t samba_var_t:dir rw_dir_perms;
-+allow samba_net_t samba_var_t:file create_file_perms;
- allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
--allow samba_net_t samba_var_t:file create_lnk_perms;
+ 	spamassassin_exec(procmail_t)
+ 	spamassassin_exec_client(procmail_t)
+ ')
++
++optional_policy(`
++	pyzor_domtrans(procmail_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.36/policy/modules/services/pyzor.fc
+--- nsaserefpolicy/policy/modules/services/pyzor.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/services/pyzor.fc	2006-04-28 23:11:40.000000000 -0400
+@@ -0,0 +1,6 @@
++/etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
++/usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
++/usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
++/var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
++/var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
++HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-2.2.36/policy/modules/services/pyzor.if
+--- nsaserefpolicy/policy/modules/services/pyzor.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/services/pyzor.if	2006-04-28 22:53:54.000000000 -0400
+@@ -0,0 +1,46 @@
++## <summary>Pyzor mail delivery agent</summary>
++
++########################################
++## <summary>
++##	Execute pyzor with a domain transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pyzor_domtrans',`
++	gen_require(`
++		type pyzor_exec_t, pyzor_t;
++	')
++
++	files_search_usr($1)
++	corecmd_search_bin($1)
++	domain_auto_trans($1,pyzor_exec_t,pyzor_t)
++
++	allow $1 pyzor_t:fd use;
++	allow pyzor_t $1:fd use;
++	allow pyzor_t $1:fifo_file rw_file_perms;
++	allow pyzor_t $1:process sigchld;
++')
++
++########################################
++## <summary>
++##	Execute pyzor in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pyzor_exec',`
++	gen_require(`
++		type pyzor_exec_t;
++	')
++
++	files_search_usr($1)
++	corecmd_search_bin($1)
++	can_exec($1,pyzor_exec_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.2.36/policy/modules/services/pyzor.te
+--- nsaserefpolicy/policy/modules/services/pyzor.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/services/pyzor.te	2006-04-29 00:44:42.000000000 -0400
+@@ -0,0 +1,109 @@
++policy_module(pyzor,1.1.0)
++
++type pyzord_t;
++type pyzord_exec_t;
++domain_type(pyzord_t)
++init_daemon_domain(pyzord_t,pyzord_exec_t)
++role system_r types pyzord_t;
++
++type pyzor_t;
++type pyzor_exec_t;
++domain_type(pyzor_t)
++domain_entry_file(pyzor_t,pyzor_exec_t)
++role system_r types pyzor_t;
++
++type pyzor_var_lib_t;
++files_type(pyzor_var_lib_t)
++
++type pyzor_etc_t;
++files_type(pyzor_etc_t)
++
++type pyzord_log_t;
++logging_log_file(pyzord_log_t)
++
++########################################
++#
++# Local policy
++#
++
++allow pyzord_t self:udp_socket create_socket_perms;
++allow pyzord_t pyzor_port_t:udp_socket name_bind;
++
++allow pyzord_t pyzor_var_lib_t:file create_file_perms;
++allow pyzord_t pyzor_var_lib_t:dir { rw_dir_perms setattr };
++files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
++
++allow pyzord_t pyzor_etc_t:file create_file_perms;
++allow pyzord_t pyzor_etc_t:dir r_dir_perms;
++
++allow pyzord_t pyzord_log_t:file create_file_perms;
++allow pyzord_t pyzord_log_t:dir { rw_dir_perms setattr };
++logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
++
++auth_use_nsswitch(pyzord_t)
++
++dev_read_urand(pyzord_t)
++
++can_exec(pyzord_t,pyzor_exec_t)
++
++corenet_raw_sendrecv_all_if(pyzord_t)
++corenet_udp_sendrecv_all_if(pyzord_t)
++corenet_udp_sendrecv_all_nodes(pyzord_t)
++corenet_raw_sendrecv_all_nodes(pyzord_t)
++corenet_udp_sendrecv_all_ports(pyzord_t)
++corenet_non_ipsec_sendrecv(pyzord_t)
++corenet_udp_bind_all_nodes(pyzord_t)
++corecmd_exec_bin(pyzord_t)
++
++files_read_etc_files(pyzord_t)
++
++kernel_read_kernel_sysctls(pyzord_t)
++kernel_read_system_state(pyzord_t)
++
++libs_use_ld_so(pyzord_t)
++libs_use_shared_libs(pyzord_t)
++
++miscfiles_read_localization(pyzord_t)
++
++term_dontaudit_use_generic_ptys(pyzord_t)
++
++# only works until we define a different type for maildir
++userdom_priveleged_home_dir_manager(pyzord_t)
++# Do not audit attempts to access /root.
++userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
++userdom_dontaudit_search_staff_home_dirs(pyzord_t)
++
++mta_manage_spool(pyzord_t)
++
++optional_policy(`
++	logging_send_syslog_msg(pyzord_t)
++')
++
++optional_policy(`
++	nscd_socket_use(pyzord_t)
++')
++
++########################################
++# pyzor defs
++########################################
++
++auth_use_nsswitch(pyzor_t)
++
++files_read_etc_files(pyzor_t)
++
++libs_use_ld_so(pyzor_t)
++libs_use_shared_libs(pyzor_t)
++
++miscfiles_read_localization(pyzor_t)
++
++files_search_var_lib(pyzor_t)
++allow pyzor_t pyzor_var_lib_t:dir r_dir_perms;
++allow pyzor_t pyzor_var_lib_t:file r_file_perms;
++
++optional_policy(`
++	spamassassin_read_spamd_tmp_files(pyzor_t)
++')
++
++optional_policy(`
++	amavis_manage_lib_files(pyzor_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.36/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-04-20 08:17:39.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/services/spamassassin.te	2006-04-28 22:53:54.000000000 -0400
+@@ -128,6 +128,7 @@
+ 		userdom_manage_generic_user_home_content_files(spamd_t)
+ 		userdom_manage_generic_user_home_content_symlinks(spamd_t)
+ 	')
++	unconfined_rw_semaphores(spamd_t)
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -143,6 +144,14 @@
+ ')
  
- kernel_read_proc_symlinks(samba_net_t)
+ optional_policy(`
++        postgresql_stream_connect(spamd_t)
++');
++
++optional_policy(`
++	pyzor_domtrans(spamd_t)
++')
++
++optional_policy(`
+ 	amavis_manage_lib_files(spamd_t)
+ ')
+ 
+@@ -167,12 +176,4 @@
+ 	udev_read_db(spamd_t)
+ ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.35/policy/modules/system/authlogin.te
+-ifdef(`TODO',`
+-optional_policy(`
+-# for bayes tokens
+-allow spamd_t var_lib_t:dir { getattr search };
+-allow spamd_t amavisd_lib_t:dir rw_dir_perms;
+-allow spamd_t amavisd_lib_t:file create_file_perms;
+-allow spamd_t amavisd_lib_t:lnk_file create_lnk_perms;
+-')
+-') dnl end TODO
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.36/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2006-04-19 12:23:07.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/authlogin.te	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/authlogin.te	2006-04-28 22:53:54.000000000 -0400
 @@ -188,6 +188,8 @@
  storage_setattr_scsi_generic_dev(pam_console_t)
  
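Review bot: The new pyzor.te gives the daemon `userdom_priveleged_home_dir_manager(pyzord_t)` and `mta_manage_spool(pyzord_t)`, i.e. write access to every user's home directory and the mail spool, which the "only works until we define a different type for maildir" comment suggests was carried over from the spamd policy rather than derived from what pyzord touches (its own /var/lib/pyzord, /etc/pyzor and log file, per pyzor.fc). Unless pyzord is known to write user mailboxes, those two lines should be dropped, or at least reduced to read access, so a compromise of the UDP-facing daemon cannot modify mail. Two references also look unresolved within this patch: `allow pyzord_t pyzor_port_t:udp_socket name_bind;` names a port type no hunk declares (the corenetwork.te.in change adds only `attribute rpc_port_type;`) and bypasses the `corenet_udp_bind_*_port` interface convention, and pyzor.fc labels `HOME_DIR/\.pyzor(/.*)?` as `ROLE_pyzor_home_t` while pyzor.te declares no per-role home type. In the spamassassin.te hunk, `');` after `postgresql_stream_connect(spamd_t)` leaves a stray `;` in the generated policy and should be `')`, and that line is indented with spaces where the file uses tabs. The module summary `## <summary>Pyzor mail delivery agent</summary>` is inaccurate; pyzor is a collaborative spam-detection client/server, not a delivery agent.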
@@ -258,9 +648,9 @@
  term_setattr_console(pam_console_t)
  term_getattr_unallocated_ttys(pam_console_t)
  term_setattr_unallocated_ttys(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.35/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-04-20 08:17:40.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/init.te	2006-04-24 20:16:38.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.36/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2006-04-27 10:31:33.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/init.te	2006-04-28 22:53:54.000000000 -0400
 @@ -348,6 +348,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
@@ -269,93 +659,65 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.35/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc	2006-04-24 20:14:40.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/libraries.fc	2006-04-24 20:16:38.000000000 -0400
-@@ -71,13 +71,8 @@
- 
- /usr/(.*/)?nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
--/usr/lib(64)?/pgsql/test/regress/.*\.so	--	gen_context(system_u:object_r:shlib_t,s0)
--
- /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
- 
--/usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
--/usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
--
- /usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
- /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -104,7 +99,6 @@
- /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- ifdef(`distro_redhat',`
--/usr/lib(64)?/.*/program/.*\.so.*		gen_context(system_u:object_r:shlib_t,s0)
- /usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- gen_context(system_u:object_r:shlib_t,s0)
- 
- # The following are libraries with text relocations in need of execmod permissions
-@@ -118,7 +112,7 @@
- /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--/usr/lib(64)?/libglide-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,16 +197,12 @@
- /usr/(.*/)?jre.*/libdeploy.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/(.*/)?jre.*/libjvm.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
--/usr/(.*/)?intellinux/nppdf\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
--/usr/(.*/)?intellinux/lib/\.so		--	gen_context(system_u:object_r:texrel_shlib_t,s0)
--/usr/(.*/)?intellinux/plug_ins/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-+/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
-+/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-+/usr/(local/)?Adobe/.*\.api	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
- /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- ') dnl end distro_redhat
- 
--ifdef(`distro_suse',`
--/usr/lib(64)?/samba/classic/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
--')
--
- #
- # /var
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.35/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te	2006-04-06 15:32:43.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/logging.te	2006-04-24 20:16:38.000000000 -0400
-@@ -140,7 +140,7 @@
- init_use_fds(auditd_t)
- init_exec(auditd_t)
- init_write_initctl(auditd_t)
--init_use_script_ptys(auditd_t)
-+init_dontaudit_use_script_ptys(auditd_t)
- 
- logging_send_syslog_msg(auditd_t)
- 
-@@ -293,7 +293,7 @@
- 
- fs_search_auto_mountpoints(syslogd_t)
- 
--term_dontaudit_use_console(syslogd_t)
-+term_write_console(syslogd_t)
- # Allow syslog to a terminal
- term_write_unallocated_ttys(syslogd_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.35/policy/modules/system/sysnetwork.te
---- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-03-24 11:15:53.000000000 -0500
-+++ serefpolicy-2.2.35/policy/modules/system/sysnetwork.te	2006-04-24 20:36:46.000000000 -0400
-@@ -248,6 +248,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.36/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te	2006-03-24 11:15:53.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/system/lvm.te	2006-04-28 22:53:54.000000000 -0400
+@@ -205,9 +205,10 @@
+ fs_getattr_xattr_fs(lvm_t)
+ fs_search_auto_mountpoints(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+-fs_donaudit_read_removable_files(lvm_t)
++fs_dontaudit_read_removable_files(lvm_t)
+ 
+ storage_relabel_fixed_disk(lvm_t)
++storage_dontaudit_read_removable_device(lvm_t)
+ # LVM creates block devices in /dev/mapper or /dev/<vg>
+ # depending on its version
+ # LVM(2) needs to create directores (/dev/mapper, /dev/<vg>)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.36/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te	2006-04-19 12:23:07.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/mount.te	2006-04-28 22:53:54.000000000 -0400
+@@ -126,6 +126,8 @@
+ 	corenet_udp_bind_generic_port(mount_t)
+ 	corenet_tcp_bind_reserved_port(mount_t)
+ 	corenet_udp_bind_reserved_port(mount_t)
++	corenet_tcp_bind_all_rpc_ports(mount_t)
++	corenet_udp_bind_all_rpc_ports(mount_t)
+ 	corenet_tcp_connect_all_ports(mount_t)
+ 
+ 	fs_search_rpc(mount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.36/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/selinuxutil.te	2006-04-28 22:53:54.000000000 -0400
+@@ -393,6 +393,8 @@
+ userdom_use_all_users_fds(restorecon_t)
  
- optional_policy(`
- 	xen_append_log(dhcpc_t)
-+	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
- ')
- 
- ########################################
-@@ -285,6 +286,7 @@
+ files_relabel_all_files(restorecon_t)
++fs_relabel_all_filesystem_types(restorecon_t)
++
+ files_list_all(restorecon_t)
+ # this is to satisfy the assertion:
+ auth_relabelto_shadow(restorecon_t)
+@@ -427,6 +429,7 @@
+ 
+ auth_relabel_all_files_except_shadow(restorecond_t )
+ auth_read_all_files_except_shadow(restorecond_t)
++fs_relabel_all_filesystem_types(restorecond_t)
+ 
+ kernel_use_fds(restorecond_t)
+ kernel_rw_pipes(restorecond_t)
+@@ -627,6 +630,7 @@
+ files_read_etc_files(setfiles_t)
+ files_list_all(setfiles_t)
+ files_relabel_all_files(setfiles_t)
++fs_relabel_all_filesystem_types(setfiles_t)
+ 
+ logging_send_syslog_msg(setfiles_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.36/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-04-27 10:31:34.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/sysnetwork.te	2006-04-28 22:53:54.000000000 -0400
+@@ -286,6 +286,7 @@
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
  kernel_search_network_sysctl(ifconfig_t)
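Review bot: The two `corenet_*_bind_all_rpc_ports(mount_t)` lines in the mount.te section let mount_t bind across the whole RPC port range without a comment saying which mount operation needs it; a short why-comment above them, e.g. `# presumably needed for NFS mounts — confirm against the denial that prompted it`, would keep the grant from being copied into other domains unexamined. `fs_relabel_all_filesystem_types` is added for restorecon_t, restorecond_t and setfiles_t in the selinuxutil.te section; for the long-running restorecond_t a one-line note on why a daemon needs to relabel every filesystem type would help the next reader. The libraries.fc, logging.te and sysnetwork.te sections dropped earlier in this span are history and appear to have gone upstream.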
@@ -363,20 +725,15 @@
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
-@@ -346,4 +348,5 @@
- 
- optional_policy(`
- 	xen_append_log(ifconfig_t)
-+	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.35/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if	2006-04-12 13:44:38.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/unconfined.if	2006-04-24 20:16:38.000000000 -0400
-@@ -224,6 +224,24 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.36/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-04-27 10:31:34.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/unconfined.if	2006-04-28 22:53:54.000000000 -0400
+@@ -381,6 +381,27 @@
  
  ########################################
  ## <summary>
-+##	Send a SIGNULL signal to the unconfined domain.
++##	Send and receive messages from
++##	unconfined_t over dbus.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -384,25 +741,29 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`unconfined_signull',`
++interface(`unconfined_dbus_chat',`
 +	gen_require(`
 +		type unconfined_t;
++		class dbus send_msg;
 +	')
 +
-+	allow $1 unconfined_t:process signull;
++	allow $1 unconfined_t:dbus send_msg;
++	allow unconfined_t $1:dbus send_msg;
 +')
 +
 +########################################
 +## <summary>
- ##	Send generic signals to the unconfined domain.
+ ##	Add an alias type to the unconfined domain.
  ## </summary>
- ## <param name="domain">
-@@ -363,6 +381,27 @@
- 
- ########################################
- ## <summary>
-+##	Send and receive messages from
-+##	unconfined_t over dbus.
+ ## <desc>
+@@ -410,3 +431,22 @@
+ 		errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ 	')
+ ')
++
++########################################
++## <summary>
++##	Communicate with  unconfined user SysV sempaphores.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
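Review bot: The summary added for `unconfined_rw_semaphores` at the end of this hunk has a typo and a doubled space, `##	Communicate with  unconfined user SysV sempaphores.`; `##	Read and write unconfined user SysV semaphores.` would also describe what the interface body in the next hunk actually grants, a single `allow $1 unconfined_t:sem rw_sem_perms;`. In that next hunk the `type unconfined_t;` line inside `gen_require` is indented one tab deeper than in the sibling interfaces and should be aligned with them. The rest of this hunk relocates `unconfined_dbus_chat` earlier in the file without changing its rules.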
@@ -410,33 +771,18 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`unconfined_dbus_chat',`
++interface(`unconfined_rw_semaphores',`
 +	gen_require(`
-+		type unconfined_t;
-+		class dbus send_msg;
++			type unconfined_t;
 +	')
 +
-+	allow $1 unconfined_t:dbus send_msg;
-+	allow unconfined_t $1:dbus send_msg;
++	allow $1 unconfined_t:sem rw_sem_perms;
 +')
 +
-+########################################
-+## <summary>
- ##	Add an alias type to the unconfined domain.
- ## </summary>
- ## <desc>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.35/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-04-24 20:14:40.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/userdomain.te	2006-04-24 20:16:38.000000000 -0400
-@@ -6,6 +6,7 @@
- 
- 	ifdef(`enable_mls',`
- 		role secadm_r;
-+		role auditadm_r;
- 	')
- ')
- 
-@@ -67,6 +68,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.36/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-04-28 22:50:57.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/userdomain.te	2006-04-28 22:53:54.000000000 -0400
+@@ -67,6 +67,7 @@
  	# Define some type aliases to help with compatibility with
  	# macros and domains from the "strict" policy.
  	unconfined_alias_domain(secadm_t)
@@ -444,7 +790,7 @@
  	unconfined_alias_domain(sysadm_t)
  
  	# User home directory type.
-@@ -82,6 +84,7 @@
+@@ -82,6 +83,7 @@
  
  	# compatibility for switching from strict
  #	dominance { role secadm_r { role system_r; }}
@@ -452,7 +798,7 @@
  #	dominance { role sysadm_r { role system_r; }}
  #	dominance { role user_r { role system_r; }}
  #	dominance { role staff_r { role system_r; }}
-@@ -105,9 +108,10 @@
+@@ -105,9 +107,10 @@
  
  	ifdef(`enable_mls',`
  		allow secadm_r system_r;
@@ -464,7 +810,7 @@
  	')
  
  	optional_policy(`
-@@ -128,8 +132,19 @@
+@@ -128,8 +131,19 @@
  
  	ifdef(`enable_mls',`
  		admin_user_template(secadm)
@@ -484,7 +830,7 @@
  	')
  
  	# this should be tunable_policy, but
-@@ -179,10 +194,13 @@
+@@ -179,10 +193,13 @@
  		mls_file_downgrade(secadm_t)
  		init_exec(secadm_t)
  		logging_read_audit_log(secadm_t)
@@ -499,7 +845,7 @@
  	', `
  		logging_read_audit_log(sysadm_t)
  		logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
-@@ -240,6 +258,7 @@
+@@ -240,6 +257,7 @@
  
  		ifdef(`enable_mls',`
  			consoletype_exec(secadm_t)
@@ -507,7 +853,7 @@
  		')
  	')
  
-@@ -252,6 +271,7 @@
+@@ -252,6 +270,7 @@
  
  		ifdef(`enable_mls',`
  			dmesg_exec(secadm_t)
@@ -515,48 +861,164 @@
  		')
  	')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.35/policy/modules/system/xen.if
---- nsaserefpolicy/policy/modules/system/xen.if	2006-03-23 16:08:51.000000000 -0500
-+++ serefpolicy-2.2.35/policy/modules/system/xen.if	2006-04-24 20:16:38.000000000 -0400
-@@ -47,6 +47,24 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.36/policy/modules/system/xen.fc
+--- nsaserefpolicy/policy/modules/system/xen.fc	2006-03-23 16:08:51.000000000 -0500
++++ serefpolicy-2.2.36/policy/modules/system/xen.fc	2006-04-28 22:53:54.000000000 -0400
+@@ -14,3 +14,4 @@
+ /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
+ /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+ /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
++/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.2.36/policy/modules/system/xen.if
+--- nsaserefpolicy/policy/modules/system/xen.if	2006-04-27 10:31:34.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/xen.if	2006-04-28 22:53:54.000000000 -0400
+@@ -47,13 +47,12 @@
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to read and write
+-##	Xen unix domain stream sockets.
 +##     Don't audit leaked file descriptor.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to don't audit.
+-##	</summary>
 +##     <summary>
 +##     Domain to don't audit.
 +##     </summary>
+ ## </param>
+ #
+ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -84,3 +83,66 @@
+ 	allow $1 xenstored_var_run_t:sock_file { getattr write };
+ 	allow $1 xenstored_t:unix_stream_socket connectto;
+ ')
++
++########################################
++## <summary>
++##	Connect to xend over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`xen_dontaudit_rw_unix_stream_sockets',`
-+       gen_require(`
-+               type xend_t;
-+       ')
++interface(`xen_connect',`
++	gen_require(`
++		type xend_t, xend_var_run_t;
++	')
 +
-+       dontaudit $1 xend_t:unix_stream_socket { read write };
++	files_search_pids($1)
++	allow $1 xend_var_run_t:dir search;
++	allow $1 xend_var_run_t:sock_file getattr;
++	allow $1 xend_t:unix_stream_socket connectto;
 +')
 +
 +########################################
 +## <summary>
- ##	Connect to xenstored over an unix stream socket.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.35/policy/modules/system/xen.te
---- nsaserefpolicy/policy/modules/system/xen.te	2006-04-18 22:50:01.000000000 -0400
-+++ serefpolicy-2.2.35/policy/modules/system/xen.te	2006-04-24 20:16:38.000000000 -0400
-@@ -125,6 +125,7 @@
- 
- files_read_etc_files(xend_t)
- files_read_kernel_symbol_table(xend_t)
-+files_read_kernel_img(xend_t)
- 
- storage_raw_read_fixed_disk(xend_t)
++##	Write to xend over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xen_writeto',`
++	gen_require(`
++		type xend_var_run_t;
++	')
++
++	allow $1 xend_var_run_t:sock_file write;
++')
++
++
++########################################
++## <summary>
++##	Execute a domain transition to run xm.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`xm_domtrans',`
++	gen_requires(`
++		type xm_t, xm_exec_t;
++	')
++
++	domain_auto_trans($1,xm_exec_t,xm_t)
++
++	allow $1 xm_t:fd use;
++	allow xm_t $1:fd use;
++	allow xm_t:$1:fifo_file rw_file_perms;
++	allow xm_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.36/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te	2006-04-27 10:31:34.000000000 -0400
++++ serefpolicy-2.2.36/policy/modules/system/xen.te	2006-04-28 22:53:54.000000000 -0400
+@@ -224,3 +224,55 @@
+ miscfiles_read_localization(xenstored_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.35/policy/rolemap
+ xen_append_log(xenstored_t)
++
++########################################
++#
++# Declarations
++#
++
++type xm_t;
++type xm_exec_t;
++domain_type(xm_t)
++init_daemon_domain(xm_t, xm_exec_t)
++
++########################################
++#
++# xm local policy
++#
++# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
++
++# Some common macros (you might be able to remove some)
++files_read_etc_files(xm_t)
++libs_use_ld_so(xm_t)
++libs_use_shared_libs(xm_t)
++miscfiles_read_localization(xm_t)
++# internal communication is often done using fifo and unix sockets.
++allow xm_t self:fifo_file { read write };
++allow xm_t self:unix_stream_socket create_stream_socket_perms;
++
++
++# james -- aujdit2allow
++
++corecmd_exec_bin(xm_t)
++corecmd_exec_sbin(xm_t)
++
++kernel_read_system_state(xm_t)
++kernel_read_kernel_sysctls(xm_t)
++kernel_read_xen_state(xm_t)
++kernel_write_xen_state(xm_t)
++term_use_all_terms(xm_t)
++
++dev_read_urand(xm_t)
++
++xen_append_log(xm_t)
++xen_connect(xm_t)
++xen_writeto(xm_t)
++
++xen_stream_connect_xenstore(xm_t)
++allow xm_t self:capability dac_override;
++
++
++# allow xm_t root_t:dir search;
++# Need to relabel files for xen
++auth_read_all_files_except_shadow(xm_t)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.36/policy/rolemap
 --- nsaserefpolicy/policy/rolemap	2006-01-26 15:38:41.000000000 -0500
-+++ serefpolicy-2.2.35/policy/rolemap	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/rolemap	2006-04-28 22:53:54.000000000 -0400
 @@ -15,5 +15,6 @@
  
  	ifdef(`enable_mls',`
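Review bot: `xm_domtrans` in the xen.if section is unlikely to build as written: `gen_requires(` at its top should be `gen_require(` as in `xen_connect` and `xen_writeto` just above it, and the fifo rule `allow xm_t:$1:fifo_file rw_file_perms;` has a stray colon and should read `allow xm_t $1:fifo_file rw_file_perms;`. In the xen.te section the comment `# Need to relabel files for xen` sits over `auth_read_all_files_except_shadow(xm_t)`, which grants read access rather than relabel, so one of the two is wrong. The same block still carries policygentool template residue (`# Some common macros (you might be able to remove some)`, `# james -- aujdit2allow`) where a short statement of what xm needs and why would serve better, given that `term_use_all_terms`, `self:capability dac_override` and read access to every non-shadow file are broad grants for a management CLI. Interfaces in xen.if are otherwise prefixed `xen_`, so `xm_domtrans` would conventionally be `xen_domtrans_xm`, and `init_daemon_domain(xm_t, xm_exec_t)` looks odd for a program entered through `xm_domtrans` from a caller domain rather than started by init — worth confirming that is the intended entry path.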
@@ -564,9 +1026,9 @@
 +		auditadm_t auditadm auditadm_t
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.35/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.36/policy/users
 --- nsaserefpolicy/policy/users	2006-02-15 17:02:30.000000000 -0500
-+++ serefpolicy-2.2.35/policy/users	2006-04-24 20:16:38.000000000 -0400
++++ serefpolicy-2.2.36/policy/users	2006-04-28 22:53:54.000000000 -0400
 @@ -29,7 +29,7 @@
  gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.181
retrieving revision 1.182
diff -u -r1.181 -r1.182
--- selinux-policy.spec	25 Apr 2006 15:19:51 -0000	1.181
+++ selinux-policy.spec	29 Apr 2006 04:47:05 -0000	1.182
@@ -15,13 +15,12 @@
 %define CHECKPOLICYVER 1.30.1-2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.35
-Release: 2
+Version: 2.2.36
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-20060411.patch
-patch2: xm.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -151,7 +150,6 @@
 %prep 
 %setup -q -n serefpolicy-%{version}
 %patch -p1
-%patch2 -p1
 
 %install
 # Build targeted policy
@@ -269,6 +267,8 @@
 %triggerpostun targeted -- selinux-policy-targeted <= 2.0.7
 %rebuildpolicy targeted
 
+%rebuildpolicy targeted
+
 %files targeted
 %fileList targeted
 
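Review bot: The added `%rebuildpolicy targeted` at the end of this hunk has no section header between it and the `%triggerpostun targeted -- selinux-policy-targeted <= 2.0.7` scriptlet above, so it becomes a second invocation inside that same trigger body rather than an unconditional post-install step. If the intent is to rebuild on every upgrade it needs its own `%post targeted` (or an unversioned trigger); if not, the line duplicates the one two lines above and should be dropped.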
@@ -295,9 +295,6 @@
 %relabel mls
 ln -sf ../devel/include /usr/share/selinux/mls/include
 
-%triggerpostun mls -- mls <= 2.0.7
-%{rebuildpolicy} mls 
-
 %files mls
 %fileList mls
 
@@ -325,6 +322,12 @@
 %relabel strict
 ln -sf ../devel/include /usr/share/selinux/strict/include
 
+%triggerpostun strict -- selinux-policy-strict <= 2.2.35-2
+cd /usr/share/selinux/strict
+x=`ls *.pp | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`
+semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init -r libraries -r locallogin -r logging -r lvm -r miscfiles -r modutils -r mount -r mta -r netutils -r selinuxutil -r storage -r sysnetwork -r udev -r userdomain -r vpnc -r xend $x -s strict
+
+
 %triggerpostun strict -- strict <= 2.0.7
 %{rebuildpolicy} strict 
 
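Review bot: The new strict `%triggerpostun` does `cd /usr/share/selinux/strict` without checking that it succeeded, so on a system where the directory is absent the following `ls *.pp` and `semodule` run against whatever the scriptlet's working directory happens to be; `cd /usr/share/selinux/strict || exit 0` is the usual guard. The module list is built with `ls *.pp | grep -v ... | awk`, which works for the current file names but would be more robust as a shell glob loop. It is unclear from the hunk whether the mls store, whose `<= 2.0.7` trigger is removed in the previous hunk, needs the same base-module consolidation as strict.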
@@ -334,6 +337,9 @@
 %endif
 
 %changelog
+* Tue Apr 25 2006 Dan Walsh <dwalsh at redhat.com> 2.2.36-1
+- Update to upstream
+
 * Tue Apr 25 2006 James Antill <jantill at redhat.com> 2.2.35-2
 - Add xm policy
 - Fix policygentool



