rpms/selinux-policy/devel policy-20061106.patch, 1.31, 1.32 selinux-policy.spec, 1.358, 1.359
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Dec 5 23:05:42 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31665
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Mon Dec 4 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-6
- Fix polyinstantiation
- Fix pcscd handling of terminal
Resolves: #218149
Resolves: #218350
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 2
policy/global_tunables | 40 ++
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.te | 4
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 41 --
policy/modules/admin/usermanage.te | 3
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 3
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 49 +++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 112 +++++++
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 49 ---
policy/modules/services/cron.te | 13
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 12
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 69 ++++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 4
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 7
policy/modules/system/authlogin.te | 5
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.te | 22 +
policy/modules/system/iptables.te | 6
policy/modules/system/libraries.fc | 26 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 38 ++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 109 +++++++
policy/modules/system/selinuxutil.te | 105 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 15
policy/modules/system/userdomain.if | 481 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 52 ---
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
120 files changed, 1765 insertions(+), 421 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- policy-20061106.patch 1 Dec 2006 21:52:08 -0000 1.31
+++ policy-20061106.patch 5 Dec 2006 23:05:39 -0000 1.32
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.6/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-11-16 17:15:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/flask/access_vectors 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/flask/access_vectors 2006-12-05 13:19:41.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
@@ -12,7 +12,7 @@
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/global_tunables 2006-12-01 15:25:57.000000000 -0500
++++ serefpolicy-2.4.6/policy/global_tunables 2006-12-05 13:19:41.000000000 -0500
@@ -82,6 +82,14 @@
## <desc>
@@ -28,8 +28,11 @@
## Allow gssd to read temp directory.
## </p>
## </desc>
-@@ -574,6 +582,13 @@
+@@ -572,8 +580,16 @@
+ ## </p>
+ ## </desc>
gen_tunable(xdm_sysadm_login,false)
++
')
+## <desc>
@@ -42,7 +45,7 @@
########################################
#
# Targeted policy specific
-@@ -589,6 +604,13 @@
+@@ -589,6 +605,13 @@
## <desc>
## <p>
@@ -56,7 +59,7 @@
## Allow mount to mount any file
## </p>
## </desc>
-@@ -596,8 +618,30 @@
+@@ -596,8 +619,23 @@
## <desc>
## <p>
@@ -66,13 +69,6 @@
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
+
-+## <desc>
-+## <p>
-+## Allow xen to read/write physical disk devices
-+## </p>
-+## </desc>
-+gen_tunable(xen_use_raw_disk,true)
-+
')
+
+## <desc>
@@ -90,7 +86,7 @@
+gen_tunable(use_lpd_server,false)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.6/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/acct.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/acct.te 2006-12-05 13:19:41.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
@@ -101,7 +97,7 @@
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.4.6/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2006-12-05 13:19:41.000000000 -0500
@@ -127,4 +127,21 @@
allow $1 amanda_log_t:file ra_file_perms;
')
@@ -126,7 +122,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.6/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-05 13:19:41.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -137,7 +133,7 @@
allow amanda_t amanda_amandates_t:file { getattr lock read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te 2006-12-05 13:19:41.000000000 -0500
@@ -218,3 +218,7 @@
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
@@ -148,7 +144,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te 2006-12-05 13:19:41.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -182,7 +178,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.6/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/dmesg.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/dmesg.te 2006-12-05 13:19:41.000000000 -0500
@@ -10,6 +10,7 @@
type dmesg_t;
type dmesg_exec_t;
@@ -193,7 +189,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.4.6/policy/modules/admin/firstboot.if
--- nsaserefpolicy/policy/modules/admin/firstboot.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/firstboot.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/firstboot.if 2006-12-05 13:19:41.000000000 -0500
@@ -96,7 +96,7 @@
########################################
@@ -218,7 +214,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.6/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-12-05 13:19:41.000000000 -0500
@@ -53,6 +53,7 @@
corecmd_exec_ls(logwatch_t)
@@ -229,7 +225,7 @@
domain_read_all_domains_state(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.6/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-12-05 13:19:41.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
@@ -245,7 +241,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.6/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te 2006-12-05 13:19:41.000000000 -0500
@@ -57,6 +57,7 @@
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
@@ -274,8 +270,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.fc serefpolicy-2.4.6/policy/modules/admin/quota.fc
--- nsaserefpolicy/policy/modules/admin/quota.fc 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/quota.fc 2006-11-30 17:03:20.000000000 -0500
-@@ -7,8 +7,15 @@
++++ serefpolicy-2.4.6/policy/modules/admin/quota.fc 2006-12-05 17:18:21.000000000 -0500
+@@ -7,8 +7,13 @@
/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
')
@@ -284,8 +280,6 @@
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/usr/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
-+/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
@@ -294,7 +288,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-2.4.6/policy/modules/admin/quota.te
--- nsaserefpolicy/policy/modules/admin/quota.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/quota.te 2006-12-01 15:42:27.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/quota.te 2006-12-05 13:19:41.000000000 -0500
@@ -21,15 +21,18 @@
allow quota_t self:process signal_perms;
@@ -337,7 +331,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.6/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.fc 2006-12-05 13:19:41.000000000 -0500
@@ -21,6 +21,9 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -350,7 +344,7 @@
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.6/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.if 2006-12-05 13:19:41.000000000 -0500
@@ -278,3 +278,27 @@
dontaudit $1 rpm_var_lib_t:file create_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
@@ -381,7 +375,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.6/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.te 2006-12-05 13:19:41.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -450,7 +444,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-05 13:19:41.000000000 -0500
@@ -189,7 +189,7 @@
#
@@ -470,7 +464,7 @@
allow useradd_t self:fd use;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/java.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/java.fc 2006-12-05 13:19:41.000000000 -0500
@@ -1,7 +1,7 @@
#
# /opt
@@ -480,9 +474,19 @@
/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.4.6/policy/modules/apps/java.te
+--- nsaserefpolicy/policy/modules/apps/java.te 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/java.te 2006-12-05 14:54:18.000000000 -0500
+@@ -20,4 +20,6 @@
+ allow java_t self:process { execstack execmem execheap };
+ unconfined_domain_noaudit(java_t)
+ role system_r types java_t;
++ unconfined_dbus_chat(java_t)
++ init_dbus_chat_script(java_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-2.4.6/policy/modules/apps/loadkeys.if
--- nsaserefpolicy/policy/modules/apps/loadkeys.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/loadkeys.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/loadkeys.if 2006-12-05 13:19:41.000000000 -0500
@@ -50,18 +50,13 @@
## <rolecap/>
#
@@ -510,7 +514,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.4.6/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/slocate.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/slocate.te 2006-12-05 13:19:41.000000000 -0500
@@ -39,6 +39,8 @@
files_list_all(locate_t)
@@ -522,7 +526,7 @@
# mls Higher level directories will be refused, so dontaudit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2006-12-05 16:42:25.000000000 -0500
@@ -73,6 +73,7 @@
ifdef(`targeted_policy',`
@@ -531,14 +535,15 @@
')
#
-@@ -247,3 +248,4 @@
+@@ -247,3 +248,5 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+
++/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.6/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if 2006-12-05 13:19:41.000000000 -0500
@@ -928,7 +928,19 @@
type bin_t, sbin_t;
')
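Review bot: The new entry `/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)` labels a file under /etc as a generic executable, which is unusual for this file and deserves a comment; it presumably pairs with the `corecmd_exec_bin($1)` that this commit adds to the polyinstantiation interface in files.if, so that pam_namespace's setup script can be executed by polyinstantiating domains. Suggest `# pam_namespace setup script; executed by polyinstantiating domains via corecmd_exec_bin` above the line. Appending it after the `ifdef(`distro_suse',` block, separated by a blank line, also makes it easy to miss when reading the file; placing it near the file's other non-/usr entries would help.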
@@ -584,7 +589,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-12-05 15:10:09.000000000 -0500
@@ -998,9 +998,11 @@
interface(`corenet_tcp_sendrecv_reserved_port',`
gen_require(`
@@ -657,7 +662,33 @@
')
########################################
-@@ -1875,3 +1887,21 @@
+@@ -1292,6 +1304,25 @@
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to connect TCP sockets
++## all ports.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_tcp_connect_all_ports',`
++ gen_require(`
++ attribute port_type;
++ ')
++
++ dontaudit $1 port_type:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
+ ## Read and write the TUN/TAP virtual network device.
+ ## </summary>
+ ## <param name="domain">
+@@ -1875,3 +1906,21 @@
typeattribute $1 corenet_unconfined_type;
')
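Review bot: The summary of the new `corenet_dontaudit_tcp_connect_all_ports` interface reads `## Do not audit attempts to connect TCP sockets` / `## all ports.`, which is missing a word; it should be `## Do not audit attempts to connect TCP sockets` / `## to all ports.`. Because the body dontaudits name_connect on every port_type, the summary should also say that callers lose the audit record for all failed TCP connects, so the interface is meant only for domains whose connection denials are known to be noise. The gen_require/dontaudit body itself matches the form of the neighbouring interfaces.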
@@ -681,7 +712,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in 2006-12-05 13:19:41.000000000 -0500
@@ -43,11 +43,16 @@
sid port gen_context(system_u:object_r:port_t,s0)
@@ -724,7 +755,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.m4
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.m4 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.m4 2006-12-05 13:19:41.000000000 -0500
@@ -55,8 +55,8 @@
define(`declare_ports',`dnl
ifelse(eval($3 < 1024),1,`
@@ -738,7 +769,7 @@
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.6/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.fc 2006-12-05 13:19:41.000000000 -0500
@@ -20,11 +20,13 @@
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
@@ -772,7 +803,7 @@
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.4.6/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.te 2006-12-05 13:19:41.000000000 -0500
@@ -27,6 +27,12 @@
dev_node(agp_device_t)
@@ -788,7 +819,7 @@
type apm_bios_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.6/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/domain.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.te 2006-12-05 13:19:41.000000000 -0500
@@ -144,3 +144,10 @@
# act on all domains keys
@@ -802,7 +833,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2006-12-05 17:31:26.000000000 -0500
@@ -353,8 +353,7 @@
########################################
@@ -878,7 +909,22 @@
# Need to give access to the polyinstantiated subdirectories
allow $1 polymember:dir search_dir_perms;
-@@ -4559,3 +4593,69 @@
+@@ -4491,11 +4525,13 @@
+ allow $1 self:process setfscreate;
+ allow $1 polymember: dir { create setattr relabelto };
+ allow $1 polydir: dir { write add_name };
+- allow $1 polyparent:dir { write add_name relabelfrom relabelto };
++ allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };
+
+ # Default type for mountpoints
+ allow $1 poly_t:dir { create mounton };
+ fs_unmount_xattr_fs($1)
++ corecmd_exec_bin($1)
++
+ ')
+
+ ########################################
+@@ -4559,3 +4595,69 @@
typealias etc_runtime_t alias $1;
')
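Review bot: `corecmd_exec_bin($1)` added inside the polyinstantiation interface grants every caller execution of all bin_t/sbin_t programs, far broader than the directory permissions the rest of the interface hands out, and it has no comment; the interface's header is outside the hunk. Presumably it exists so pam_namespace can run /etc/security/namespace.init, which this commit labels bin_t in corecommands.fc; if so, a dedicated exec type for that script would narrow the grant, and at minimum a comment such as `# pam_namespace runs /etc/security/namespace.init (bin_t) to set up instance dirs` should sit above the line. The widened `allow $1 polyparent:dir { read write remove_name add_name relabelfrom relabelto };` likewise deserves a note on why remove_name on the parent directory is now required.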
@@ -950,7 +996,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.6/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2006-12-05 13:19:41.000000000 -0500
@@ -21,9 +21,11 @@
# Use xattrs for the following filesystem types.
@@ -980,7 +1026,7 @@
+fs_associate_noxattr(noxattrfs)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.4.6/policy/modules/kernel/terminal.fc
--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.fc 2006-12-05 13:19:41.000000000 -0500
@@ -11,6 +11,7 @@
/dev/ircomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -991,7 +1037,7 @@
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.4.6/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.if 2006-12-05 13:19:41.000000000 -0500
@@ -636,6 +636,8 @@
attribute ptynode;
')
@@ -1003,7 +1049,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.6/policy/modules/kernel/terminal.te
--- nsaserefpolicy/policy/modules/kernel/terminal.te 2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.te 2006-12-05 13:19:41.000000000 -0500
@@ -28,6 +28,7 @@
type devpts_t;
files_mountpoint(devpts_t)
@@ -1014,7 +1060,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.6/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apache.fc 2006-12-05 13:19:41.000000000 -0500
@@ -45,6 +45,7 @@
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -1038,7 +1084,7 @@
+/opt/fortitude/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apache.te 2006-12-05 13:19:41.000000000 -0500
@@ -143,6 +143,8 @@
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -1105,9 +1151,20 @@
miscfiles_read_localization(httpd_rotatelogs_t)
ifdef(`targeted_policy',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.4.6/policy/modules/services/apm.te
+--- nsaserefpolicy/policy/modules/services/apm.te 2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apm.te 2006-12-05 15:23:11.000000000 -0500
+@@ -195,7 +195,6 @@
+
+ optional_policy(`
+ cron_system_entry(apmd_t, apmd_exec_t)
+- cron_anacron_domtrans_system_job(apmd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/automount.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/automount.te 2006-12-05 13:19:41.000000000 -0500
@@ -76,6 +76,7 @@
files_mounton_all_mountpoints(automount_t)
files_mount_all_file_type_fs(automount_t)
@@ -1118,7 +1175,7 @@
fs_unmount_all_fs(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-2.4.6/policy/modules/services/avahi.if
--- nsaserefpolicy/policy/modules/services/avahi.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/avahi.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/avahi.if 2006-12-05 13:19:41.000000000 -0500
@@ -20,3 +20,24 @@
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
@@ -1146,7 +1203,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-2.4.6/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/bind.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/bind.fc 2006-12-05 13:19:41.000000000 -0500
@@ -29,6 +29,7 @@
ifdef(`distro_redhat',`
@@ -1157,7 +1214,7 @@
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.4.6/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/clamav.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/clamav.te 2006-12-05 13:19:41.000000000 -0500
@@ -86,6 +86,8 @@
kernel_dontaudit_list_proc(clamd_t)
@@ -1167,9 +1224,21 @@
corenet_non_ipsec_sendrecv(clamd_t)
corenet_tcp_sendrecv_all_if(clamd_t)
corenet_tcp_sendrecv_all_nodes(clamd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.4.6/policy/modules/services/cron.fc
+--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.fc 2006-12-05 14:48:20.000000000 -0500
+@@ -5,7 +5,7 @@
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
++/usr/sbin/anacron -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.6/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-12-05 15:21:35.000000000 -0500
@@ -54,9 +54,6 @@
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
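Review bot: Relabelling `/usr/sbin/anacron` from anacron_exec_t to crond_exec_t makes anacron enter whatever domain crond_exec_t already enters (crond_t) rather than system_crond_t, and the cron.te hunk later in this commit deletes the anacron_exec_t type altogether; any other module that still names anacron_exec_t in a gen_require would then fail to build, which this chunk cannot show. Worth a grep for anacron_exec_t across the policy tree before merging. A short comment beside the entry, e.g. `# anacron is treated as a cron daemon, not as a cron job`, would record the intent so the label is not "fixed" back later.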
@@ -1243,10 +1312,60 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
+@@ -472,29 +460,6 @@
+
+ ########################################
+ ## <summary>
+-## Execute APM in the apm domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed access.
+-## </summary>
+-## </param>
+-#
+-interface(`cron_anacron_domtrans_system_job',`
+- gen_require(`
+- type system_crond_t, anacron_exec_t;
+- ')
+-
+- domain_auto_trans($1,anacron_exec_t,system_crond_t)
+-
+- allow $1 system_crond_t:fd use;
+- allow system_crond_t $1:fd use;
+- allow system_crond_t $1:fifo_file rw_file_perms;
+- allow system_crond_t $1:process sigchld;
+-')
+-
+-########################################
+-## <summary>
+ ## Inherit and use a file descriptor
+ ## from system cron jobs.
+ ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-11-30 17:03:20.000000000 -0500
-@@ -86,7 +86,7 @@
++++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-05 16:46:56.000000000 -0500
+@@ -11,9 +11,6 @@
+ #
+ attribute cron_spool_type;
+
+-type anacron_exec_t;
+-corecmd_executable_file(anacron_exec_t)
+-
+ type cron_spool_t;
+ files_type(cron_spool_t)
+
+@@ -47,8 +44,8 @@
+ typealias crond_t alias system_crond_t;
+ ',`
+ type system_crond_t;
++ domain_type(system_crond_t)
+ ')
+-init_daemon_domain(system_crond_t,anacron_exec_t)
+ corecmd_shell_entry_type(system_crond_t)
+ role system_r types system_crond_t;
+
+@@ -86,7 +83,7 @@
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
@@ -1255,7 +1374,15 @@
allow crond_t crond_var_run_t:file create_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
-@@ -166,6 +166,11 @@
+@@ -98,6 +95,7 @@
+
+ kernel_read_kernel_sysctls(crond_t)
+ kernel_search_key(crond_t)
++kernel_link_key(crond_t)
+
+ dev_read_sysfs(crond_t)
+ selinux_get_fs_mount(crond_t)
+@@ -166,6 +164,11 @@
')
')
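Review bot: `kernel_link_key(crond_t)` is added with no comment saying which keyring crond needs to link, and the ssh.te hunk (L1088–L1104) completes the same search+link pair for sshd_t, also uncommented. Link access to kernel keyrings lets the daemon attach keys to any keyring it can reach, which is the kind of right policy should explain in place. A why-comment next to each, e.g. `# session keyring setup when jobs/logins start (pam_keyinit?) — confirm`, would do.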
@@ -1269,7 +1396,7 @@
allow crond_t system_crond_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.6/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cups.fc 2006-12-05 13:19:41.000000000 -0500
@@ -23,7 +23,7 @@
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -1281,7 +1408,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cups.te 2006-12-05 13:19:41.000000000 -0500
@@ -118,6 +118,8 @@
allow cupsd_t cupsd_tmp_t:file create_file_perms;
allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
@@ -1319,7 +1446,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.6/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cvs.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cvs.te 2006-12-05 13:19:41.000000000 -0500
@@ -9,6 +9,7 @@
type cvs_t;
type cvs_exec_t;
@@ -1330,7 +1457,7 @@
type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.4.6/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dbus.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/dbus.fc 2006-12-05 13:19:41.000000000 -0500
@@ -4,3 +4,4 @@
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
@@ -1338,7 +1465,7 @@
+/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.6/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dbus.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/dbus.if 2006-12-05 13:19:41.000000000 -0500
@@ -123,6 +123,7 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -1349,7 +1476,7 @@
corecmd_read_bin_files($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.4.6/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-01 15:24:24.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-05 13:19:41.000000000 -0500
@@ -103,6 +103,7 @@
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -1396,7 +1523,7 @@
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.4.6/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/hal.fc 2006-12-05 13:19:41.000000000 -0500
@@ -7,3 +7,7 @@
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -1407,7 +1534,7 @@
+/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.4.6/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/hal.if 2006-12-05 13:19:41.000000000 -0500
@@ -157,3 +157,23 @@
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
@@ -1434,7 +1561,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.6/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/hal.te 2006-12-05 13:19:41.000000000 -0500
@@ -16,6 +16,9 @@
type hald_var_run_t;
files_pid_file(hald_var_run_t)
@@ -1459,7 +1586,7 @@
files_pid_filetrans(hald_t,hald_var_run_t,file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.4.6/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.if 2006-12-05 13:19:41.000000000 -0500
@@ -57,6 +57,7 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_connect_kerberos_port($1)
@@ -1470,7 +1597,7 @@
sysnet_dns_name_resolve($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.4.6/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.te 2006-12-05 13:19:41.000000000 -0500
@@ -156,14 +156,21 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
@@ -1497,7 +1624,7 @@
allow krb5kdc_t krb5kdc_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.6/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/lpd.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/lpd.if 2006-12-05 13:19:41.000000000 -0500
@@ -64,33 +64,35 @@
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -1561,7 +1688,7 @@
# Transition from the user domain to the derived domain.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.6/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/mta.if 2006-12-05 13:19:41.000000000 -0500
@@ -820,6 +820,7 @@
type mqueue_spool_t;
')
@@ -1572,7 +1699,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.6/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/mta.te 2006-12-05 13:19:41.000000000 -0500
@@ -27,6 +27,7 @@
type sendmail_exec_t;
@@ -1583,7 +1710,7 @@
role system_r types system_mail_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-2.4.6/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nis.fc 2006-12-05 13:19:41.000000000 -0500
@@ -8,3 +8,4 @@
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
@@ -1591,8 +1718,22 @@
+/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.4.6/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.if 2006-11-30 17:03:20.000000000 -0500
-@@ -81,8 +81,6 @@
++++ serefpolicy-2.4.6/policy/modules/services/nis.if 2006-12-05 15:14:12.000000000 -0500
+@@ -52,10 +52,13 @@
+ corenet_udp_bind_reserved_port($1)
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1)
++ corenet_dontaudit_tcp_bind_all_ports($1)
++ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_reserved_ports($1)
++ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+@@ -81,8 +84,6 @@
tunable_policy(`allow_ypbind',`
nis_use_ypbind_uncond($1)
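Review bot: The three new `corenet_dontaudit_*_all_ports($1)` calls silence bind and connect denials on every port for every domain that uses this interface, whose name begins outside the hunk; dontaudit grants nothing, but a client that genuinely needs a non-reserved port will now fail with no AVC to point at. The existing lines above only suppressed the reserved-port range, so this is a large drop in audit visibility for an interface shared by many callers. If the aim is only to quiet ypbind's port probing, a comment saying so, `# ypbind probes arbitrary ports; these denials are expected noise`, and a run with dontaudit rules disabled to confirm nothing real is lost would justify it.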
@@ -1601,7 +1742,7 @@
')
')
-@@ -247,10 +245,9 @@
+@@ -247,10 +248,9 @@
type ypxfr_t, ypxfr_exec_t;
')
@@ -1615,7 +1756,7 @@
allow ypxfr_t $1:process sigchld;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.4.6/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nis.te 2006-12-05 13:19:41.000000000 -0500
@@ -329,6 +329,12 @@
# ypxfr local policy
#
@@ -1640,7 +1781,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.6/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nscd.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nscd.if 2006-12-05 13:19:41.000000000 -0500
@@ -181,3 +181,23 @@
allow $1 nscd_t:nscd *;
@@ -1667,7 +1808,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.6/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nscd.te 2006-12-01 11:46:10.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nscd.te 2006-12-05 13:19:42.000000000 -0500
@@ -35,7 +35,6 @@
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
@@ -1719,7 +1860,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.6/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/oddjob.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/oddjob.te 2006-12-05 13:19:42.000000000 -0500
@@ -10,6 +10,7 @@
type oddjob_exec_t;
domain_type(oddjob_t)
@@ -1739,7 +1880,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-2.4.6/policy/modules/services/pcscd.fc
--- nsaserefpolicy/policy/modules/services/pcscd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.fc 2006-12-05 13:19:42.000000000 -0500
@@ -0,0 +1,9 @@
+# pcscd executable will have:
+# label: system_u:object_r:pcscd_exec_t
@@ -1752,7 +1893,7 @@
+/var/run/pcscd\.comm -s gen_context(system_u:object_r:pcscd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-2.4.6/policy/modules/services/pcscd.if
--- nsaserefpolicy/policy/modules/services/pcscd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.if 2006-12-05 13:19:42.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>policy for pcscd</summary>
+
@@ -1779,8 +1920,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-2.4.6/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.te 2006-11-30 17:03:20.000000000 -0500
-@@ -0,0 +1,58 @@
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.te 2006-12-05 13:19:42.000000000 -0500
+@@ -0,0 +1,69 @@
+policy_module(pcscd,1.0.0)
+
+########################################
@@ -1834,14 +1975,25 @@
+
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
+
-+logging_send_syslog_msg(pcscd_t)
-+term_dontaudit_getattr_pty_dirs(pcscd_t)
++init_dontaudit_use_fds(pcscd_t)
++
+dev_rw_generic_usb_dev(pcscd_t)
++
+files_read_etc_runtime_files(pcscd_t)
+
++logging_send_syslog_msg(pcscd_t)
++
++term_dontaudit_getattr_pty_dirs(pcscd_t)
++
++ifdef(`targeted_policy',`
++ term_dontaudit_use_generic_ptys(pcscd_t)
++ term_dontaudit_use_unallocated_ttys(pcscd_t)
++ term_dontaudit_use_console(pcscd_t)
++')
++
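Review bot: The three term_dontaudit rules are wrapped in an ifdef on targeted_policy, so under strict policy pcscd's console/tty denials keep being logged while `init_dontaudit_use_fds(pcscd_t)` above applies to both; if the inherited descriptors come from init in both policies the ifdef looks unintended. Nothing says where pcscd picks up a tty or console; a line above the ifdef such as `# pcscd inherits tty/console fds from whatever started it; silence, do not allow` would record the choice. As written this is a quieting change only and grants no terminal access.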
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.6/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pegasus.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pegasus.if 2006-12-05 13:19:42.000000000 -0500
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -1877,7 +2029,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.6/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pegasus.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pegasus.te 2006-12-05 13:19:42.000000000 -0500
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -1896,7 +2048,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.4.6/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/postfix.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/postfix.te 2006-12-05 13:19:42.000000000 -0500
@@ -382,6 +382,10 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -1936,7 +2088,7 @@
# Postfix smtpd local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.6/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/procmail.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/procmail.te 2006-12-05 13:19:42.000000000 -0500
@@ -10,6 +10,7 @@
type procmail_exec_t;
domain_type(procmail_t)
@@ -1969,7 +2121,7 @@
userdom_dontaudit_search_staff_home_dirs(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.4.6/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rlogin.te 2006-12-01 12:44:56.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rlogin.te 2006-12-05 13:19:42.000000000 -0500
@@ -62,6 +62,7 @@
dev_read_urand(rlogind_t)
@@ -1999,7 +2151,7 @@
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.4.6/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rpc.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rpc.te 2006-12-05 13:19:42.000000000 -0500
@@ -121,6 +121,7 @@
#
@@ -2010,7 +2162,7 @@
allow gssd_t gssd_tmp_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.6/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rsync.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rsync.te 2006-12-05 13:19:42.000000000 -0500
@@ -9,6 +9,7 @@
type rsync_t;
type rsync_exec_t;
@@ -2021,7 +2173,7 @@
type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.4.6/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/samba.if 2006-12-05 13:19:42.000000000 -0500
@@ -140,6 +140,7 @@
')
@@ -2040,7 +2192,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/samba.te 2006-12-05 13:19:42.000000000 -0500
@@ -349,7 +349,7 @@
allow nmbd_t samba_etc_t:file { getattr read };
@@ -2079,7 +2231,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.6/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/sasl.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/sasl.te 2006-12-05 13:19:42.000000000 -0500
@@ -47,6 +47,8 @@
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
@@ -2089,9 +2241,20 @@
term_dontaudit_use_console(saslauthd_t)
auth_domtrans_chk_passwd(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.4.6/policy/modules/services/smartmon.te
+--- nsaserefpolicy/policy/modules/services/smartmon.te 2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/smartmon.te 2006-12-05 14:22:49.000000000 -0500
+@@ -61,6 +61,7 @@
+ fs_search_auto_mountpoints(fsdaemon_t)
+
+ mls_file_read_up(fsdaemon_t)
++mls_file_write_down(fsdaemon_t)
+
+ storage_raw_read_fixed_disk(fsdaemon_t)
+ storage_raw_write_fixed_disk(fsdaemon_t)
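Review bot: `mls_file_write_down(fsdaemon_t)` exempts smartd from the MLS no-write-down constraint with no comment saying which lower-level file it needs to write. Together with the existing `mls_file_read_up(fsdaemon_t)` on the line above this makes fsdaemon_t an MLS bypass for files in both directions, a trusted-subject decision that should be recorded beside the rule. A comment like `# writes state/log files below its own level — TODO confirm which` would let a later reviewer verify the need.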
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.6/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/snmp.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/snmp.te 2006-12-05 13:19:42.000000000 -0500
@@ -77,6 +77,7 @@
dev_read_sysfs(snmpd_t)
dev_read_urand(snmpd_t)
@@ -2114,7 +2277,7 @@
storage_dontaudit_read_fixed_disk(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.6/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2006-12-05 13:19:42.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
@@ -2143,7 +2306,7 @@
corenet_sendrecv_generic_server_packets(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ssh.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ssh.te 2006-12-05 13:38:33.000000000 -0500
@@ -10,7 +10,7 @@
# ssh client executable.
@@ -2153,14 +2316,22 @@
type ssh_keygen_t;
type ssh_keygen_exec_t;
-@@ -259,3 +259,4 @@
+@@ -82,6 +82,7 @@
+ allow sshd_t sshd_tmp_t:sock_file create_file_perms;
+ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+
++ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+
+ # for X forwarding
+@@ -259,3 +260,4 @@
optional_policy(`
udev_read_db(ssh_keygen_t)
')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.4.6/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/telnet.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/telnet.te 2006-12-05 13:19:42.000000000 -0500
@@ -32,6 +32,7 @@
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
@@ -2171,7 +2342,7 @@
allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.4.6/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/tftp.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/tftp.te 2006-12-05 13:19:42.000000000 -0500
@@ -54,6 +54,8 @@
dev_read_sysfs(tftpd_t)
@@ -2183,7 +2354,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-2.4.6/policy/modules/services/uucp.fc
--- nsaserefpolicy/policy/modules/services/uucp.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/uucp.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/uucp.fc 2006-12-05 13:19:42.000000000 -0500
@@ -1,5 +1,6 @@
/usr/sbin/uucico -- gen_context(system_u:object_r:uucpd_exec_t,s0)
@@ -2193,7 +2364,7 @@
/var/spool/uucppublic(/.*)? gen_context(system_u:object_r:uucpd_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-2.4.6/policy/modules/services/uucp.if
--- nsaserefpolicy/policy/modules/services/uucp.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/uucp.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/uucp.if 2006-12-05 13:19:42.000000000 -0500
@@ -1 +1,68 @@
## <summary>Unix to Unix Copy</summary>
+
@@ -2265,7 +2436,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-2.4.6/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/uucp.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/uucp.te 2006-12-05 13:19:42.000000000 -0500
@@ -10,6 +10,12 @@
inetd_tcp_service_domain(uucpd_t,uucpd_exec_t)
role system_r types uucpd_t;
@@ -2330,7 +2501,7 @@
+logging_search_logs(uux_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.6/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/xserver.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/xserver.if 2006-12-05 13:19:42.000000000 -0500
@@ -906,10 +906,12 @@
domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -2388,23 +2559,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-01 15:41:41.000000000 -0500
-@@ -232,6 +232,14 @@
-
- tunable_policy(`allow_polyinstantiation',`
- files_polyinstantiate_all($1)
-+ # Add/remove user home directories
-+ userdom_manage_generic_user_home_dirs($1)
-+ userdom_relabel_generic_user_home_dirs($1)
-+ userdom_relabel_staff_home_dirs($1)
-+ ifdef(`strict_policy',`
-+ userdom_manage_staff_home_dirs($1)
-+ userdom_staff_home_dir_filetrans_staff_home_content($1, dir)
-+ ')
- ')
- ')
-
-@@ -1258,7 +1266,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-05 17:57:10.000000000 -0500
+@@ -214,6 +214,7 @@
+ mls_file_upgrade($1)
+ mls_file_downgrade($1)
+ mls_process_set_level($1)
++ mls_fd_share_all_levels($1)
+
+ auth_domtrans_chk_passwd($1)
+ auth_dontaudit_read_shadow($1)
+@@ -1258,7 +1259,7 @@
type wtmp_t;
')
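Review bot: The allow_polyinstantiation block that gave login programs home-directory management (userdom_manage_generic_user_home_dirs and the staff variants) is dropped from this patch here and the only addition is `mls_fd_share_all_levels($1)`, yet the changelog entry reads "Fix polyinstatiation". If those rules moved into another module outside this chunk the changelog should name it; otherwise login domains using this interface lose the ability to create polyinstantiated home directories. `mls_fd_share_all_levels($1)` lets every caller pass descriptors across MLS levels and deserves a why-comment, e.g. `# login programs hand fds to sessions at any level`. The enclosing interface begins outside the hunk.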
@@ -2413,7 +2577,7 @@
')
#######################################
-@@ -1374,6 +1382,10 @@
+@@ -1374,6 +1375,10 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -2426,7 +2590,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.6/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.te 2006-12-05 13:19:42.000000000 -0500
@@ -141,6 +141,7 @@
allow pam_console_t pam_var_console_t:lnk_file { getattr read };
allow pam_console_t pam_var_console_t:file r_file_perms;
@@ -2462,7 +2626,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.4.6/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/clock.te 2006-12-01 16:42:11.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/clock.te 2006-12-05 13:19:42.000000000 -0500
@@ -25,16 +25,16 @@
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
@@ -2486,7 +2650,7 @@
dev_rw_realtime_clock(hwclock_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.4.6/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/fstools.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/fstools.fc 2006-12-05 13:19:42.000000000 -0500
@@ -19,7 +19,6 @@
/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -2497,7 +2661,7 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.6/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/fstools.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/fstools.te 2006-12-05 13:19:42.000000000 -0500
@@ -9,7 +9,7 @@
type fsadm_t;
type fsadm_exec_t;
@@ -2509,7 +2673,7 @@
type fsadm_log_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/getty.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/getty.te 2006-12-05 13:19:42.000000000 -0500
@@ -33,7 +33,8 @@
#
@@ -2522,7 +2686,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.6/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/hostname.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/hostname.te 2006-12-05 13:19:42.000000000 -0500
@@ -8,8 +8,12 @@
type hostname_t;
@@ -2547,7 +2711,16 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-05 14:16:30.000000000 -0500
+@@ -189,7 +189,7 @@
+ # Init script local policy
+ #
+
+-allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
++allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched setfscreate };
+ allow initrc_t self:capability ~{ sys_admin sys_module };
+ dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+ allow initrc_t self:passwd rootok;
@@ -205,6 +205,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
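Review bot: The added `setfscreate` on `initrc_t self:process` has no comment, unlike the neighbouring `sys_module` dontaudit, and it lets every init script choose the label of the files it creates, so the reason should be recorded next to the rule. The commit message only says "Fix polyinstatiation", so the motivation can only be inferred; a comment such as `# setfscreate: init scripts set the file creation context (polyinstantiation fix, see changelog) -- confirm which script needs it` would give the next reader something to verify. The enclosing initrc_t local policy continues outside this inner hunk.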
@@ -2558,17 +2731,20 @@
can_exec(initrc_t,initrc_exec_t)
allow initrc_t initrc_state_t:dir manage_dir_perms;
-@@ -347,7 +350,8 @@
+@@ -347,7 +350,11 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
-miscfiles_read_localization(initrc_t)
++# init scripts cp /etc/localtime over other directories localtime
+miscfiles_rw_localization(initrc_t)
++miscfiles_setattr_localization(initrc_t)
++miscfiles_relabel_localization(initrc_t)
+
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-@@ -500,6 +504,14 @@
+@@ -500,6 +507,14 @@
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
')
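Review bot: The new `miscfiles_rw_localization`, `miscfiles_setattr_localization` and `miscfiles_relabel_localization` calls give initrc_t write, setattr and relabel on every `locale_t` file, while the comment only justifies copying /etc/localtime. The file contexts shown later in this patch label /usr/share/zoneinfo as `locale_t` too, so the grant is wider than the comment states; either narrow the rule to the localtime file or make the comment honest, e.g. `# init scripts cp /etc/localtime over other directories localtime; note this grants write/relabel on all locale_t files, not just localtime`. The write access also drops the previous read-only `miscfiles_read_localization`, which is worth a sentence in the changelog.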
@@ -2583,7 +2759,7 @@
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
-@@ -710,6 +722,9 @@
+@@ -710,6 +725,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -2595,7 +2771,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.4.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2006-12-05 13:19:42.000000000 -0500
@@ -85,7 +85,7 @@
optional_policy(`
@@ -2615,7 +2791,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/libraries.fc 2006-12-05 13:19:42.000000000 -0500
@@ -131,6 +131,7 @@
/usr/lib/win32/.* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -2691,7 +2867,7 @@
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.4.6/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/libraries.te 2006-12-05 13:19:42.000000000 -0500
@@ -81,12 +81,6 @@
userdom_use_all_users_fds(ldconfig_t)
@@ -2707,7 +2883,7 @@
unconfined_domain(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.6/policy/modules/system/locallogin.if
--- nsaserefpolicy/policy/modules/system/locallogin.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/locallogin.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/locallogin.if 2006-12-05 13:19:42.000000000 -0500
@@ -75,3 +75,40 @@
allow $1 local_login_t:process signull;
@@ -2751,7 +2927,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/logging.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/logging.te 2006-12-05 13:19:42.000000000 -0500
@@ -53,6 +53,7 @@
type var_log_t;
@@ -2762,7 +2938,7 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.4.6/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.fc 2006-12-05 13:19:42.000000000 -0500
@@ -95,3 +95,4 @@
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -2770,7 +2946,7 @@
+/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.6/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2006-12-05 13:19:42.000000000 -0500
@@ -13,6 +13,9 @@
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
@@ -2901,7 +3077,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.4.6/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/miscfiles.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/miscfiles.fc 2006-12-05 13:19:42.000000000 -0500
@@ -39,6 +39,7 @@
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
@@ -2910,9 +3086,57 @@
/usr/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-2.4.6/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2006-11-16 17:15:24.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/miscfiles.if 2006-12-05 14:16:09.000000000 -0500
+@@ -138,6 +138,44 @@
+
+ ########################################
+ ## <summary>
++## Allow process to setattr localization info
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`miscfiles_setattr_localization',`
++ gen_require(`
++ type locale_t;
++ ')
++
++ files_search_usr($1)
++ allow $1 locale_t:dir list_dir_perms;
++ allow $1 locale_t:file setattr;
++')
++
++########################################
++## <summary>
++## Allow process to relabel localization info
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`miscfiles_relabel_localization',`
++ gen_require(`
++ type locale_t;
++ ')
++
++ allow $1 locale_t:file { relabelto relabelfrom };
++')
++
++########################################
++## <summary>
+ ## Allow process to read legacy time localization info
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.6/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/modutils.te 2006-12-05 13:19:42.000000000 -0500
@@ -117,10 +117,6 @@
kernel_domtrans_to(insmod_t,insmod_exec_t)
}
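Review bot: `miscfiles_relabel_localization` grants only `locale_t:file { relabelto relabelfrom }` and, unlike its sibling `miscfiles_setattr_localization` a few lines above, provides no `files_search_usr($1)` or `locale_t:dir` search, so a caller that does not already hold those from another interface cannot reach the files it is allowed to relabel; for consistency add `files_search_usr($1)` and `allow $1 locale_t:dir search_dir_perms;`. Conversely the setattr interface uses `list_dir_perms` where `search_dir_perms` is all a setattr on a file needs. The summaries could also say what "localization info" covers (locale and zoneinfo files) so callers see the scope they are granting.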
@@ -2934,7 +3158,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/mount.te 2006-12-05 13:19:42.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -2995,7 +3219,7 @@
rpm_rw_pipes(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.6/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/raid.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/raid.te 2006-12-05 13:19:42.000000000 -0500
@@ -38,12 +38,15 @@
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -3022,7 +3246,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc 2006-12-05 13:19:42.000000000 -0500
@@ -41,6 +41,7 @@
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
@@ -3033,7 +3257,7 @@
# /var/run
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.6/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if 2006-12-05 13:19:42.000000000 -0500
@@ -713,7 +713,7 @@
')
@@ -3163,7 +3387,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.6/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te 2006-12-05 14:58:53.000000000 -0500
@@ -107,6 +107,19 @@
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -3342,7 +3566,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.4.6/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te 2006-12-05 13:19:42.000000000 -0500
@@ -333,6 +333,9 @@
ifdef(`targeted_policy',`
term_use_generic_ptys(ifconfig_t)
@@ -3355,7 +3579,7 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.4.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc 2006-12-05 13:19:42.000000000 -0500
@@ -7,6 +7,8 @@
ifdef(`targeted_policy',`
/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -3368,7 +3592,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.6/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.if 2006-12-05 13:19:42.000000000 -0500
@@ -31,6 +31,7 @@
allow $1 self:nscd *;
allow $1 self:dbus *;
@@ -3404,7 +3628,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2006-12-05 13:19:42.000000000 -0500
@@ -83,6 +83,9 @@
optional_policy(`
networkmanager_dbus_chat(unconfined_t)
@@ -3454,7 +3678,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-05 17:51:43.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
@@ -3488,7 +3712,24 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -347,6 +355,10 @@
+@@ -319,12 +327,10 @@
+ ## <rolebase/>
+ #
+ template(`userdom_poly_home_template',`
+- ifdef(`enable_polyinstantiation',`
+- type_member $1_t $1_home_dir_t:dir $1_home_t;
+-
+- files_poly($1_home_dir_t)
+- files_poly_member($1_home_t)
+- ')
++ type_member $1_t $1_home_dir_t:dir $1_home_t;
++ files_poly($1_home_dir_t)
++ files_poly_parent($1_home_t)
++ files_poly_member($1_home_t)
+ ')
+
+ #######################################
+@@ -347,6 +353,10 @@
## <rolebase/>
#
template(`userdom_manage_tmp_template',`
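Review bot: Removing the `ifdef(`enable_polyinstantiation'` guard makes `type_member`, `files_poly`, the new `files_poly_parent` and `files_poly_member` unconditional for every user domain built from this template, so the template's behaviour no longer follows the build option; the same guard is dropped from `userdom_poly_tmp_template` in the next hunk. If this is the intended fix (the spec change to `POLY=y` in this commit suggests polyinstantiation is meant to be always on for these builds), the template documentation above this hunk should state that the rules are unconditional, e.g. `## Polyinstantiation rules are applied unconditionally; the enable_polyinstantiation build option no longer gates this template.` The rest of the template's doc block lies outside the hunk.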
@@ -3499,7 +3740,18 @@
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
-@@ -415,6 +427,9 @@
+@@ -387,9 +397,7 @@
+ ## <rolebase/>
+ #
+ template(`userdom_poly_tmp_template',`
+- ifdef(`enable_polyinstantiation',`
+- files_poly_member_tmp($1_t,$1_tmp_t)
+- ')
++ files_poly_member_tmp($1_t,$1_tmp_t)
+ ')
+
+ #######################################
+@@ -415,6 +423,9 @@
## <rolebase/>
#
template(`userdom_manage_tmpfs_template',`
@@ -3509,7 +3761,7 @@
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
-@@ -673,6 +688,8 @@
+@@ -673,6 +684,8 @@
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
@@ -3518,7 +3770,7 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-@@ -1188,7 +1205,7 @@
+@@ -1188,7 +1201,7 @@
ifdef(`xserver.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
@@ -3527,7 +3779,7 @@
')
')
') dnl endif TODO
-@@ -1859,7 +1876,7 @@
+@@ -1859,7 +1872,7 @@
')
files_search_home($2)
@@ -3536,7 +3788,7 @@
allow $2 $1_home_t:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
')
-@@ -1962,8 +1979,8 @@
+@@ -1962,8 +1975,8 @@
')
files_search_home($2)
@@ -3547,7 +3799,7 @@
allow $2 $1_home_t:lnk_file r_file_perms;
')
-@@ -1998,8 +2015,8 @@
+@@ -1998,8 +2011,8 @@
')
files_search_home($2)
@@ -3558,7 +3810,7 @@
can_exec($2,$1_home_t)
')
-@@ -2069,7 +2086,7 @@
+@@ -2069,7 +2082,7 @@
')
files_search_home($2)
@@ -3567,7 +3819,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:file create_file_perms;
')
-@@ -2142,7 +2159,7 @@
+@@ -2142,7 +2155,7 @@
')
files_search_home($2)
@@ -3576,7 +3828,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:lnk_file create_lnk_perms;
')
-@@ -2180,7 +2197,7 @@
+@@ -2180,7 +2193,7 @@
')
files_search_home($2)
@@ -3585,7 +3837,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:fifo_file create_file_perms;
')
-@@ -2218,7 +2235,7 @@
+@@ -2218,7 +2231,7 @@
')
files_search_home($2)
@@ -3594,7 +3846,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:sock_file create_file_perms;
')
-@@ -3977,7 +3994,7 @@
+@@ -3977,7 +3990,7 @@
')
files_search_home($1)
@@ -3603,7 +3855,7 @@
')
########################################
-@@ -3996,7 +4013,7 @@
+@@ -3996,7 +4009,7 @@
type staff_home_dir_t;
')
@@ -3612,7 +3864,7 @@
')
########################################
-@@ -4343,7 +4360,7 @@
+@@ -4343,7 +4356,7 @@
type sysadm_home_dir_t;
')
@@ -3621,7 +3873,7 @@
')
########################################
-@@ -4501,41 +4518,13 @@
+@@ -4501,41 +4514,13 @@
## </param>
#
interface(`userdom_read_sysadm_home_content_files',`
@@ -3639,7 +3891,7 @@
+ type sysadm_home_dir_t, sysadm_home_t;
')
-')
--
+
-########################################
-## <summary>
-## Read files in the sysadm users home directory.
@@ -3655,7 +3907,7 @@
- gen_require(`
- type sysadm_tmp_t;
- ')
-
+-
- files_search_tmp($1)
- allow $1 sysadm_tmp_t:dir list_dir_perms;
- allow $1 sysadm_tmp_t:{ file lnk_file } r_file_perms;
@@ -3668,7 +3920,7 @@
')
########################################
-@@ -4858,7 +4847,7 @@
+@@ -4858,7 +4843,7 @@
type user_home_t;
')
@@ -3677,7 +3929,36 @@
')
########################################
-@@ -5497,3 +5486,254 @@
+@@ -4905,6 +4890,28 @@
+
+ ########################################
+ ## <summary>
++## Create, read, write, and delete
++## subdirectories of generic staff
++## home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_staff_home_content_dirs',`
++ gen_require(`
++ type staff_home_t;
++ ')
++
++ files_search_home($1)
++ allow $1 staff_home_dir_t:dir search_dir_perms;
++ allow $1 staff_home_t:dir create_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Read files in generic user home directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -5497,3 +5504,363 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
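Review bot: `userdom_manage_staff_home_content_dirs` uses `staff_home_dir_t` in its search rule but its `gen_require` only declares `staff_home_t`, so a module calling this interface without `staff_home_dir_t` already in scope will fail to build; the require line should be `type staff_home_dir_t, staff_home_t;`. The summary promises "Create, read, write, and delete subdirectories" while the rule grants `create_dir_perms` on `staff_home_t` dirs, so the wording and the permission set should be checked against each other.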
@@ -3932,9 +4213,118 @@
+')
+
+
++
++
++########################################
++## <summary>
++## Allow user to run as a secadm
++## </summary>
++## <desc>
++## <p>
++## Create objects in a user home directory
++## with an automatic type transition to
++## a specified private type.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The terminal
++## </summary>
++## </param>
++#
++template(`userdom_security_administrator',`
++ allow $1 self:capability { dac_read_search dac_override };
++
++ selinux_set_enforce_mode($1)
++ selinux_set_boolean($1)
++ selinux_set_parameters($1)
++
++ seutil_manage_bin_policy($1)
++ seutil_run_checkpolicy($1,$2,$3)
++ seutil_run_loadpolicy($1,$2,$3)
++ seutil_run_semanage($1,$2,$3)
++ seutil_run_setfiles($1, $2, $3)
++ seutil_run_restorecon($1,$2,$3)
++
++ corecmd_exec_shell($1)
++ consoletype_exec($1)
++
++ dmesg_exec($1)
++
++ domain_obj_id_change_exemption($1)
++
++ files_create_boot_flag($1)
++
++ mls_process_read_up($1)
++ mls_file_read_up($1)
++ mls_file_upgrade($1)
++ mls_file_downgrade($1)
++
++ auth_relabel_all_files_except_shadow($1)
++ auth_relabel_shadow($1)
++
++ dev_relabel_all_dev_nodes($1)
++
++ init_exec($1)
++
++ logging_send_syslog_msg($1)
++ logging_read_audit_log($1)
++ logging_read_generic_logs($1)
++ logging_read_audit_config($1)
++
++ userdom_dontaudit_append_staff_home_content_files($1)
++ userdom_dontaudit_read_sysadm_home_content_files($1)
++
++ optional_policy(`
++ netlabel_run_mgmt($1,$2, $3)
++ ')
++ optional_policy(`
++ aide_run($1,$2, $3)
++ ')
++')
++
++########################################
++## <summary>
++## allow relabel of home type directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_relabel_user_home_content_dirs',`
++ gen_require(`
++ type user_home_dir_t;
++ ')
++
++ files_search_home($1)
++ allow $1 home_type:dir { relabelfrom relabelto };
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-05 13:19:42.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
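Review bot: `userdom_relabel_user_home_content_dirs` requires `user_home_dir_t` but its only rule is `allow $1 home_type:dir { relabelfrom relabelto }`, which never references `user_home_dir_t` and relabels directories of every `home_type`, not just generic user home content as the name and summary suggest; the require should be `attribute home_type;` and the summary should say it covers all home types. The doc block of `userdom_security_administrator` is mismatched with its body: the `<desc>` describes creating objects in a home directory with a type transition, and the `object_class` parameter is summarised as "The terminal" while `$3` is passed as the terminal type set to the `seutil_run_*` calls; the description should say the template grants security-administrator privileges (policy load, setenforce, booleans, shadow and device relabel) and the third parameter should be documented as the terminal types the run interfaces transition through. The `aide_run` optional block also lacks a comment saying why an integrity checker is part of the secadm role.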
@@ -3945,23 +4335,82 @@
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -155,11 +158,15 @@
- init_exec(secadm_t)
- logging_read_audit_log(secadm_t)
- logging_read_generic_logs(secadm_t)
-+ logging_read_audit_config(secadm_t)
- userdom_dontaudit_append_staff_home_content_files(secadm_t)
- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
- optional_policy(`
- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
- ')
-+ optional_policy(`
-+ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
-+ ')
+@@ -141,25 +144,6 @@
+ logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t })
+ userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
+
+- allow secadm_t self:capability { dac_read_search dac_override };
+- corecmd_exec_shell(secadm_t)
+- domain_obj_id_change_exemption(secadm_t)
+- mls_process_read_up(secadm_t)
+- mls_file_read_up(secadm_t)
+- mls_file_write_down(secadm_t)
+- mls_file_upgrade(secadm_t)
+- mls_file_downgrade(secadm_t)
+- auth_relabel_all_files_except_shadow(secadm_t)
+- dev_relabel_all_dev_nodes(secadm_t)
+- auth_relabel_shadow(secadm_t)
+- init_exec(secadm_t)
+- logging_read_audit_log(secadm_t)
+- logging_read_generic_logs(secadm_t)
+- userdom_dontaudit_append_staff_home_content_files(secadm_t)
+- userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+- optional_policy(`
+- netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+- ')
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
-@@ -428,6 +435,9 @@
+@@ -229,7 +213,6 @@
+ consoletype_exec(sysadm_t)
+
+ ifdef(`enable_mls',`
+- consoletype_exec(secadm_t)
+ consoletype_exec(auditadm_t)
+ ')
+ ')
+@@ -248,7 +231,6 @@
+ dmesg_exec(sysadm_t)
+
+ ifdef(`enable_mls',`
+- dmesg_exec(secadm_t)
+ dmesg_exec(auditadm_t)
+ ')
+ ')
+@@ -383,27 +365,12 @@
+ seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+
+ ifdef(`enable_mls',`
+- selinux_set_enforce_mode(secadm_t)
+- selinux_set_boolean(secadm_t)
+- selinux_set_parameters(secadm_t)
+-
+- seutil_manage_bin_policy(secadm_t)
+- seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+- logging_send_syslog_msg(secadm_t)
++ userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
++# tunable_policy(`allow_sysadm_manage_security',`
++ userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
++# ')
+ ', `
+- selinux_set_enforce_mode(sysadm_t)
+- selinux_set_boolean(sysadm_t)
+- selinux_set_parameters(sysadm_t)
+-
+- seutil_manage_bin_policy(sysadm_t)
+- seutil_run_checkpolicy(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_loadpolicy(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_semanage(sysadm_t,sysadm_r,admin_terminal)
+- seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
++ userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
+ ')
+ ')
+
+@@ -428,6 +395,9 @@
')
optional_policy(`
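Review bot: In the `enable_mls` branch `userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)` is now called unconditionally, with the intended `tunable_policy(`allow_sysadm_manage_security'` wrapper left as commented-out lines, so under MLS sysadm_t receives setenforce, policy load and shadow relabel by default and the sysadm/secadm separation that the MLS configuration exists to enforce is collapsed unless an administrator edits the policy. If this is a deliberate interim state the comment should say so, e.g. replace `# tunable_policy(`allow_sysadm_manage_security',`` with `# TODO: gate sysadm_t security admin privileges behind allow_sysadm_manage_security once the tunable exists`. The refactor also appears to drop `mls_file_write_down(secadm_t)`, which the removed block granted and the new template does not; if that reduction is intended it deserves a changelog line, otherwise add it to the template.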
@@ -3973,7 +4422,7 @@
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.6/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.fc 2006-12-05 13:19:42.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
@@ -3984,7 +4433,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2006-12-05 13:19:42.000000000 -0500
@@ -86,8 +86,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
@@ -4076,7 +4525,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.6/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-16 17:15:29.000000000 -0500
-+++ serefpolicy-2.4.6/Rules.modular 2006-11-30 17:03:20.000000000 -0500
++++ serefpolicy-2.4.6/Rules.modular 2006-12-05 13:19:42.000000000 -0500
@@ -219,6 +219,16 @@
########################################
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.358
retrieving revision 1.359
diff -u -r1.358 -r1.359
--- selinux-policy.spec 1 Dec 2006 21:52:08 -0000 1.358
+++ selinux-policy.spec 5 Dec 2006 23:05:39 -0000 1.359
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -180,7 +180,7 @@
# Install devel
make clean
-make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 ${RPM_SOURCE_DIR}/policygentool %{buildroot}%{_usr}/share/selinux/devel/
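Review bot: `POLY=%4` does not look like a valid setting for the devel headers build and `POLY=y` presumably changes what the installed headers declare for polyinstantiation, but the changelog entry in this commit does not mention the build-flag change. A line such as `- Build devel headers with POLY=y` in the changelog would let packagers see why the header set differs between 2.4.6-5 and 2.4.6-6.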
@@ -351,6 +351,12 @@
%endif
%changelog
+* Mon Dec 4 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-6
+- Fix polyinstatiation
+- Fix pcscd handling of terminal
+Resolves: #218149
+Resolves: #218350
+
* Fri Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-5
- More fixes for quota
Resolves: #212957