rpms/selinux-policy/devel modules-mls.conf, 1.22, 1.23 modules-strict.conf, 1.15, 1.16 modules-targeted.conf, 1.40, 1.41 policy-20061106.patch, 1.35, 1.36 selinux-policy.spec, 1.362, 1.363

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Dec 12 21:46:26 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7166

Modified Files:
	modules-mls.conf modules-strict.conf modules-targeted.conf 
	policy-20061106.patch selinux-policy.spec 
Log Message:
* Thu Dec 12 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-10
- Allow initrc to create files in /var directories
Resolves: #219227



Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- modules-mls.conf	30 Nov 2006 20:23:49 -0000	1.22
+++ modules-mls.conf	12 Dec 2006 21:46:24 -0000	1.23
@@ -1022,3 +1022,10 @@
 # PC/SC Smart Card Daemon
 #
 pcscd = module
+
+# Layer: system
+# Module: tzdata
+#
+# Policy for tzdata-update
+# 
+tzdata = base
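Review bot: `tzdata = base` compiles the new module into the base policy, whereas the entry directly above it (`pcscd = module`) is built as a loadable module, and the added comment block does not say why tzdata has to live in base. A base module cannot be removed or replaced on its own, so any later fix to the tzdata-update policy means shipping a new base. The rpm.te change in this same commit wraps `tzdata_domtrans(rpm_script_t)` in `optional_policy`, which suggests the module is treated as optional there. If base is deliberate, record the reason in the header, e.g. `# Built into base: <reason>`. The same applies to the identical additions in modules-strict.conf and modules-targeted.conf, and the targeted hunk also adds three trailing blank lines that can be dropped.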


Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-strict.conf,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- modules-strict.conf	30 Nov 2006 20:23:49 -0000	1.15
+++ modules-strict.conf	12 Dec 2006 21:46:24 -0000	1.16
@@ -1297,3 +1297,10 @@
 # PC/SC Smart Card Daemon
 #
 pcscd = module
+
+# Layer: system
+# Module: tzdata
+#
+# Policy for tzdata-update
+# 
+tzdata = base


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- modules-targeted.conf	30 Nov 2006 20:23:49 -0000	1.40
+++ modules-targeted.conf	12 Dec 2006 21:46:24 -0000	1.41
@@ -1172,3 +1172,12 @@
 #
 pcscd = module
 
+# Layer: system
+# Module: tzdata
+#
+# Policy for tzdata-update
+# 
+tzdata = base
+
+
+

policy-20061106.patch:
 Rules.modular                           |   10 
 policy/flask/access_vectors             |    2 
 policy/global_tunables                  |   40 ++
 policy/mls                              |   31 +
 policy/modules/admin/acct.te            |    1 
 policy/modules/admin/amanda.if          |   17 +
 policy/modules/admin/amanda.te          |    1 
 policy/modules/admin/bootloader.fc      |    5 
 policy/modules/admin/bootloader.te      |    7 
 policy/modules/admin/consoletype.te     |   10 
 policy/modules/admin/dmesg.te           |    1 
 policy/modules/admin/firstboot.if       |    6 
 policy/modules/admin/logwatch.te        |    1 
 policy/modules/admin/netutils.te        |    2 
 policy/modules/admin/prelink.te         |    9 
 policy/modules/admin/quota.fc           |    7 
 policy/modules/admin/quota.te           |   20 -
 policy/modules/admin/rpm.fc             |    3 
 policy/modules/admin/rpm.if             |   24 +
 policy/modules/admin/rpm.te             |   45 +-
 policy/modules/admin/su.if              |   11 
 policy/modules/admin/sudo.if            |    5 
 policy/modules/admin/usermanage.te      |    4 
 policy/modules/apps/gpg.if              |    1 
 policy/modules/apps/java.fc             |    2 
 policy/modules/apps/java.te             |    2 
 policy/modules/apps/loadkeys.if         |   17 -
 policy/modules/apps/slocate.te          |    2 
 policy/modules/kernel/corecommands.fc   |    3 
 policy/modules/kernel/corecommands.if   |   36 ++
 policy/modules/kernel/corenetwork.if.in |   49 +++
 policy/modules/kernel/corenetwork.te.in |   15 
 policy/modules/kernel/corenetwork.te.m4 |    4 
 policy/modules/kernel/devices.fc        |    5 
 policy/modules/kernel/devices.te        |    8 
 policy/modules/kernel/domain.te         |    7 
 policy/modules/kernel/files.if          |  134 ++++++++
 policy/modules/kernel/filesystem.te     |    6 
 policy/modules/kernel/kernel.te         |    2 
 policy/modules/kernel/mls.if            |    8 
 policy/modules/kernel/mls.te            |    6 
 policy/modules/kernel/terminal.fc       |    1 
 policy/modules/kernel/terminal.if       |    2 
 policy/modules/kernel/terminal.te       |    1 
 policy/modules/services/apache.fc       |   10 
 policy/modules/services/apache.te       |   16 -
 policy/modules/services/apm.te          |    1 
 policy/modules/services/automount.te    |    1 
 policy/modules/services/avahi.if        |   21 +
 policy/modules/services/bind.fc         |    1 
 policy/modules/services/clamav.te       |    2 
 policy/modules/services/cron.fc         |    2 
 policy/modules/services/cron.if         |   49 ---
 policy/modules/services/cron.te         |   13 
 policy/modules/services/cups.fc         |    2 
 policy/modules/services/cups.te         |    7 
 policy/modules/services/cvs.te          |    1 
 policy/modules/services/dbus.fc         |    1 
 policy/modules/services/dbus.if         |    1 
 policy/modules/services/ftp.te          |   12 
 policy/modules/services/hal.fc          |    4 
 policy/modules/services/hal.if          |   20 +
 policy/modules/services/hal.te          |    8 
 policy/modules/services/kerberos.if     |    1 
 policy/modules/services/kerberos.te     |   11 
 policy/modules/services/lpd.if          |   52 +--
 policy/modules/services/mta.if          |    1 
 policy/modules/services/mta.te          |    1 
 policy/modules/services/nis.fc          |    1 
 policy/modules/services/nis.if          |    8 
 policy/modules/services/nis.te          |   10 
 policy/modules/services/nscd.if         |   20 +
 policy/modules/services/nscd.te         |   15 
 policy/modules/services/oddjob.te       |    3 
 policy/modules/services/pcscd.fc        |    9 
 policy/modules/services/pcscd.if        |   23 +
 policy/modules/services/pcscd.te        |   69 ++++
 policy/modules/services/pegasus.if      |   31 +
 policy/modules/services/pegasus.te      |    5 
 policy/modules/services/postfix.te      |   13 
 policy/modules/services/procmail.te     |   16 +
 policy/modules/services/rlogin.te       |   10 
 policy/modules/services/rpc.te          |    1 
 policy/modules/services/rsync.te        |    1 
 policy/modules/services/samba.if        |    2 
 policy/modules/services/samba.te        |    8 
 policy/modules/services/sasl.te         |    2 
 policy/modules/services/smartmon.te     |    1 
 policy/modules/services/snmp.te         |    4 
 policy/modules/services/spamassassin.te |    5 
 policy/modules/services/ssh.te          |    7 
 policy/modules/services/telnet.te       |    1 
 policy/modules/services/tftp.te         |    2 
 policy/modules/services/uucp.fc         |    1 
 policy/modules/services/uucp.if         |   67 ++++
 policy/modules/services/uucp.te         |   44 ++
 policy/modules/services/xserver.if      |   40 ++
 policy/modules/system/authlogin.if      |   69 ++++
 policy/modules/system/authlogin.te      |    6 
 policy/modules/system/clock.te          |    8 
 policy/modules/system/fstools.fc        |    1 
 policy/modules/system/fstools.te        |    2 
 policy/modules/system/getty.te          |    3 
 policy/modules/system/hostname.te       |   10 
 policy/modules/system/init.if           |    3 
 policy/modules/system/init.te           |   26 +
 policy/modules/system/iptables.te       |    7 
 policy/modules/system/libraries.fc      |   28 -
 policy/modules/system/libraries.te      |    6 
 policy/modules/system/locallogin.if     |   37 ++
 policy/modules/system/logging.te        |    1 
 policy/modules/system/lvm.fc            |    1 
 policy/modules/system/lvm.te            |   48 ++-
 policy/modules/system/miscfiles.fc      |    1 
 policy/modules/system/miscfiles.if      |   79 +++++
 policy/modules/system/modutils.te       |    5 
 policy/modules/system/mount.te          |   20 -
 policy/modules/system/raid.te           |    7 
 policy/modules/system/selinuxutil.fc    |    1 
 policy/modules/system/selinuxutil.if    |  109 ++++++
 policy/modules/system/selinuxutil.te    |  106 +-----
 policy/modules/system/sysnetwork.te     |    3 
 policy/modules/system/tzdata.fc         |    3 
 policy/modules/system/tzdata.if         |   23 +
 policy/modules/system/tzdata.te         |   28 +
 policy/modules/system/unconfined.fc     |    4 
 policy/modules/system/unconfined.if     |   19 +
 policy/modules/system/unconfined.te     |   19 +
 policy/modules/system/userdomain.if     |  503 ++++++++++++++++++++++++++++----
 policy/modules/system/userdomain.te     |   60 +--
 policy/modules/system/xen.fc            |    1 
 policy/modules/system/xen.te            |   35 ++
 132 files changed, 2065 insertions(+), 447 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- policy-20061106.patch	11 Dec 2006 12:35:45 -0000	1.35
+++ policy-20061106.patch	12 Dec 2006 21:46:24 -0000	1.36
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.6/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2006-11-16 17:15:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/flask/access_vectors	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/flask/access_vectors	2006-12-12 15:19:22.000000000 -0500
 @@ -619,6 +619,8 @@
  	send
  	recv
@@ -12,7 +12,7 @@
  class key
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.6/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/global_tunables	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/global_tunables	2006-12-12 15:19:22.000000000 -0500
 @@ -82,6 +82,14 @@
  
  ## <desc>
@@ -84,9 +84,83 @@
 +## </p>
 +## </desc>
 +gen_tunable(use_lpd_server,false)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.4.6/policy/mls
+--- nsaserefpolicy/policy/mls	2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/mls	2006-12-12 16:40:35.000000000 -0500
+@@ -89,12 +89,14 @@
+ mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+ 	(( l1 eq l2 ) or
+ 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+-	 (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ 	 ( t1 == mlsfilewrite ) or
++	 (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ 	 ( t2 == mlstrustedobject ));
+ 
++# Directory "write" ops
+ mlsconstrain dir { add_name remove_name reparent rmdir }
+-	((( l1 dom l2 ) and ( l1 domby h2 )) or
++	(( l1 eq l2 ) or
++	 (( t1 == mlsfilewriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ 	 ( t1 == mlsfilewrite ) or
+ 	 ( t2 == mlstrustedobject ));
+@@ -165,8 +167,20 @@
+ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+ 	( h1 dom h2 );
+ 
++# the socket "read+write" ops
++# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
++# require equal levels for unprivileged subjects, or read *and* write overrides)
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
++	(( l1 eq l2 ) or
++	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
++	   ( t1 == mlsnetread )) and
++	  ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
++	   (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
++	   ( t1 == mlsnetwrite ))));
++
++
+ # the socket "read" ops (note the check is dominance of the low level)
+-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen getopt recv_msg }
+ 	(( l1 dom l2 ) or
+ 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ 	 ( t1 == mlsnetread ));
+@@ -177,8 +191,9 @@
+ 	 ( t1 == mlsnetread ));
+ 
+ # the socket "write" ops
+-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+-	((( l1 dom l2 ) and ( l1 domby h2 )) or
++mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom setopt shutdown }
++	(( l1 eq l2 ) or 
++	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ 	 ( t1 == mlsnetwrite ));
+ 
+@@ -274,7 +289,8 @@
+ 
+ # the netif/node "write" ops (implicit single level socket doing the write)
+ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+-	(( l1 dom l2 ) and ( l1 domby h2 ));
++	(( l1 eq l2 ) or
++	(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
+ 
+ # these access vectors have no MLS restrictions
+ # node enforce_dest
+@@ -581,7 +597,8 @@
+ 	 ( t2 == unlabeled_t ));
+ 
+ mlsconstrain association { sendto }
+-	((( l1 dom l2 ) and ( l1 domby h2 )) or
++	(( l1 eq l2 ) or
++	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ 	 ( t2 == unlabeled_t ));
+ 
+ mlsconstrain association { polmatch }
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.6/policy/modules/admin/acct.te
 --- nsaserefpolicy/policy/modules/admin/acct.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/acct.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/acct.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,6 +9,7 @@
  type acct_t;
  type acct_exec_t;
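Review bot: The within-range exemption in the added policy/mls section is keyed on the object for `write` but on the subject for directory entry changes. The file-class constraint (whose class list includes `dir`) accepts `t2 == mlsrangedobject`, while the new `dir { add_name remove_name reparent rmdir }` constraint accepts only `t1 == mlsfilewriteranged`. Because the old clause `(( l1 dom l2 ) and ( l1 domby h2 ))` is removed, a subject without that attribute now needs `l1 eq l2` to add or remove entries, even in a directory typed as a ranged object. This looks like intended tightening, but nothing in the hunk says so; I would extend the new comment, e.g. `# Directory "write" ops: within-range access needs mlsfilewriteranged on the subject; mlsrangedobject alone is not enough`. The same unannounced move from within-range to equal-level applies to the socket, netif/node and association `sendto` constraints further down, so the domains meant to carry mlsnetwriteranged should be checked for MLS denials before release.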
@@ -97,7 +171,7 @@
  logging_log_file(acct_data_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.4.6/policy/modules/admin/amanda.if
 --- nsaserefpolicy/policy/modules/admin/amanda.if	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.if	2006-12-12 15:19:22.000000000 -0500
 @@ -127,4 +127,21 @@
  	allow $1 amanda_log_t:file ra_file_perms;
  ')
@@ -122,7 +196,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.6/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te	2006-12-12 15:19:22.000000000 -0500
 @@ -75,6 +75,7 @@
  allow amanda_t self:unix_dgram_socket create_socket_perms;
  allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -131,10 +205,35 @@
  
  # access to amanda_amandates_t
  allow amanda_t amanda_amandates_t:file { getattr lock read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.4.6/policy/modules/admin/bootloader.fc
+--- nsaserefpolicy/policy/modules/admin/bootloader.fc	2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.fc	2006-12-12 15:19:22.000000000 -0500
+@@ -2,11 +2,6 @@
+ /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+ /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+ 
+-/etc/mkinitrd/scripts/.* --	gen_context(system_u:object_r:bootloader_exec_t,s0)
+-
+-/usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+-
+ /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+ /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.4.6/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te	2006-12-05 13:19:41.000000000 -0500
-@@ -218,3 +218,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/bootloader.te	2006-12-12 15:19:22.000000000 -0500
+@@ -163,9 +163,6 @@
+ 	# new file system defaults to file_t, granting file_t access is still bad.
+ 	allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
+ 
+-	# mkinitrd mount initrd on bootloader temp dir
+-	files_mountpoint(bootloader_tmp_t)
+-
+ 	# new file system defaults to file_t, granting file_t access is still bad.
+ 	files_manage_isid_type_dirs(bootloader_t)
+ 	files_manage_isid_type_files(bootloader_t)
+@@ -218,3 +215,7 @@
  	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
  	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
  ')
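Review bot: Dropping the three mkinitrd entries from bootloader.fc (`/etc/mkinitrd/scripts/.*`, `/usr/sbin/mkinitrd`, `/sbin/mkinitrd`) changes only the file-context database. Files already on disk keep the bootloader_exec_t label until they are relabelled, so upgraded systems would presumably still treat mkinitrd as a bootloader entry point while fresh installs would not. No replacement context for these paths is visible in this hunk, so I assume they fall back to whatever generic pattern matches them; that is worth confirming. If the spec does not already relabel changed contexts, add a `restorecon` on those paths in the package scriptlet. The bootloader.te section, where `files_mountpoint(bootloader_tmp_t)` is removed, continues outside this hunk.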
@@ -144,7 +243,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.6/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/consoletype.te	2006-12-12 15:19:22.000000000 -0500
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -178,7 +277,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.6/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/dmesg.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/dmesg.te	2006-12-12 15:19:22.000000000 -0500
 @@ -10,6 +10,7 @@
  	type dmesg_t;
  	type dmesg_exec_t;
@@ -189,7 +288,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-2.4.6/policy/modules/admin/firstboot.if
 --- nsaserefpolicy/policy/modules/admin/firstboot.if	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/firstboot.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/firstboot.if	2006-12-12 15:19:22.000000000 -0500
 @@ -96,7 +96,7 @@
  
  ########################################
@@ -214,7 +313,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.6/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te	2006-12-12 15:19:22.000000000 -0500
 @@ -53,6 +53,7 @@
  corecmd_exec_ls(logwatch_t)
  
@@ -225,7 +324,7 @@
  domain_read_all_domains_state(logwatch_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.6/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/netutils.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/netutils.te	2006-12-12 15:19:22.000000000 -0500
 @@ -18,10 +18,12 @@
  type ping_exec_t;
  init_system_domain(ping_t,ping_exec_t)
@@ -241,7 +340,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.6/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/prelink.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/prelink.te	2006-12-12 15:19:22.000000000 -0500
 @@ -57,6 +57,7 @@
  files_write_non_security_dirs(prelink_t)
  files_read_etc_files(prelink_t)
@@ -270,7 +369,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.fc serefpolicy-2.4.6/policy/modules/admin/quota.fc
 --- nsaserefpolicy/policy/modules/admin/quota.fc	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/quota.fc	2006-12-05 17:18:21.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/quota.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -7,8 +7,13 @@
  /sbin/convertquota		--	gen_context(system_u:object_r:quota_exec_t,s0)
  ')
@@ -288,7 +387,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-2.4.6/policy/modules/admin/quota.te
 --- nsaserefpolicy/policy/modules/admin/quota.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/quota.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/quota.te	2006-12-12 15:19:22.000000000 -0500
 @@ -21,15 +21,18 @@
  allow quota_t self:process signal_perms;
  
@@ -331,7 +430,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.6/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -21,6 +21,9 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -344,7 +443,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.6/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.if	2006-12-12 15:19:22.000000000 -0500
 @@ -278,3 +278,27 @@
  	dontaudit $1 rpm_var_lib_t:file create_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
@@ -375,7 +474,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.6/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -410,7 +509,18 @@
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-@@ -368,31 +381,3 @@
+@@ -356,6 +369,10 @@
+ ')
+ 
+ optional_policy(`
++	tzdata_domtrans(rpm_script_t)
++')
++
++optional_policy(`
+ 	bootloader_domtrans(rpm_script_t)
+ ')
+ 
+@@ -368,31 +385,3 @@
  	usermanage_domtrans_useradd(rpm_script_t)
  ')
  
@@ -444,7 +554,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-2.4.6/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/sudo.if	2006-12-07 09:41:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/sudo.if	2006-12-12 15:19:22.000000000 -0500
 @@ -71,6 +71,7 @@
  	allow $1_sudo_t self:unix_dgram_socket sendto;
  	allow $1_sudo_t self:unix_stream_socket connectto;
@@ -468,7 +578,7 @@
  	domain_sigchld_interactive_fds($1_sudo_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.4.6/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/su.if	2006-12-07 09:42:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/su.if	2006-12-12 15:19:22.000000000 -0500
 @@ -180,6 +180,7 @@
  	allow $1_su_t self:process { setexec setsched setrlimit };
  	allow $1_su_t self:fifo_file rw_file_perms;
@@ -531,7 +641,7 @@
  #		file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te	2006-12-07 09:59:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te	2006-12-12 15:19:22.000000000 -0500
 @@ -112,6 +112,7 @@
  files_manage_etc_files(chfn_t)
  files_read_etc_runtime_files(chfn_t)
@@ -559,7 +669,7 @@
  allow useradd_t self:fd use;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-2.4.6/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/gpg.if	2006-12-07 09:49:55.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gpg.if	2006-12-12 15:19:22.000000000 -0500
 @@ -87,6 +87,7 @@
  	allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
  	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
@@ -570,7 +680,7 @@
  	domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.6/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/java.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/java.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -1,7 +1,7 @@
  #
  # /opt
@@ -582,7 +692,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.4.6/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/java.te	2006-12-05 14:54:18.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/java.te	2006-12-12 15:19:22.000000000 -0500
 @@ -20,4 +20,6 @@
  	allow java_t self:process { execstack execmem execheap };
  	unconfined_domain_noaudit(java_t)
@@ -592,7 +702,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-2.4.6/policy/modules/apps/loadkeys.if
 --- nsaserefpolicy/policy/modules/apps/loadkeys.if	2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/loadkeys.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/loadkeys.if	2006-12-12 15:19:22.000000000 -0500
 @@ -50,18 +50,13 @@
  ## <rolecap/>
  #
@@ -620,7 +730,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.4.6/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te	2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/slocate.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/slocate.te	2006-12-12 15:19:22.000000000 -0500
 @@ -39,6 +39,8 @@
  
  files_list_all(locate_t)
@@ -632,7 +742,7 @@
  # mls Higher level directories will be refused, so dontaudit
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc	2006-12-05 16:42:25.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -73,6 +73,7 @@
  
  ifdef(`targeted_policy',`
@@ -649,7 +759,7 @@
 +/etc/security/namespace.init    --      gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.6/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if	2006-12-07 09:40:13.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if	2006-12-12 15:19:22.000000000 -0500
 @@ -928,7 +928,19 @@
  		type bin_t, sbin_t;
  	')
@@ -714,7 +824,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in	2006-12-05 15:10:09.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in	2006-12-12 15:19:22.000000000 -0500
 @@ -998,9 +998,11 @@
  interface(`corenet_tcp_sendrecv_reserved_port',`
  	gen_require(`
@@ -837,7 +947,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.in	2006-12-12 15:19:22.000000000 -0500
 @@ -43,11 +43,16 @@
  sid port gen_context(system_u:object_r:port_t,s0)
  
@@ -880,7 +990,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4 serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.m4
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.m4	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.m4	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.te.m4	2006-12-12 15:19:22.000000000 -0500
 @@ -55,8 +55,8 @@
  define(`declare_ports',`dnl
  ifelse(eval($3 < 1024),1,`
@@ -894,7 +1004,7 @@
  ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.6/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -20,11 +20,13 @@
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
  /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
@@ -928,7 +1038,7 @@
  /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.4.6/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/devices.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/devices.te	2006-12-12 16:39:31.000000000 -0500
 @@ -27,6 +27,12 @@
  dev_node(agp_device_t)
  
@@ -942,9 +1052,18 @@
  # Type for /dev/apm_bios
  #
  type apm_bios_t;
+@@ -119,7 +125,7 @@
+ 
+ type printer_device_t;
+ dev_node(printer_device_t)
+-mls_file_write_within_range(printer_device_t)
++mls_file_writable_within_range(printer_device_t)
+ 
+ #
+ # random_device_t is the type of /dev/random
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.6/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/domain.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/domain.te	2006-12-12 15:19:22.000000000 -0500
 @@ -144,3 +144,10 @@
  
  # act on all domains keys
@@ -958,7 +1077,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.6/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.if	2006-12-06 18:02:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/files.if	2006-12-12 15:19:22.000000000 -0500
 @@ -353,8 +353,7 @@
  
  ########################################
@@ -1025,7 +1144,32 @@
  ##	Do not audit attempts to get the attributes
  ##	of non security symbolic links.
  ## </summary>
-@@ -4471,14 +4505,16 @@
+@@ -3543,6 +3577,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow attempts to write to /var.dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_write_var_dirs',`
++	gen_require(`
++		type var_t;
++	')
++
++	allow $1 var_t:dir write;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to search
+ ##	the contents of /var.
+ ## </summary>
+@@ -4471,14 +4523,16 @@
  		type poly_t;
  	')
  
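Review bot: The doc block added for `files_write_var_dirs` does not match the rule it documents: the parameter text reads `Domain to not audit.` although the body is an `allow`, and `/var.dirs` in the summary looks like a typo. I would change those two lines to `##	Allow the specified domain to write to directories labeled var_t.` and `##	Domain allowed access.`. Separately, `allow $1 var_t:dir write;` grants `write` only, and creating an entry in a directory also needs `add_name` and `search` on it. Unless the calling domain already gets those from another interface (its policy is not in this hunk), this rule alone will not cover the changelog's "create files in /var directories". If it is widened, keep it to the directory permissions the caller actually needs, since `var_t` labels a broad set of directories.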
@@ -1044,7 +1188,7 @@
  
  	# Need to give access to the polyinstantiated subdirectories
  	allow $1 polymember:dir search_dir_perms;
-@@ -4491,11 +4527,13 @@
+@@ -4491,11 +4545,13 @@
  	allow $1 self:process setfscreate;
  	allow $1 polymember: dir { create setattr relabelto };
  	allow $1 polydir: dir { write add_name };
@@ -1059,7 +1203,7 @@
  ')
  
  ########################################
-@@ -4559,3 +4597,69 @@
+@@ -4559,3 +4615,69 @@
  
  	typealias etc_runtime_t alias $1;
  ')
@@ -1131,7 +1275,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.6/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te	2006-12-12 15:19:22.000000000 -0500
 @@ -21,9 +21,11 @@
  
  # Use xattrs for the following filesystem types.
@@ -1161,7 +1305,7 @@
 +fs_associate_noxattr(noxattrfs)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.4.6/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/kernel.te	2006-12-06 12:57:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/kernel.te	2006-12-12 15:19:22.000000000 -0500
 @@ -138,6 +138,8 @@
  type unlabeled_t;
  sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -1171,9 +1315,67 @@
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
  sid file_labels		gen_context(system_u:object_r:unlabeled_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.4.6/policy/modules/kernel/mls.if
+--- nsaserefpolicy/policy/modules/kernel/mls.if	2006-11-16 17:15:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/mls.if	2006-12-12 16:39:31.000000000 -0500
+@@ -100,16 +100,16 @@
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Object domain granting ranged access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`mls_file_write_within_range',`
++interface(`mls_file_writable_within_range',`
+ 	gen_require(`
+-		attribute mlsfilewriteinrange;
++		attribute mlsrangedobject;
+ 	')
+ 
+-	typeattribute $1 mlsfilewriteinrange;
++	typeattribute $1 mlsrangedobject;
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.4.6/policy/modules/kernel/mls.te
+--- nsaserefpolicy/policy/modules/kernel/mls.te	2006-11-16 17:15:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/mls.te	2006-12-12 16:40:02.000000000 -0500
+@@ -6,11 +6,12 @@
+ # Declarations
+ #
+ 
++# Subject attributes that give MLS override capabilities
+ attribute mlsfileread;
+ attribute mlsfilereadtoclr;
+ attribute mlsfilewrite;
+ attribute mlsfilewritetoclr;
+-attribute mlsfilewriteinrange;
++attribute mlsfilewriteranged;
+ attribute mlsfileupgrade;
+ attribute mlsfiledowngrade;
+ 
+@@ -18,6 +19,7 @@
+ attribute mlsnetreadtoclr;
+ attribute mlsnetwrite;
+ attribute mlsnetwritetoclr;
++attribute mlsnetwriteranged;
+ attribute mlsnetupgrade;
+ attribute mlsnetdowngrade;
+ attribute mlsnetrecvall;
+@@ -43,6 +45,8 @@
+ attribute mlsxwinwritecolormap;
+ attribute mlsxwinwritexinput;
+ 
++# Object attributes that allow MLS overrides for access by all subjects
++attribute mlsrangedobject;
+ attribute mlstrustedobject;
+ 
+ attribute privrangetrans;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.4.6/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -11,6 +11,7 @@
  /dev/ircomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
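Review bot: `mls_file_write_within_range` and the `mlsfilewriteinrange` attribute are removed outright in the mls.if and mls.te sections added here, with no compatibility alias, so any module or MLS constraint still using either name will fail to build; the only call site visibly updated is the `printer_device_t` line in the devices.te hunk above. The interface also changes meaning, from tagging a subject to tagging an object with `mlsrangedobject`, which the new mls.te comment describes as allowing MLS overrides for access by all subjects. Each type passed to it should therefore be re-audited as an object rather than renamed mechanically. `mlsfilewriteranged` and `mlsnetwriteranged` are declared, but the visible mls.if hunk adds no interface that assigns them; if the constraint definitions (not part of this hunk) reference them, a matching interface is needed. In the doc block, `<param name="domain">` now describes an object type, so `<param name="type">` would agree with the new description text.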
@@ -1184,7 +1386,7 @@
  /dev/tty			-c	gen_context(system_u:object_r:devtty_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.4.6/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.if	2006-12-12 15:19:22.000000000 -0500
 @@ -636,6 +636,8 @@
  		attribute ptynode;
  	')
@@ -1196,7 +1398,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.6/policy/modules/kernel/terminal.te
 --- nsaserefpolicy/policy/modules/kernel/terminal.te	2006-11-29 09:27:46.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/terminal.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/terminal.te	2006-12-12 15:19:22.000000000 -0500
 @@ -28,6 +28,7 @@
  type devpts_t;
  files_mountpoint(devpts_t)
@@ -1207,7 +1409,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.6/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apache.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -45,6 +45,7 @@
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -1231,7 +1433,7 @@
 +/opt/fortitude/run(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.6/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apache.te	2006-12-12 15:19:22.000000000 -0500
 @@ -143,6 +143,8 @@
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -1300,7 +1502,7 @@
  ifdef(`targeted_policy',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.4.6/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apm.te	2006-12-05 15:23:11.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apm.te	2006-12-12 15:19:22.000000000 -0500
 @@ -195,7 +195,6 @@
  
  optional_policy(`
@@ -1311,7 +1513,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.6/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/automount.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/automount.te	2006-12-12 15:19:22.000000000 -0500
 @@ -76,6 +76,7 @@
  files_mounton_all_mountpoints(automount_t)
  files_mount_all_file_type_fs(automount_t)
@@ -1322,7 +1524,7 @@
  fs_unmount_all_fs(automount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-2.4.6/policy/modules/services/avahi.if
 --- nsaserefpolicy/policy/modules/services/avahi.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/avahi.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/avahi.if	2006-12-12 15:19:22.000000000 -0500
 @@ -20,3 +20,24 @@
  	allow $1 avahi_t:dbus send_msg;
  	allow avahi_t $1:dbus send_msg;
@@ -1350,7 +1552,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-2.4.6/policy/modules/services/bind.fc
 --- nsaserefpolicy/policy/modules/services/bind.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/bind.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/bind.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -29,6 +29,7 @@
  
  ifdef(`distro_redhat',`
@@ -1361,7 +1563,7 @@
  /var/named(/.*)?		gen_context(system_u:object_r:named_zone_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.4.6/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/clamav.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/clamav.te	2006-12-12 15:19:22.000000000 -0500
 @@ -86,6 +86,8 @@
  
  kernel_dontaudit_list_proc(clamd_t)
@@ -1373,7 +1575,7 @@
  corenet_tcp_sendrecv_all_nodes(clamd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.4.6/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.fc	2006-12-05 14:48:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -5,7 +5,7 @@
  /usr/bin/at			--	gen_context(system_u:object_r:crontab_exec_t,s0)
  /usr/bin/(f)?crontab		--	gen_context(system_u:object_r:crontab_exec_t,s0)
@@ -1385,7 +1587,7 @@
  /usr/sbin/fcron			--	gen_context(system_u:object_r:crond_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.6/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.if	2006-12-05 15:21:35.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.if	2006-12-12 15:19:22.000000000 -0500
 @@ -54,9 +54,6 @@
  	domain_entry_file($1_crontab_t,crontab_exec_t)
  	role $3 types $1_crontab_t;
@@ -1491,7 +1693,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.te	2006-12-05 16:46:56.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.te	2006-12-12 15:19:22.000000000 -0500
 @@ -11,9 +11,6 @@
  #
  attribute cron_spool_type;
@@ -1543,7 +1745,7 @@
  	allow crond_t system_crond_tmp_t:file create_file_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.6/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cups.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -23,7 +23,7 @@
  
  /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -1555,7 +1757,7 @@
  /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.6/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cups.te	2006-12-12 15:19:22.000000000 -0500
 @@ -118,6 +118,8 @@
  allow cupsd_t cupsd_tmp_t:file create_file_perms;
  allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
@@ -1593,7 +1795,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.6/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cvs.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cvs.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,6 +9,7 @@
  type cvs_t;
  type cvs_exec_t;
@@ -1604,7 +1806,7 @@
  type cvs_data_t; # customizable
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.4.6/policy/modules/services/dbus.fc
 --- nsaserefpolicy/policy/modules/services/dbus.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dbus.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/dbus.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -4,3 +4,4 @@
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
  /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
@@ -1612,7 +1814,7 @@
 +/var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.6/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/dbus.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/dbus.if	2006-12-12 15:19:22.000000000 -0500
 @@ -123,6 +123,7 @@
  	selinux_compute_relabel_context($1_dbusd_t)
  	selinux_compute_user_contexts($1_dbusd_t)
@@ -1623,7 +1825,7 @@
  	corecmd_read_bin_files($1_dbusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.4.6/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ftp.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ftp.te	2006-12-12 15:19:22.000000000 -0500
 @@ -103,6 +103,7 @@
  corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -1670,7 +1872,7 @@
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.4.6/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/hal.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -7,3 +7,7 @@
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
  
@@ -1681,7 +1883,7 @@
 +/var/run/haldaemon.pid	-- 		gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.4.6/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/hal.if	2006-12-12 15:19:22.000000000 -0500
 @@ -157,3 +157,23 @@
  	files_search_pids($1)
  	allow $1 hald_var_run_t:file rw_file_perms;
@@ -1708,7 +1910,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.6/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/hal.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/hal.te	2006-12-12 15:19:22.000000000 -0500
 @@ -16,6 +16,9 @@
  type hald_var_run_t;
  files_pid_file(hald_var_run_t)
@@ -1733,7 +1935,7 @@
  files_pid_filetrans(hald_t,hald_var_run_t,file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.4.6/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.if	2006-12-12 15:19:22.000000000 -0500
 @@ -57,6 +57,7 @@
  		corenet_udp_bind_all_nodes($1)
  		corenet_tcp_connect_kerberos_port($1)
@@ -1744,7 +1946,7 @@
  		sysnet_dns_name_resolve($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.4.6/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.te	2006-12-12 15:19:22.000000000 -0500
 @@ -156,14 +156,21 @@
  # Use capabilities. Surplus capabilities may be allowed.
  allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
@@ -1771,7 +1973,7 @@
  allow krb5kdc_t krb5kdc_conf_t:dir search;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.6/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/lpd.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/lpd.if	2006-12-12 15:19:22.000000000 -0500
 @@ -64,33 +64,35 @@
  	allow $1_lpr_t self:udp_socket create_socket_perms;
  	allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -1835,7 +2037,7 @@
  	# Transition from the user domain to the derived domain.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.6/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/mta.if	2006-12-12 15:19:22.000000000 -0500
 @@ -820,6 +820,7 @@
  		type mqueue_spool_t;
  	')
@@ -1846,7 +2048,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.6/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/mta.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/mta.te	2006-12-12 15:19:22.000000000 -0500
 @@ -27,6 +27,7 @@
  
  type sendmail_exec_t;
@@ -1857,7 +2059,7 @@
  role system_r types system_mail_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-2.4.6/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.fc	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nis.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -8,3 +8,4 @@
  /usr/sbin/ypserv	--	gen_context(system_u:object_r:ypserv_exec_t,s0)
  
@@ -1865,7 +2067,7 @@
 +/usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.4.6/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.if	2006-12-05 15:14:12.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nis.if	2006-12-12 15:19:22.000000000 -0500
 @@ -52,10 +52,13 @@
  	corenet_udp_bind_reserved_port($1)
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
@@ -1903,7 +2105,7 @@
  	allow ypxfr_t $1:process sigchld;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.4.6/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nis.te	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nis.te	2006-12-12 15:19:22.000000000 -0500
 @@ -329,6 +329,12 @@
  # ypxfr local policy
  #
@@ -1928,7 +2130,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.6/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nscd.if	2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nscd.if	2006-12-12 15:19:22.000000000 -0500
 @@ -181,3 +181,23 @@
  
  	allow $1 nscd_t:nscd *;
@@ -1955,7 +2157,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.6/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/nscd.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/nscd.te	2006-12-12 15:19:22.000000000 -0500
 @@ -35,7 +35,6 @@
  allow nscd_t self:unix_stream_socket create_stream_socket_perms;
  allow nscd_t self:unix_dgram_socket create_socket_perms;
@@ -2007,7 +2209,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.6/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/oddjob.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/oddjob.te	2006-12-12 15:19:22.000000000 -0500
 @@ -10,6 +10,7 @@
  type oddjob_exec_t;
  domain_type(oddjob_t)
@@ -2027,7 +2229,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.fc serefpolicy-2.4.6/policy/modules/services/pcscd.fc
 --- nsaserefpolicy/policy/modules/services/pcscd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -0,0 +1,9 @@
 +# pcscd executable will have:
 +# label: system_u:object_r:pcscd_exec_t
@@ -2040,7 +2242,7 @@
 +/var/run/pcscd\.comm	-s	gen_context(system_u:object_r:pcscd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-2.4.6/policy/modules/services/pcscd.if
 --- nsaserefpolicy/policy/modules/services/pcscd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.if	2006-12-12 15:19:22.000000000 -0500
 @@ -0,0 +1,23 @@
 +## <summary>policy for pcscd</summary>
 +
@@ -2067,7 +2269,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-2.4.6/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pcscd.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pcscd.te	2006-12-12 15:19:22.000000000 -0500
 @@ -0,0 +1,69 @@
 +policy_module(pcscd,1.0.0)
 +
@@ -2140,7 +2342,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.6/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pegasus.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pegasus.if	2006-12-12 15:19:22.000000000 -0500
 @@ -1 +1,32 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 +
@@ -2176,7 +2378,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.6/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/pegasus.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/pegasus.te	2006-12-12 15:19:22.000000000 -0500
 @@ -100,13 +100,12 @@
  
  auth_use_nsswitch(pegasus_t)
@@ -2195,7 +2397,7 @@
  hostname_exec(pegasus_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.4.6/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/postfix.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/postfix.te	2006-12-12 15:19:22.000000000 -0500
 @@ -382,6 +382,10 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
@@ -2235,7 +2437,7 @@
  # Postfix smtpd local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.6/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/procmail.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/procmail.te	2006-12-12 15:19:22.000000000 -0500
 @@ -10,6 +10,7 @@
  type procmail_exec_t;
  domain_type(procmail_t)
@@ -2268,7 +2470,7 @@
  userdom_dontaudit_search_staff_home_dirs(procmail_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.4.6/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rlogin.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rlogin.te	2006-12-12 15:19:22.000000000 -0500
 @@ -62,6 +62,7 @@
  dev_read_urand(rlogind_t)
  
@@ -2298,7 +2500,7 @@
  ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.4.6/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rpc.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rpc.te	2006-12-12 15:19:22.000000000 -0500
 @@ -121,6 +121,7 @@
  #
  
@@ -2309,7 +2511,7 @@
  allow gssd_t gssd_tmp_t:dir create_dir_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.6/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/rsync.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/rsync.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,6 +9,7 @@
  type rsync_t;
  type rsync_exec_t;
@@ -2320,7 +2522,7 @@
  type rsync_data_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.4.6/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/samba.if	2006-12-12 15:19:22.000000000 -0500
 @@ -140,6 +140,7 @@
  	')
  
@@ -2339,7 +2541,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/samba.te	2006-12-12 15:19:22.000000000 -0500
 @@ -349,7 +349,7 @@
  allow nmbd_t samba_etc_t:file { getattr read };
  
@@ -2378,7 +2580,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.6/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/sasl.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/sasl.te	2006-12-12 15:19:22.000000000 -0500
 @@ -47,6 +47,8 @@
  fs_getattr_all_fs(saslauthd_t)
  fs_search_auto_mountpoints(saslauthd_t)
@@ -2390,7 +2592,7 @@
  auth_domtrans_chk_passwd(saslauthd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.4.6/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/smartmon.te	2006-12-05 14:22:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/smartmon.te	2006-12-12 15:19:22.000000000 -0500
 @@ -61,6 +61,7 @@
  fs_search_auto_mountpoints(fsdaemon_t)
  
@@ -2401,7 +2603,7 @@
  storage_raw_write_fixed_disk(fsdaemon_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.6/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/snmp.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/snmp.te	2006-12-12 15:19:22.000000000 -0500
 @@ -77,6 +77,7 @@
  dev_read_sysfs(snmpd_t)
  dev_read_urand(snmpd_t)
@@ -2424,7 +2626,7 @@
  storage_dontaudit_read_fixed_disk(snmpd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.6/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te	2006-12-12 15:19:22.000000000 -0500
 @@ -8,7 +8,7 @@
  
  # spamassassin client executable
@@ -2453,7 +2655,7 @@
  corenet_sendrecv_generic_server_packets(spamd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.6/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ssh.te	2006-12-06 12:13:01.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ssh.te	2006-12-12 15:19:22.000000000 -0500
 @@ -10,7 +10,7 @@
  
  # ssh client executable.
@@ -2491,7 +2693,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.4.6/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/telnet.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/telnet.te	2006-12-12 15:19:22.000000000 -0500
 @@ -32,6 +32,7 @@
  allow telnetd_t self:udp_socket create_socket_perms;
  # for identd; cjp: this should probably only be inetd_child rules?
@@ -2502,7 +2704,7 @@
  allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.4.6/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/tftp.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/tftp.te	2006-12-12 15:19:22.000000000 -0500
 @@ -54,6 +54,8 @@
  
  dev_read_sysfs(tftpd_t)
@@ -2514,7 +2716,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-2.4.6/policy/modules/services/uucp.fc
 --- nsaserefpolicy/policy/modules/services/uucp.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/uucp.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/uucp.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -1,5 +1,6 @@
  
  /usr/sbin/uucico	--	gen_context(system_u:object_r:uucpd_exec_t,s0)
@@ -2524,7 +2726,7 @@
  /var/spool/uucppublic(/.*)?	gen_context(system_u:object_r:uucpd_spool_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-2.4.6/policy/modules/services/uucp.if
 --- nsaserefpolicy/policy/modules/services/uucp.if	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/uucp.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/uucp.if	2006-12-12 15:19:22.000000000 -0500
 @@ -1 +1,68 @@
  ## <summary>Unix to Unix Copy</summary>
 +
@@ -2596,7 +2798,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-2.4.6/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/uucp.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/uucp.te	2006-12-12 15:19:22.000000000 -0500
 @@ -10,6 +10,12 @@
  inetd_tcp_service_domain(uucpd_t,uucpd_exec_t)
  role system_r types uucpd_t;
@@ -2661,7 +2863,7 @@
 +logging_search_logs(uux_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.6/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/xserver.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/xserver.if	2006-12-12 15:19:22.000000000 -0500
 @@ -906,10 +906,12 @@
  
  	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -2719,7 +2921,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if	2006-12-06 17:48:50.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if	2006-12-12 15:19:22.000000000 -0500
 @@ -190,6 +190,9 @@
  ## </param>
  #
@@ -2830,7 +3032,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.6/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.te	2006-12-06 12:10:33.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,6 +9,7 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -2874,7 +3076,7 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.4.6/policy/modules/system/clock.te
 --- nsaserefpolicy/policy/modules/system/clock.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/clock.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/clock.te	2006-12-12 15:19:22.000000000 -0500
 @@ -25,16 +25,16 @@
  dontaudit hwclock_t self:capability sys_tty_config;
  allow hwclock_t self:process signal_perms;
@@ -2898,7 +3100,7 @@
  dev_rw_realtime_clock(hwclock_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.4.6/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/fstools.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/fstools.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -19,7 +19,6 @@
  /sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -2909,7 +3111,7 @@
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.6/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/fstools.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/fstools.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,7 +9,7 @@
  type fsadm_t;
  type fsadm_exec_t;
@@ -2921,7 +3123,7 @@
  type fsadm_log_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.6/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/getty.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/getty.te	2006-12-12 15:19:22.000000000 -0500
 @@ -33,7 +33,8 @@
  #
  
@@ -2934,7 +3136,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.6/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/hostname.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/hostname.te	2006-12-12 15:19:22.000000000 -0500
 @@ -8,8 +8,12 @@
  
  type hostname_t;
@@ -2957,9 +3159,27 @@
 +optional_policy(`
 +	xen_append_log(hostname_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.4.6/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2006-11-16 17:15:24.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/init.if	2006-12-12 15:19:22.000000000 -0500
+@@ -221,11 +221,14 @@
+ 	gen_require(`
+ 		type initrc_t;
+ 		role system_r;
++		attribute daemon;
+ 	')
+ 
+ 	domain_type($1)
+ 	domain_entry_file($1,$2)
+ 
++	typeattribute $1 daemon;
++
+ 	role system_r types $1;
+ 
+ 	domain_auto_trans(initrc_t,$2,$1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.6/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.te	2006-12-05 14:16:30.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/init.te	2006-12-12 15:19:22.000000000 -0500
 @@ -189,7 +189,7 @@
  # Init script local policy
  #
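Review bot: The new `typeattribute $1 daemon;` in the init.if interface at line 221 carries no comment saying what membership in `daemon` grants, and the rules keyed on that attribute sit in a different file (init.te, under the `allow_daemons_use_tty` and `allow_daemons_dump_core` tunables). A line such as `# daemon attribute: subject to the allow_daemons_* tunables in init.te` above it would show callers that every domain they declare through this interface is opted into those rules. The interface name and its doc block are outside the hunk, so the set of affected callers cannot be confirmed from here.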
@@ -2979,7 +3199,16 @@
  can_exec(initrc_t,initrc_exec_t)
  
  allow initrc_t initrc_state_t:dir manage_dir_perms;
-@@ -347,7 +350,11 @@
+@@ -335,6 +338,8 @@
+ files_mounton_isid_type_dirs(initrc_t)
+ files_list_default(initrc_t)
+ files_mounton_default(initrc_t)
++# Needs to cp localtime to /var dirs
++files_write_var_dirs(initrc_t)
+ 
+ libs_rw_ld_so_cache(initrc_t)
+ libs_use_ld_so(initrc_t)
+@@ -347,7 +352,11 @@
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
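Review bot: `files_write_var_dirs(initrc_t)` is justified only by `# Needs to cp localtime to /var dirs`, which names neither the directories nor the init script doing the copy, so nobody can later tell whether the grant is still needed or could be narrowed. Presumably the interface gives initrc_t write access to every directory carrying the generic /var type. If the copy targets a known set of paths, labelling those and granting access to that type would be tighter. At minimum tie the comment to the bug, e.g. `# init scripts cp localtime into /var dirs (#219227)`.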
@@ -2992,13 +3221,16 @@
  # slapd needs to read cert files from its initscript
  miscfiles_read_certs(initrc_t)
  
-@@ -500,6 +507,14 @@
+@@ -499,7 +508,17 @@
+ 	tunable_policy(`allow_daemons_use_tty',`
  		term_use_unallocated_ttys(daemon)
  		term_use_generic_ptys(daemon)
- 	')
++		unconfined_rw_pipes(daemon)
++	', `
++		# system-config-services causes avc messages that should be dontaudited
++		unconfined_dontaudit_rw_pipes(daemon)
 +
-+	# system-config-services causes avc messages that should be dontaudited
-+	unconfined_dontaudit_rw_pipes(daemon)
+ 	')
 +
 +	tunable_policy(`allow_daemons_dump_core',`
 +		files_dump_core(daemon)
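Review bot: Moving the pipe rules inside the `allow_daemons_use_tty` tunable makes a boolean named for terminal access also decide whether every `daemon` domain gets `unconfined_rw_pipes(daemon)`, which an administrator enabling it for tty output would not expect. Either give the pipe access its own tunable or say so at the top of the block, e.g. `# also grants rw on unconfined pipes; dontaudited when the boolean is off`. The stray blank added line before the closing `')` of the else branch can go as well. The enclosing block starts outside the hunk.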
@@ -3007,7 +3239,7 @@
  ',`
  	# cjp: require doesnt work in the else of optionals :\
  	# this also would result in a type transition
-@@ -710,6 +725,9 @@
+@@ -710,6 +729,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -3019,8 +3251,13 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.4.6/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/iptables.te	2006-12-05 13:19:42.000000000 -0500
-@@ -85,7 +85,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/iptables.te	2006-12-12 15:19:22.000000000 -0500
+@@ -81,11 +81,12 @@
+ 	term_dontaudit_use_unallocated_ttys(iptables_t)
+ 	term_dontaudit_use_generic_ptys(iptables_t)
+ 	files_dontaudit_read_root_files(iptables_t)
++	unconfined_rw_pipes(iptables_t)
+ ')
  
  optional_policy(`
  	firstboot_use_fds(iptables_t)
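Review bot: `unconfined_rw_pipes(iptables_t)` is added without a comment directly after three `dontaudit` rules, so it reads like another noise suppression although it is an actual allow. If the intent is to let iptables write its output when invoked from an unconfined script, state that: `# iptables run from unconfined scripts writes to their pipes`. If the denials were only noise, `unconfined_dontaudit_rw_pipes(iptables_t)`, which this same patch uses for `daemon` in init.te, would be the narrower choice. The block this line is added to starts outside the hunk.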
@@ -3029,7 +3266,7 @@
  ')
  
  optional_policy(`
-@@ -104,3 +104,7 @@
+@@ -104,3 +105,7 @@
  optional_policy(`
  	udev_read_db(iptables_t)
  ')
@@ -3039,7 +3276,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.6/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.fc	2006-12-06 12:36:40.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/libraries.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -131,6 +131,7 @@
  /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
  
@@ -3121,7 +3358,7 @@
 +/usr/lib64/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.4.6/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/libraries.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/libraries.te	2006-12-12 15:19:22.000000000 -0500
 @@ -81,12 +81,6 @@
  
  userdom_use_all_users_fds(ldconfig_t)
@@ -3137,7 +3374,7 @@
  	unconfined_domain(ldconfig_t) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.6/policy/modules/system/locallogin.if
 --- nsaserefpolicy/policy/modules/system/locallogin.if	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/locallogin.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/locallogin.if	2006-12-12 15:19:22.000000000 -0500
 @@ -75,3 +75,40 @@
  
  	allow $1 local_login_t:process signull;
@@ -3181,7 +3418,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.6/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/logging.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/logging.te	2006-12-12 15:19:22.000000000 -0500
 @@ -53,6 +53,7 @@
  
  type var_log_t;
@@ -3192,7 +3429,7 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-2.4.6/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -95,3 +95,4 @@
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -3200,7 +3437,7 @@
 +/var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.6/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.te	2006-12-12 15:19:22.000000000 -0500
 @@ -13,6 +13,9 @@
  type clvmd_var_run_t;
  files_pid_file(clvmd_var_run_t)
@@ -3331,7 +3568,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.4.6/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/miscfiles.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/miscfiles.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -39,6 +39,7 @@
  /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
  /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
@@ -3342,7 +3579,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-2.4.6/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/miscfiles.if	2006-12-05 14:16:09.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/miscfiles.if	2006-12-12 15:19:22.000000000 -0500
 @@ -138,6 +138,44 @@
  
  ########################################
@@ -3388,9 +3625,54 @@
  ##	Allow process to read legacy time localization info
  ## </summary>
  ## <param name="domain">
+@@ -387,3 +425,44 @@
+ 	allow $1 test_file_t:lnk_file r_file_perms;
+ 	can_exec($1, test_file_t)
+ ')
++
++########################################
++## <summary>
++##	Execute test files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`miscfiles_etc_filetrans_localization',`
++	gen_require(`
++		type locale_t;
++	')
++
++	files_etc_filetrans($1, locale_t, file)
++
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete localization
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_manage_localization',`
++	gen_require(`
++		type locale_t;
++	')
++
++	allow $1 locale_t:dir create_dir_perms;
++	allow $1 locale_t:file create_file_perms;
++	allow $1 locale_t:lnk_file create_lnk_perms;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.4.6/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/modutils.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/modutils.te	2006-12-12 15:19:22.000000000 -0500
 @@ -117,10 +117,6 @@
  	kernel_domtrans_to(insmod_t,insmod_exec_t)
  }
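Review bot: The doc block of `miscfiles_etc_filetrans_localization` has the summary `Execute test files.`, apparently copied from the test-file interface that precedes it, while the body calls `files_etc_filetrans($1, locale_t, file)`. Replace it with something like `##	Create files in /etc with the localization type.` and drop the blank line before the closing `')`. The summary of `miscfiles_manage_localization` is cut short; `##	Create, read, write, and delete localization files.` reads complete.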
@@ -3412,7 +3694,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.6/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/mount.te	2006-12-12 15:19:22.000000000 -0500
 @@ -9,6 +9,7 @@
  type mount_t;
  type mount_exec_t;
@@ -3473,7 +3755,7 @@
  	rpm_rw_pipes(mount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.6/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/raid.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/raid.te	2006-12-12 15:19:22.000000000 -0500
 @@ -38,12 +38,15 @@
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -3500,7 +3782,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -41,6 +41,7 @@
  /usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
  /usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
@@ -3511,7 +3793,7 @@
  # /var/run
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.6/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if	2006-12-12 15:19:22.000000000 -0500
 @@ -713,7 +713,7 @@
  	')
  
@@ -3641,7 +3923,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.6/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te	2006-12-07 09:28:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te	2006-12-12 15:19:22.000000000 -0500
 @@ -107,6 +107,19 @@
  type semanage_exec_t;
  domain_entry_file(semanage_t, semanage_exec_t)
@@ -3828,7 +4110,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.4.6/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/sysnetwork.te	2006-12-12 15:19:22.000000000 -0500
 @@ -333,6 +333,9 @@
  ifdef(`targeted_policy',`
  	term_use_generic_ptys(ifconfig_t)
@@ -3839,9 +4121,75 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/tzdata.fc serefpolicy-2.4.6/policy/modules/system/tzdata.fc
+--- nsaserefpolicy/policy/modules/system/tzdata.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/tzdata.fc	2006-12-12 15:19:22.000000000 -0500
+@@ -0,0 +1,3 @@
++# tzdata executable will have:
++
++/usr/sbin/tzdata-update		--	gen_context(system_u:object_r:tzdata_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/tzdata.if serefpolicy-2.4.6/policy/modules/system/tzdata.if
+--- nsaserefpolicy/policy/modules/system/tzdata.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/tzdata.if	2006-12-12 15:19:22.000000000 -0500
+@@ -0,0 +1,23 @@
++## <summary>policy for tzdata</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run tzdata.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`tzdata_domtrans',`
++	gen_require(`
++		type tzdata_t, tzdata_exec_t;
++	')
++
++	domain_auto_trans($1,tzdata_exec_t,tzdata_t)
++
++	allow tzdata_t $1:fd use;
++	allow tzdata_t $1:fifo_file rw_file_perms;
++	allow tzdata_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/tzdata.te serefpolicy-2.4.6/policy/modules/system/tzdata.te
+--- nsaserefpolicy/policy/modules/system/tzdata.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/tzdata.te	2006-12-12 15:19:22.000000000 -0500
+@@ -0,0 +1,28 @@
++policy_module(tzdata,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type tzdata_t;
++type tzdata_exec_t;
++domain_type(tzdata_t)
++init_daemon_domain(tzdata_t, tzdata_exec_t)
++
++########################################
++#
++# tzdata local policy
++#
++
++# Some common macros (you might be able to remove some)
++files_read_etc_files(tzdata_t)
++libs_use_ld_so(tzdata_t)
++libs_use_shared_libs(tzdata_t)
++miscfiles_read_localization(tzdata_t)
++
++files_search_spool(tzdata_t)
++miscfiles_manage_localization(tzdata_t)
++miscfiles_etc_filetrans_localization(tzdata_t)
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.4.6/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -7,6 +7,8 @@
  ifdef(`targeted_policy',`
  /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
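Review bot: tzdata.te declares the domain with `init_daemon_domain(tzdata_t, tzdata_exec_t)`, yet the only entry points this patch adds are `tzdata_domtrans(unconfined_t)` and `tzdata_domtrans(sysadm_t)`, and tzdata-update looks like a run-once tool rather than a daemon. If the init.if change earlier in this patch is the body of init_daemon_domain, tzdata_t also joins the `daemon` attribute and inherits the tunable-gated tty, pipe and core-dump rules from init.te. Unless an init script really starts it, `domain_entry_file(tzdata_t, tzdata_exec_t)` after the existing `domain_type(tzdata_t)` should be enough to declare the entry point, plus whatever `role` statements the callers need. The generator leftovers `# Some common macros (you might be able to remove some)` and `# tzdata executable will have:` should be resolved or removed, and `files_search_spool(tzdata_t)` needs a why-comment.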
@@ -3854,7 +4202,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.6/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.if	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.if	2006-12-12 15:19:22.000000000 -0500
 @@ -31,6 +31,7 @@
  	allow $1 self:nscd *;
  	allow $1 self:dbus *;
@@ -3890,7 +4238,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.6/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.te	2006-12-12 15:19:22.000000000 -0500
 @@ -83,6 +83,9 @@
  		optional_policy(`
  			networkmanager_dbus_chat(unconfined_t)
@@ -3910,16 +4258,20 @@
  	')
  
  	optional_policy(`
-@@ -173,6 +178,8 @@
+@@ -173,6 +178,12 @@
  	optional_policy(`
  		xserver_domtrans_xdm_xserver(unconfined_t)
  	')
 +	mcs_killall(unconfined_t)
 +	mcs_ptrace_all(unconfined_t)
++
++	optional_policy(`
++		tzdata_domtrans(unconfined_t)
++	')
  ')
  
  ########################################
-@@ -181,10 +188,18 @@
+@@ -181,10 +192,18 @@
  #
  
  ifdef(`targeted_policy',`
@@ -3940,7 +4292,7 @@
  		init_dbus_chat_script(unconfined_execmem_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if	2006-12-07 15:28:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if	2006-12-12 15:19:22.000000000 -0500
 @@ -22,9 +22,9 @@
  ## <rolebase/>
  #
@@ -4615,7 +4967,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.6/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.te	2006-12-08 09:17:52.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.te	2006-12-12 15:19:22.000000000 -0500
 @@ -24,6 +24,9 @@
  # users home directory contents
  attribute home_type;
@@ -4652,10 +5004,14 @@
  	',`
  		logging_manage_audit_log(sysadm_t)
  		logging_manage_audit_config(sysadm_t)
-@@ -181,6 +165,10 @@
+@@ -181,6 +165,14 @@
  	')
  
  	optional_policy(`
++		tzdata_domtrans(sysadm_t)
++	')
++
++	optional_policy(`
 +		raid_domtrans_mdadm(sysadm_t)
 +	')
 +
@@ -4663,7 +5019,7 @@
  		# cjp: why is this not apm_run_client
  		apm_domtrans_client(sysadm_t)
  	')
-@@ -229,7 +217,6 @@
+@@ -229,7 +221,6 @@
  		consoletype_exec(sysadm_t)
  
  		ifdef(`enable_mls',`
@@ -4671,7 +5027,7 @@
  			consoletype_exec(auditadm_t)
  		')
  	')
-@@ -248,7 +235,6 @@
+@@ -248,7 +239,6 @@
  		dmesg_exec(sysadm_t)
  
  		ifdef(`enable_mls',`
@@ -4679,7 +5035,7 @@
  			dmesg_exec(auditadm_t)
  		')
  	')
-@@ -383,27 +369,12 @@
+@@ -383,27 +373,12 @@
  		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
  
  		ifdef(`enable_mls',`
@@ -4712,7 +5068,7 @@
  		')
  	')
  
-@@ -428,6 +399,9 @@
+@@ -428,6 +403,9 @@
  	')
  
  	optional_policy(`
@@ -4724,7 +5080,7 @@
  		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.6/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.fc	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.fc	2006-12-12 15:19:22.000000000 -0500
 @@ -8,6 +8,7 @@
  /usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
  
@@ -4735,7 +5091,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.6/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/xen.te	2006-12-12 15:19:22.000000000 -0500
 @@ -86,8 +86,8 @@
  allow xend_t self:tcp_socket create_stream_socket_perms;
  allow xend_t self:packet_socket create_socket_perms;
@@ -4827,7 +5183,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.6/Rules.modular
 --- nsaserefpolicy/Rules.modular	2006-11-16 17:15:29.000000000 -0500
-+++ serefpolicy-2.4.6/Rules.modular	2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/Rules.modular	2006-12-12 15:19:22.000000000 -0500
 @@ -219,6 +219,16 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.362
retrieving revision 1.363
diff -u -r1.362 -r1.363
--- selinux-policy.spec	11 Dec 2006 12:35:45 -0000	1.362
+++ selinux-policy.spec	12 Dec 2006 21:46:24 -0000	1.363
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.6
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -351,8 +351,13 @@
 %endif
 
 %changelog
+* Thu Dec 12 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-10
+- Allow initrc to create files in /var directories
+Resolves: #219227
+
 * Fri Dec 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-9
 - More fixes for MLS
+Resolves: #181566
 
 * Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-8
 - More Fixes polyinstatiation



