rpms/selinux-policy/devel .cvsignore, 1.21, 1.22 modules-mls.conf, 1.7, 1.8 policy-20060104.patch, 1.7, 1.8 selinux-policy.spec, 1.80, 1.81 sources, 1.23, 1.24

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Jan 11 22:25:10 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12627

Modified Files:
	.cvsignore modules-mls.conf policy-20060104.patch 
	selinux-policy.spec sources 
Log Message:
* Tue Jan 10 2006 Dan Walsh <dwalsh at redhat.com> 2.1.9-1
- Update to upstream



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- .cvsignore	9 Jan 2006 20:20:08 -0000	1.21
+++ .cvsignore	11 Jan 2006 22:25:06 -0000	1.22
@@ -22,3 +22,4 @@
 serefpolicy-2.1.6.tgz
 serefpolicy-2.1.7.tgz
 serefpolicy-2.1.8.tgz
+serefpolicy-2.1.9.tgz


Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- modules-mls.conf	30 Dec 2005 16:08:00 -0000	1.7
+++ modules-mls.conf	11 Jan 2006 22:25:06 -0000	1.8
@@ -114,6 +114,20 @@
 rpm = base
 
 # Layer: admin
+# Module: readahead
+#
+# Readahead, read files into page cache for improved performance
+# 
+readahead = base
+
+# Layer: apps
+# Module: alsa
+#
+# alsa - Configure sound
+# 
+alsa = base
+
+# Layer: admin
 # Module: kudzu
 #
 # Hardware detection and configuration tools

policy-20060104.patch:
 Makefile                                  |    2 
 policy/modules/admin/amanda.te            |    4 
 policy/modules/admin/kudzu.te             |    1 
 policy/modules/admin/readahead.te         |    6 +
 policy/modules/admin/su.if                |    2 
 policy/modules/admin/vpn.te               |    7 +
 policy/modules/apps/alsa.fc               |    3 
 policy/modules/apps/alsa.if               |   21 ++++
 policy/modules/apps/alsa.te               |   34 ++++++++
 policy/modules/apps/java.fc               |    4 
 policy/modules/apps/java.if               |   23 +++++
 policy/modules/apps/java.te               |   25 +++++
 policy/modules/apps/wine.fc               |    2 
 policy/modules/apps/wine.if               |   23 +++++
 policy/modules/apps/wine.te               |   27 ++++++
 policy/modules/kernel/corecommands.te     |    6 +
 policy/modules/kernel/devices.if          |   16 +++
 policy/modules/kernel/domain.if           |    1 
 policy/modules/kernel/domain.te           |    4 
 policy/modules/kernel/files.if            |   17 ++++
 policy/modules/kernel/mls.te              |    2 
 policy/modules/services/apache.te         |    9 ++
 policy/modules/services/apm.te            |    1 
 policy/modules/services/automount.te      |   10 ++
 policy/modules/services/bind.if           |   19 ++++
 policy/modules/services/cron.te           |   34 +-------
 policy/modules/services/cups.te           |    6 -
 policy/modules/services/dovecot.te        |    1 
 policy/modules/services/finger.te         |    1 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.te            |   20 +++-
 policy/modules/services/kerberos.te       |    5 -
 policy/modules/services/locate.fc         |    4 
 policy/modules/services/locate.if         |    1 
 policy/modules/services/locate.te         |   50 +++++++++++
 policy/modules/services/mta.te            |   10 ++
 policy/modules/services/networkmanager.te |    5 -
 policy/modules/services/ntp.te            |    2 
 policy/modules/services/prelink.fc        |    7 +
 policy/modules/services/prelink.if        |   39 +++++++++
 policy/modules/services/prelink.te        |   64 +++++++++++++++
 policy/modules/services/samba.if          |    2 
 policy/modules/services/sendmail.te       |    2 
 policy/modules/services/ssh.if            |    4 
 policy/modules/services/xdm.te            |    4 
 policy/modules/system/authlogin.if        |   14 +++
 policy/modules/system/authlogin.te        |   12 --
 policy/modules/system/fstools.te          |    2 
 policy/modules/system/hostname.te         |   37 +-------
 policy/modules/system/init.if             |    3 
 policy/modules/system/init.te             |   20 +---
 policy/modules/system/iptables.te         |    1 
 policy/modules/system/libraries.fc        |  127 +++++++++++++++---------------
 policy/modules/system/libraries.te        |    4 
 policy/modules/system/locallogin.te       |    1 
 policy/modules/system/lvm.te              |    9 --
 policy/modules/system/mount.te            |    3 
 policy/modules/system/selinuxutil.te      |    1 
 policy/modules/system/unconfined.if       |    1 
 policy/modules/system/unconfined.te       |   12 +-
 policy/modules/system/userdomain.fc       |    2 
 policy/modules/system/userdomain.if       |   67 +++++++++++----
 policy/modules/system/userdomain.te       |    1 
 policy/users                              |    8 +
 64 files changed, 656 insertions(+), 200 deletions(-)

Index: policy-20060104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060104.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20060104.patch	10 Jan 2006 17:36:14 -0000	1.7
+++ policy-20060104.patch	11 Jan 2006 22:25:06 -0000	1.8
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.8/Makefile
---- nsaserefpolicy/Makefile	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/Makefile	2006-01-09 14:37:14.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.9/Makefile
+--- nsaserefpolicy/Makefile	2006-01-11 14:31:29.000000000 -0500
++++ serefpolicy-2.1.9/Makefile	2006-01-11 17:13:44.000000000 -0500
 @@ -92,7 +92,7 @@
  
  # enable MLS if requested.
@@ -10,9 +10,9 @@
  	override CHECKPOLICY += -M
  	override CHECKMODULE += -M
  endif
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.1.8/policy/modules/admin/amanda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.1.9/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/admin/amanda.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/admin/amanda.te	2006-01-11 17:13:44.000000000 -0500
 @@ -165,6 +165,10 @@
  
  sysnet_read_config(amanda_t)
@@ -24,40 +24,37 @@
  optional_policy(`authlogin',`
  	auth_read_shadow(amanda_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.1.8/policy/modules/admin/consoletype.te
---- nsaserefpolicy/policy/modules/admin/consoletype.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/admin/consoletype.te	2006-01-09 14:37:14.000000000 -0500
-@@ -38,6 +38,7 @@
- 
- kernel_use_fd(consoletype_t)
- kernel_dontaudit_read_system_state(consoletype_t)
-+kernel_read_proc_devices(consoletype_t)
- 
- fs_getattr_all_fs(consoletype_t)
- fs_search_auto_mountpoints(consoletype_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.1.8/policy/modules/admin/netutils.te
---- nsaserefpolicy/policy/modules/admin/netutils.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/admin/netutils.te	2006-01-09 14:37:14.000000000 -0500
-@@ -42,6 +42,7 @@
- files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
- 
- kernel_search_proc(netutils_t)
-+kernel_read_proc_devices(netutils_t)
- 
- corenet_tcp_sendrecv_all_if(netutils_t)
- corenet_raw_sendrecv_all_if(netutils_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.1.8/policy/modules/admin/readahead.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.1.9/policy/modules/admin/kudzu.te
+--- nsaserefpolicy/policy/modules/admin/kudzu.te	2006-01-09 11:32:53.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/admin/kudzu.te	2006-01-11 17:13:44.000000000 -0500
+@@ -63,6 +63,7 @@
+ fs_write_ramfs_socket(kudzu_t)
+ 
+ mls_file_read_up(kudzu_t)
++mls_file_write_down(kudzu_t)
+ 
+ modutils_read_mods_deps(kudzu_t)
+ modutils_read_module_conf(kudzu_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.1.9/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2006-01-04 16:55:14.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/admin/readahead.te	2006-01-10 11:39:08.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/admin/readahead.te	2006-01-11 17:13:44.000000000 -0500
 @@ -27,6 +27,7 @@
  
  kernel_read_kernel_sysctl(readahead_t)
  kernel_read_system_state(readahead_t)
-+kernel_getattr_core(readahead_t)
++kernel_dontaudit_getattr_core(readahead_t)
  
  dev_read_sysfs(readahead_t)
  dev_getattr_generic_chr_file(readahead_t)
-@@ -43,6 +44,9 @@
+@@ -34,6 +35,7 @@
+ dev_getattr_all_chr_files(readahead_t)
+ dev_getattr_all_blk_files(readahead_t)
+ dev_dontaudit_read_all_blk_files(readahead_t)
++dev_dontaudit_getattr_memory_device(readahead_t)
+ 
+ domain_use_wide_inherit_fd(readahead_t)
+ 
+@@ -43,6 +45,9 @@
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
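Review bot: `mls_file_write_down(kudzu_t)` in the new kudzu.te hunk is an MLS constraint override, not an ordinary allow rule, and it is added with no comment saying which kudzu write it is needed for; in an MLS build this lets kudzu write to files labelled below its own level, so the justification belongs next to the rule, e.g. `# MLS: kudzu must write config below its level (see denial that motivated this)`, with the actual denial filled in. The readahead change in the same hunk goes the other way (the `kernel_getattr_core` allow becomes `kernel_dontaudit_getattr_core` and a `dev_dontaudit_getattr_memory_device` is added), which narrows privilege and is fine as written. The consoletype/netutils `kernel_read_proc_devices` removals are history, presumably because upstream 2.1.9 carries them.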
@@ -67,7 +64,7 @@
  
  term_dontaudit_use_console(readahead_t)
  
-@@ -50,6 +54,7 @@
+@@ -50,6 +55,7 @@
  
  init_use_fd(readahead_t)
  init_use_script_pty(readahead_t)
@@ -75,9 +72,9 @@
  
  libs_use_ld_so(readahead_t)
  libs_use_shared_libs(readahead_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.1.8/policy/modules/admin/su.if
---- nsaserefpolicy/policy/modules/admin/su.if	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/admin/su.if	2006-01-09 14:37:14.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.1.9/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if	2006-01-11 14:31:30.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/admin/su.if	2006-01-11 17:13:44.000000000 -0500
 @@ -193,7 +193,9 @@
  	domain_use_wide_inherit_fd($1_su_t)
  
@@ -88,9 +85,9 @@
  
  	init_dontaudit_use_fd($1_su_t)
  	# Write to utmp.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.1.8/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.1.9/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/admin/vpn.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/admin/vpn.te	2006-01-11 17:13:44.000000000 -0500
 @@ -24,6 +24,7 @@
  #
  
@@ -116,17 +113,87 @@
 +optional_policy(`dbus',`
 +	dbus_system_bus_client_template(vpnc,vpnc_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.8/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/alsa.fc serefpolicy-2.1.9/policy/modules/apps/alsa.fc
+--- nsaserefpolicy/policy/modules/apps/alsa.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/alsa.fc	2006-01-11 17:13:44.000000000 -0500
+@@ -0,0 +1,3 @@
++#DESC       ainit - configuration tool for ALSA
++/usr/bin/ainit 		-- 	gen_context(system_u:object_r:alsa_exec_t, s0)
++/etc/alsa/pcm(/.*)? 		gen_context(system_u:object_r:alsa_etc_rw_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/alsa.if serefpolicy-2.1.9/policy/modules/apps/alsa.if
+--- nsaserefpolicy/policy/modules/apps/alsa.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/alsa.if	2006-01-11 17:13:44.000000000 -0500
+@@ -0,0 +1,21 @@
++## <summary>configuration tool for ALSA.</summary>
++########################################
++## <summary>
++##	Execute alsa in the alsa domain.
++## </summary>
++## <param name="domain">
++##	The type of the process performing this action.
++## </param>
++#
++interface(`alsa_domtrans',`
++	gen_require(`
++		type alsa_t, alsa_exec_t;
++	')
++
++	domain_auto_trans($1,alsa_exec_t,alsa_t)
++
++	allow $1 alsa_t:fd use;
++	allow alsa_t $1:fd use;
++	allow alsa_t $1:fifo_file rw_file_perms;
++	allow alsa_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/alsa.te serefpolicy-2.1.9/policy/modules/apps/alsa.te
+--- nsaserefpolicy/policy/modules/apps/alsa.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/alsa.te	2006-01-11 17:13:44.000000000 -0500
+@@ -0,0 +1,34 @@
++policy_module(alsa,1.0.0)
++type alsa_t;
++domain_type(alsa_t)
++
++type alsa_exec_t;
++domain_entry_file(alsa_t,alsa_exec_t)
++role system_r types alsa_t;
++
++type alsa_etc_rw_t;
++files_type(alsa_etc_rw_t)
++
++allow alsa_t self:capability { setgid setuid ipc_owner };
++dontaudit alsa_t self:capability sys_admin;
++
++files_read_etc_files(alsa_t)
++
++logging_send_syslog_msg(alsa_t)
++
++libs_use_ld_so(alsa_t)
++libs_use_shared_libs(alsa_t)
++
++miscfiles_read_localization(alsa_t) 
++
++allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
++allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
++allow alsa_t self:unix_stream_socket create_stream_socket_perms;
++allow alsa_t self:unix_dgram_socket create_socket_perms;
++allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
++allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
++
++allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
++allow alsa_t alsa_etc_rw_t:file create_file_perms;
++
++allow alsa_t devpts_t:chr_file { read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.9/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/apps/java.fc	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/java.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,4 @@
 +
 +/usr/.*/java	--	gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/bin/gij	--	gen_context(system_u:object_r:java_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.1.8/policy/modules/apps/java.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.1.9/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/apps/java.if	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/java.if	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,23 @@
 +## <summary>Load keyboard mappings.</summary>
 +
@@ -151,9 +218,9 @@
 +	allow java_t $1:fifo_file rw_file_perms;
 +	allow java_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.1.8/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.1.9/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/apps/java.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/java.te	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,25 @@
 +policy_module(java,1.0.0)
 +
@@ -180,15 +247,15 @@
 +	unconfined_domtrans(java_t)
 +	role system_r types java_t;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.1.8/policy/modules/apps/wine.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.1.9/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/apps/wine.fc	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/wine.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,2 @@
 +/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.1.8/policy/modules/apps/wine.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.1.9/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/apps/wine.if	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/wine.if	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,23 @@
 +## <summary>Load keyboard mappings.</summary>
 +
@@ -213,9 +280,9 @@
 +	allow wine_t $1:fifo_file rw_file_perms;
 +	allow wine_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.1.8/policy/modules/apps/wine.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.1.9/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/apps/wine.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/apps/wine.te	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,27 @@
 +policy_module(wine,1.0.0)
 +
@@ -244,9 +311,9 @@
 +	allow wine_t file_type:file execmod;
 +
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.te serefpolicy-2.1.8/policy/modules/kernel/corecommands.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.te serefpolicy-2.1.9/policy/modules/kernel/corecommands.te
 --- nsaserefpolicy/policy/modules/kernel/corecommands.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/corecommands.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/kernel/corecommands.te	2006-01-11 17:13:44.000000000 -0500
 @@ -35,3 +35,9 @@
  
  type chroot_exec_t;
@@ -257,9 +324,32 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.1.8/policy/modules/kernel/domain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.1.9/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if	2005-12-05 22:35:02.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/kernel/devices.if	2006-01-11 17:13:44.000000000 -0500
+@@ -2248,3 +2248,19 @@
+ 	typeattribute $1 memory_raw_write, memory_raw_read;
+ ')
+ 
++########################################
++## <summary>
++##	dontaudit getattr raw memory devices (e.g. /dev/mem).
++## </summary>
++## <param name="domain">
++##	Domain allowed access.
++## </param>
++#
++interface(`dev_dontaudit_getattr_memory_device',`
++	gen_require(`
++		type memory_device_t;
++	')
++
++	dontaudit $1 memory_device_t:chr_file getattr;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.1.9/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2005-12-12 15:35:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/domain.if	2006-01-09 17:23:08.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/kernel/domain.if	2006-01-11 17:13:44.000000000 -0500
 @@ -501,6 +501,7 @@
  	')
  
@@ -268,9 +358,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.1.8/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.1.9/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/domain.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/kernel/domain.te	2006-01-11 17:13:44.000000000 -0500
 @@ -67,3 +67,7 @@
  # cjp: also need to except correctly for SEFramework
  neverallow { domain unlabeled_t } file_type:process *;
@@ -280,10 +370,10 @@
 +	prelink_relabel(entry_type)
 +')
 \ No newline at end of file
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.1.8/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-01-04 17:28:52.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/files.if	2006-01-09 14:37:14.000000000 -0500
-@@ -3183,3 +3183,20 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.1.9/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-01-11 14:31:30.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/kernel/files.if	2006-01-11 17:13:44.000000000 -0500
+@@ -3241,3 +3241,20 @@
  		')
  	')
  ')
@@ -305,62 +395,9 @@
 +	allow $1 file_type:dir write;
 +')
 \ No newline at end of file
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.1.8/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-01-09 11:32:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/kernel.if	2006-01-09 14:37:14.000000000 -0500
-@@ -662,6 +662,27 @@
- 	allow $1 proc_mdstat_t:file rw_file_perms;
- ')
- 
-+#######################################
-+## <summary>
-+##	Allow caller to read the state information for device node numbers.
-+## </summary>
-+## <param name="domain">
-+##	The process type reading device number state.
-+## </param>
-+#
-+interface(`kernel_read_proc_devices',`
-+	gen_require(`
-+		type proc_t, proc_devices_t;
-+		class dir r_dir_perms;
-+		class file r_file_perms;
-+	')
-+
-+	allow $1 kernel_t:fd use;
-+	allow $1 device_t:chr_file getattr;
-+	allow $1 proc_t:dir r_dir_perms;
-+	allow $1 proc_devices_t:file r_file_perms;
-+')
-+
- ########################################
- ## <summary>
- ##	Allows caller to get attribues of core kernel interface.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.8/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-01-09 11:32:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/kernel.te	2006-01-09 14:37:14.000000000 -0500
-@@ -72,6 +72,9 @@
- type proc_mdstat_t, proc_type;
- genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
- 
-+type proc_devices_t, proc_type;
-+genfscon proc /devices gen_context(system_u:object_r:proc_devices_t,s0)
-+
- type proc_net_t, proc_type;
- genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
- 
-@@ -184,6 +187,8 @@
- allow kernel_t proc_net_t:dir r_dir_perms;
- allow kernel_t proc_net_t:file r_file_perms;
- allow kernel_t proc_mdstat_t:file r_file_perms;
-+allow kernel_t proc_devices_t:file r_file_perms;
-+allow kernel_t proc_devices_t:file { read };
- allow kernel_t proc_kcore_t:file getattr;
- allow kernel_t proc_kmsg_t:file getattr;
- allow kernel_t sysctl_t:dir r_dir_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.8/policy/modules/kernel/mls.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.9/policy/modules/kernel/mls.te
 --- nsaserefpolicy/policy/modules/kernel/mls.te	2006-01-09 11:32:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/kernel/mls.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/kernel/mls.te	2006-01-11 17:13:44.000000000 -0500
 @@ -82,9 +82,11 @@
  # these might be targeted_policy only
  range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
@@ -373,9 +410,9 @@
  range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 +range_transition initrc_t auditd_exec_t s15:c0.c255;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.8/policy/modules/services/apache.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.1.9/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2005-12-12 23:05:35.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/apache.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/apache.te	2006-01-11 17:13:44.000000000 -0500
 @@ -391,6 +391,10 @@
  	userdom_dontaudit_use_sysadm_terms(httpd_t)
  ')
@@ -396,9 +433,9 @@
 +	cron_system_entry(httpd_t, httpd_exec_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.1.8/policy/modules/services/apm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.1.9/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/apm.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/apm.te	2006-01-11 17:13:44.000000000 -0500
 @@ -196,6 +196,7 @@
  ')
  
@@ -407,9 +444,9 @@
  	cron_domtrans_anacron_system_job(apmd_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.8/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.9/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-01-09 11:32:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/automount.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/automount.te	2006-01-11 17:13:44.000000000 -0500
 @@ -28,7 +28,7 @@
  # Local policy
  #
@@ -429,32 +466,68 @@
  corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
  
  dev_read_sysfs(automount_t)
-@@ -143,6 +145,11 @@
+@@ -107,6 +109,7 @@
+ fs_manage_auto_mountpoints(automount_t)
+ 
+ term_dontaudit_use_console(automount_t)
++term_dontaudit_getattr_pty_dir(lvm_t)
+ 
+ init_use_fd(automount_t)
+ init_use_script_pty(automount_t)
+@@ -143,6 +146,10 @@
  	fstools_domtrans(automount_t)
  ')
  
 +optional_policy(`bind',`
-+	allow automount_t named_conf_t:dir search;
-+	allow automount_t named_zone_t:dir search;
++	bind_search_mounts(automount_t)
 +')
 +
  optional_policy(`nis',`
  	nis_use_ypbind(automount_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.1.8/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te	2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/bluetooth.te	2006-01-09 14:37:14.000000000 -0500
-@@ -86,6 +86,7 @@
- 
- kernel_read_kernel_sysctl(bluetooth_t)
- kernel_read_system_state(bluetooth_t)
-+kernel_read_proc_devices(bluetooth_t)
- 
- corenet_tcp_sendrecv_all_if(bluetooth_t)
- corenet_udp_sendrecv_all_if(bluetooth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.1.8/policy/modules/services/cron.te
+@@ -158,3 +165,4 @@
+ optional_policy(`udev',`
+ 	udev_read_db(automount_t)
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-2.1.9/policy/modules/services/bind.if
+--- nsaserefpolicy/policy/modules/services/bind.if	2006-01-09 11:32:53.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/bind.if	2006-01-11 17:13:44.000000000 -0500
+@@ -207,3 +207,22 @@
+ 	allow $1 named_zone_t:file r_file_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Read BIND search for mount points
++## </summary>
++## <param name="domain">
++##	Domain allowed access.
++## </param>
++#
++interface(`bind_search_mounts',`
++	gen_require(`
++		type named_zone_t;
++		type named_conf_t;
++	')
++
++	files_search_var($1)
++	allow $1 named_zone_t:dir search_dir_perms;
++	allow $1 named_conf_t:dir  search_dir_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.1.9/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2006-01-09 11:32:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/cron.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/cron.te	2006-01-11 17:13:44.000000000 -0500
+@@ -120,7 +120,7 @@
+ 
+ init_use_fd(crond_t)
+ init_use_script_pty(crond_t)
+-init_read_script_pid(crond_t)
++init_rw_script_pid(crond_t)
+ 
+ libs_use_ld_so(crond_t)
+ libs_use_shared_libs(crond_t)
 @@ -407,43 +407,21 @@
  		sysstat_manage_log(system_crond_t)
  	')
@@ -504,9 +577,9 @@
  	allow mta_user_agent system_crond_t:fd use;
  	r_dir_file(system_mail_t, crond_tmp_t)
  	')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.8/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.9/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-01-09 11:32:53.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/cups.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/cups.te	2006-01-11 17:13:44.000000000 -0500
 @@ -201,8 +201,7 @@
  ')
  
@@ -527,9 +600,9 @@
  ')
  
  optional_policy(`dbus',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.8/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.1.9/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/dovecot.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/dovecot.te	2006-01-11 17:13:44.000000000 -0500
 @@ -95,6 +95,7 @@
  files_read_etc_files(dovecot_t)
  files_search_spool(dovecot_t)
@@ -538,17 +611,28 @@
  files_dontaudit_list_default(dovecot_t)
  
  init_use_fd(dovecot_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.1.8/policy/modules/services/hal.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/finger.te serefpolicy-2.1.9/policy/modules/services/finger.te
+--- nsaserefpolicy/policy/modules/services/finger.te	2006-01-11 14:31:32.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/finger.te	2006-01-11 17:13:44.000000000 -0500
+@@ -65,6 +65,7 @@
+ fs_getattr_all_fs(fingerd_t)
+ fs_search_auto_mountpoints(fingerd_t)
+ 
++term_search_ptys(fingerd_t)
+ term_dontaudit_use_console(fingerd_t)
+ term_getattr_all_user_ttys(fingerd_t)
+ term_getattr_all_user_ptys(fingerd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.1.9/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/hal.fc	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/hal.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -7,3 +7,4 @@
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
  
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/hal/scripts(/.*)?	 gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.8/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.9/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/hal.te	2006-01-10 12:17:49.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/hal.te	2006-01-11 17:13:44.000000000 -0500
 @@ -47,8 +47,14 @@
  kernel_read_system_state(hald_t)
  kernel_read_network_state(hald_t)
@@ -585,27 +669,27 @@
  optional_policy(`cups',`
  	cups_domtrans_config(hald_t)
  	cups_signal_config(hald_t)
-@@ -205,6 +216,3 @@
+@@ -154,6 +165,7 @@
+ 	dbus_system_bus_client_template(hald,hald_t)
+ 	dbus_send_system_bus_msg(hald_t)
+ 	dbus_connect_system_bus(hald_t)
++	allow hald_t self:dbus send_msg;
+ 
+ 	init_dbus_chat_script(hald_t)
+ 
+@@ -205,6 +217,6 @@
  	vbetool_domtrans(hald_t)
  ')
  
 -ifdef(`TODO',`
 -allow hald_t device_t:dir create_dir_perms;
 -') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-2.1.8/policy/modules/services/irqbalance.te
---- nsaserefpolicy/policy/modules/services/irqbalance.te	2005-11-28 17:23:58.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/irqbalance.te	2006-01-09 14:37:14.000000000 -0500
-@@ -28,6 +28,7 @@
- kernel_read_system_state(irqbalance_t)
- kernel_read_kernel_sysctl(irqbalance_t)
- kernel_rw_irq_sysctl(irqbalance_t)
-+kernel_read_proc_devices(irqbalance_t)
- 
- dev_read_sysfs(irqbalance_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.1.8/policy/modules/services/kerberos.te
++optional_policy(`bind',`
++	bind_search_mounts(hald_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.1.9/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/kerberos.te	2006-01-10 08:56:50.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/kerberos.te	2006-01-11 17:13:44.000000000 -0500
 @@ -249,8 +249,3 @@
  	udev_read_db(krb5kdc_t)
  ')
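Review bot: `allow hald_t self:dbus send_msg;` is a raw allow dropped among dbus_* interface calls inside what appears to be the dbus optional_policy block, whose opening line is outside the hunk. If dbus_system_bus_client_template already grants self:dbus send_msg the line is redundant; if it does not, every system-bus client needs the same rule and it belongs in that template in dbus.if rather than in hal.te, so confirm which case applies. Either way a one-line comment such as `# hald sends messages to itself over the system bus` would record why the rule exists.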
@@ -615,22 +699,22 @@
 -allow krb5kdc_t userdomain:udp_socket recvfrom;
 -allow userdomain krb5kdc_t:udp_socket recvfrom;
 -') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.fc serefpolicy-2.1.8/policy/modules/services/locate.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.fc serefpolicy-2.1.9/policy/modules/services/locate.fc
 --- nsaserefpolicy/policy/modules/services/locate.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/locate.fc	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/locate.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,4 @@
 +# locate - file locater
 +/usr/bin/updatedb		--	gen_context(system_u:object_r:locate_exec_t, s0)
 +/var/lib/[sm]locate(/.*)?		gen_context(system_u:object_r:locate_var_lib_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.if serefpolicy-2.1.8/policy/modules/services/locate.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.if serefpolicy-2.1.9/policy/modules/services/locate.if
 --- nsaserefpolicy/policy/modules/services/locate.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/locate.if	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/locate.if	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1 @@
 +## <summary>Update database for mlocate</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.te serefpolicy-2.1.8/policy/modules/services/locate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/locate.te serefpolicy-2.1.9/policy/modules/services/locate.te
 --- nsaserefpolicy/policy/modules/services/locate.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/locate.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/locate.te	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,50 @@
 +policy_module(locate,1.0.0)
 +
@@ -682,144 +766,11 @@
 +	allow system_crond_t locate_log_t:dir rw_dir_perms;
 +	allow system_crond_t locate_log_t:file { create append getattr };
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/logwatch.fc serefpolicy-2.1.8/policy/modules/services/logwatch.fc
---- nsaserefpolicy/policy/modules/services/logwatch.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/logwatch.fc	2006-01-09 14:37:14.000000000 -0500
-@@ -0,0 +1,3 @@
-+# logwatch - file logwatchr
-+/usr/share/logwatch/scripts/logwatch.pl	--	gen_context(system_u:object_r:logwatch_exec_t, s0)
-+/var/cache/logwatch(/.*)?			gen_context(system_u:object_r:logwatch_cache_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/logwatch.if serefpolicy-2.1.8/policy/modules/services/logwatch.if
---- nsaserefpolicy/policy/modules/services/logwatch.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/logwatch.if	2006-01-09 14:37:14.000000000 -0500
-@@ -0,0 +1 @@
-+## <summary>Update database for mlogwatch</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/logwatch.te serefpolicy-2.1.8/policy/modules/services/logwatch.te
---- nsaserefpolicy/policy/modules/services/logwatch.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/logwatch.te	2006-01-09 14:37:14.000000000 -0500
-@@ -0,0 +1,107 @@
-+policy_module(logwatch,1.0.0)
-+
-+#DESC LOGWATCH - system log analyzer and reporter
-+#
-+# Author:  Dan Walsh <dwalsh at redhat.com>
-+#
-+
-+#################################
-+#
-+# Rules for the logwatch_t domain.
-+#
-+# logwatch_exec_t is the type of the logwatch executable.
-+#
-+type logwatch_t;
-+domain_type(logwatch_t)
-+role system_r types logwatch_t;
-+
-+type logwatch_exec_t;
-+domain_entry_file(logwatch_t,logwatch_exec_t)
-+
-+type logwatch_cache_t;
-+files_type(logwatch_cache_t)
-+
-+type logwatch_tmp_t;
-+files_tmp_file(logwatch_tmp_t)
-+
-+allow logwatch_t self:capability setgid;
-+allow logwatch_t self:fifo_file rw_file_perms;
-+allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
-+allow logwatch_t logwatch_tmp_t:file create_file_perms;
-+files_create_tmp_files(logwatch_t, logwatch_tmp_t, { file dir })
-+
-+allow logwatch_t logwatch_cache_t:dir create_dir_perms;
-+allow logwatch_t logwatch_cache_t:file create_file_perms;
-+
-+auth_dontaudit_read_shadow(logwatch_t)
-+
-+corecmd_read_sbin_file(logwatch_t)
-+corecmd_exec_bin(logwatch_t)
-+corecmd_exec_shell(logwatch_t)
-+
-+dev_read_urand(logwatch_t)
-+
-+fs_getattr_all_fs(logwatch_t)
-+
-+kernel_read_fs_sysctl(logwatch_t)
-+kernel_read_kernel_sysctl(logwatch_t)
-+
-+files_read_etc_files(logwatch_t)
-+files_read_etc_runtime_files(logwatch_t)
-+files_read_usr_files(logwatch_t)
-+files_search_spool(logwatch_t)
-+files_dontaudit_search_home(logwatch_t)
-+
-+kernel_read_system_state(logwatch_t)
-+
-+libs_use_ld_so(logwatch_t)
-+libs_use_shared_libs(logwatch_t)
-+libs_read_lib(logwatch_t)
-+
-+logging_read_all_logs(logwatch_t)
-+
-+miscfiles_read_localization(logwatch_t)
-+
-+nscd_use_socket(logwatch_t)
-+
-+rpc_search_nfs_state_data(logwatch_t)
-+
-+term_dontaudit_getattr_pty_dir(logwatch_t)
-+term_dontaudit_list_ptys(logwatch_t)
-+
-+userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
-+userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
-+
-+# Read /proc/PID directories for all domains.
-+domain_read_all_domains_state(logwatch_t)
-+
-+mta_send_mail(logwatch_t)
-+
-+optional_policy(`cron',`
-+	cron_system_entry(logwatch_t, logwatch_exec_t)
-+')
-+
-+optional_policy(`samba',`
-+	samba_read_log(logwatch_t)
-+')
-+
-+optional_policy(`bind',`
-+	bind_read_config(logwatch_t)
-+	bind_read_zone(logwatch_t)
-+')
-+
-+optional_policy(`mta',`
-+	mta_getattr_spool(logwatch_t)
-+	allow system_mail_t logwatch_tmp_t:file r_file_perms;
-+')
-+
-+optional_policy(`apache',`
-+	apache_read_log(logwatch_t)
-+')
-+
-+optional_policy(`ntp',`
-+	allow logwatch_t ntpd_exec_t:file getattr;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.8/policy/modules/services/mta.te
---- nsaserefpolicy/policy/modules/services/mta.te	2006-01-04 17:28:52.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/mta.te	2006-01-09 14:37:14.000000000 -0500
-@@ -47,6 +47,9 @@
- allow system_mail_t etc_mail_t:dir { getattr search };
- allow system_mail_t etc_mail_t:file r_file_perms;
- 
-+allow initrc_t etc_mail_t:dir r_dir_perms;
-+allow initrc_t etc_mail_t:file r_file_perms;
-+
- kernel_read_system_state(system_mail_t)
- kernel_read_network_state(system_mail_t)
- 
-@@ -124,6 +127,10 @@
- 	logrotate_read_tmp_files(system_mail_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.9/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te	2006-01-11 14:31:32.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/mta.te	2006-01-11 17:20:33.000000000 -0500
+@@ -128,6 +128,10 @@
+ 	logwatch_read_tmp_files(system_mail_t)
  ')
  
 +optional_policy(`sendmail',`
@@ -829,7 +780,7 @@
  optional_policy(`postfix',`
  	allow system_mail_t etc_aliases_t:dir create_dir_perms;
  	allow system_mail_t etc_aliases_t:file create_file_perms;
-@@ -174,3 +181,9 @@
+@@ -178,3 +182,9 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -839,9 +790,9 @@
 +allow initrc_t etc_mail_t:dir rw_dir_perms;
 +allow initrc_t etc_mail_t:file create_file_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.1.8/policy/modules/services/networkmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.1.9/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/networkmanager.te	2006-01-10 09:08:19.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/networkmanager.te	2006-01-11 17:13:44.000000000 -0500
 @@ -28,8 +28,6 @@
  allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
  allow NetworkManager_t self:udp_socket create_socket_perms;
@@ -866,20 +817,9 @@
  	vpn_domtrans(NetworkManager_t)
 +	allow NetworkManager_t vpnc_t:process signal;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.1.8/policy/modules/services/nscd.te
---- nsaserefpolicy/policy/modules/services/nscd.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/nscd.te	2006-01-09 14:37:14.000000000 -0500
-@@ -128,7 +128,6 @@
- 
- optional_policy(`samba',`
- 	samba_connect_winbind(nscd_t)
--	samba_search_var(nscd_t)
- ')
- 
- optional_policy(`udev',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.1.8/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.1.9/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/ntp.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/ntp.te	2006-01-11 17:13:44.000000000 -0500
 @@ -148,8 +148,6 @@
  ')
  
@@ -889,20 +829,9 @@
  	samba_connect_winbind(ntpd_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-2.1.8/policy/modules/services/portmap.te
---- nsaserefpolicy/policy/modules/services/portmap.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/portmap.te	2006-01-09 14:37:14.000000000 -0500
-@@ -47,6 +47,7 @@
- kernel_read_proc_symlinks(portmap_t)
- kernel_udp_sendfrom(portmap_t)
- kernel_tcp_recvfrom(portmap_t) 
-+kernel_read_proc_devices(portmap_t)
- 
- corenet_tcp_sendrecv_all_if(portmap_t)
- corenet_udp_sendrecv_all_if(portmap_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.fc serefpolicy-2.1.8/policy/modules/services/prelink.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.fc serefpolicy-2.1.9/policy/modules/services/prelink.fc
 --- nsaserefpolicy/policy/modules/services/prelink.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/prelink.fc	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/prelink.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,7 @@
 +# prelink - prelink ELF shared libraries and binaries to speed up startup time
 +/usr/sbin/prelink		--	gen_context(system_u:object_r:prelink_exec_t,s0)
@@ -911,9 +840,9 @@
 +')
 +/var/log/prelink\.log		--	gen_context(system_u:object_r:prelink_log_t,s0)
 +/etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.if serefpolicy-2.1.8/policy/modules/services/prelink.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.if serefpolicy-2.1.9/policy/modules/services/prelink.if
 --- nsaserefpolicy/policy/modules/services/prelink.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/prelink.if	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/prelink.if	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,39 @@
 +## <summary>Prelink mappings.</summary>
 +
@@ -954,9 +883,9 @@
 +	')
 +	allow prelink_t $1:file { create_file_perms execute relabelto relabelfrom };
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.te serefpolicy-2.1.8/policy/modules/services/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelink.te serefpolicy-2.1.9/policy/modules/services/prelink.te
 --- nsaserefpolicy/policy/modules/services/prelink.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/prelink.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/prelink.te	2006-01-11 17:13:44.000000000 -0500
 @@ -0,0 +1,64 @@
 +policy_module(prelink,1.0.0)
 +
@@ -1022,20 +951,9 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.1.8/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/rpc.te	2006-01-09 14:37:14.000000000 -0500
-@@ -48,6 +48,7 @@
- kernel_search_network_state(rpcd_t) 
- # for rpc.rquotad
- kernel_read_sysctl(rpcd_t)  
-+kernel_read_proc_devices(rpcd_t)
- 
- corenet_udp_bind_generic_port(rpcd_t)
- corenet_udp_bind_reserved_port(rpcd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.1.8/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.1.9/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/samba.if	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/samba.if	2006-01-11 17:13:44.000000000 -0500
 @@ -342,7 +342,9 @@
  	')
  
@@ -1046,9 +964,42 @@
  	allow $1 winbind_t:unix_stream_socket connectto;
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.1.8/policy/modules/services/xdm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.1.9/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te	2006-01-09 11:32:54.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/sendmail.te	2006-01-11 17:13:44.000000000 -0500
+@@ -17,6 +17,7 @@
+ 
+ type sendmail_t;
+ mta_sendmail_mailserver(sendmail_t)
++mta_read_config(sendmail_t)
+ mta_mailserver_delivery(sendmail_t)
+ mta_mailserver_sender(sendmail_t)
+ 
+@@ -53,6 +54,7 @@
+ corenet_udp_bind_all_nodes(sendmail_t)
+ corenet_tcp_bind_smtp_port(sendmail_t)
+ corenet_tcp_connect_all_ports(sendmail_t)
++allow sendmail_t self:udp_socket create_socket_perms;
+ 
+ dev_read_urand(sendmail_t)
+ dev_read_sysfs(sendmail_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.1.9/policy/modules/services/ssh.if
+--- nsaserefpolicy/policy/modules/services/ssh.if	2005-12-06 19:49:51.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/ssh.if	2006-01-11 17:13:44.000000000 -0500
+@@ -58,6 +58,10 @@
+ 	domain_entry_file($1_ssh_keysign_t,ssh_keysign_exec_t)
+ 	role $3 types $1_ssh_keysign_t;
+ 
++	allow $1_ssh_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };
++	term_create_pty($1_ssh_t,$1_devpts_t)
++
++
+ 	##############################
+ 	#
+ 	# $1_ssh_t local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.1.9/policy/modules/services/xdm.te
 --- nsaserefpolicy/policy/modules/services/xdm.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/services/xdm.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/services/xdm.te	2006-01-11 17:13:44.000000000 -0500
 @@ -319,6 +319,10 @@
  allow xdm_xserver_t xkb_var_lib_t:lnk_file read;
  can_exec(xdm_xserver_t, xkb_var_lib_t)
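Review bot: In the ssh.if hunk, `getattr` in `allow $1_ssh_t $1_devpts_t:chr_file { rw_file_perms setattr getattr relabelfrom };` is already part of rw_file_perms, and `relabelfrom` is inert unless some rule also grants a matching relabelto on the target type, which nothing in this patch does. Reduce it to `allow $1_ssh_t $1_devpts_t:chr_file { rw_file_perms setattr relabelfrom };` with a comment naming the relabel it is meant to pair with, or drop relabelfrom if there is none; the term_create_pty call that follows may already cover the rw/setattr part (its definition is not in this patch, so confirm). The two added blank lines before the local-policy banner should be one, and the enclosing ssh template continues outside the hunk. In the sendmail.te hunk, `allow sendmail_t self:udp_socket create_socket_perms;` lands after the corenet_* calls, whereas the file's other self: rules sit together at the top of the local policy block.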
@@ -1060,41 +1011,63 @@
  # Insert video drivers.  
  allow xdm_xserver_t self:capability mknod;
  allow xdm_xserver_t sysctl_modprobe_t:file { getattr read };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.8/policy/modules/system/authlogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.1.9/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if	2006-01-09 11:32:54.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/authlogin.if	2006-01-11 17:13:44.000000000 -0500
+@@ -977,6 +977,20 @@
+ 
+ #######################################
+ #
++# auth_setattr_login_records(domain)
++#
++interface(`auth_setattr_login_records',`
++	gen_require(`
++		type wtmp_t;
++		class file setattr;
++	')
++
++	allow $1 wtmp_t:file setattr;
++	logging_search_logs($1)
++')
++
++#######################################
++#
+ # auth_create_login_records(domain)
+ #
+ interface(`auth_create_login_records',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.9/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/authlogin.te	2006-01-09 14:37:14.000000000 -0500
-@@ -157,6 +157,7 @@
- kernel_use_fd(pam_console_t)
- # Read /proc/meminfo
- kernel_read_system_state(pam_console_t)
-+kernel_read_proc_devices(pam_console_t)
- 
- dev_read_sysfs(pam_console_t)
- dev_getattr_apm_bios(pam_console_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.1.8/policy/modules/system/clock.te
---- nsaserefpolicy/policy/modules/system/clock.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/clock.te	2006-01-09 14:37:14.000000000 -0500
-@@ -33,6 +33,7 @@
- kernel_read_kernel_sysctl(hwclock_t)
- kernel_list_proc(hwclock_t)
- kernel_read_proc_symlinks(hwclock_t)
-+kernel_read_proc_devices(hwclock_t)
- 
- dev_read_sysfs(hwclock_t)
- dev_rw_realtime_clock(hwclock_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.1.8/policy/modules/system/fstools.te
++++ serefpolicy-2.1.9/policy/modules/system/authlogin.te	2006-01-11 17:13:44.000000000 -0500
+@@ -129,14 +129,6 @@
+ 	nscd_use_socket(pam_t)
+ ')
+ 
+-ifdef(`TODO',`
+-ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
+-# Supress xdm denial
+-ifdef(`xdm.te', `
+-dontaudit pam_t xdm_t:fd use;
+-') dnl ifdef
+-') dnl endif TODO
+-
+ ########################################
+ #
+ # PAM console local policy
+@@ -223,6 +215,10 @@
+ 	userdom_dontaudit_use_sysadm_terms(pam_console_t)
+ ')
+ 
++optional_policy(`alsa',`
++	alsa_domtrans(pam_console_t)
++')
++
+ ifdef(`targeted_policy', `
+ 	term_dontaudit_use_unallocated_tty(pam_console_t)
+ 	term_dontaudit_use_generic_pty(pam_console_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.1.9/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/fstools.te	2006-01-09 14:37:14.000000000 -0500
-@@ -56,6 +56,8 @@
- # Access to /initrd devices
- kernel_rw_unlabeled_dir(fsadm_t)
- kernel_use_unlabeled_blk_dev(fsadm_t)
-+# Access to /proc/devices
-+kernel_read_proc_devices(fsadm_t)
- 
- dev_getattr_all_chr_files(fsadm_t)
- # mkreiserfs and other programs need this for UUID
-@@ -69,6 +71,8 @@
++++ serefpolicy-2.1.9/policy/modules/system/fstools.te	2006-01-11 17:13:44.000000000 -0500
+@@ -69,6 +69,8 @@
  dev_read_sysfs(fsadm_t)
  # Access to /initrd devices
  dev_getattr_usbfs_dir(fsadm_t)
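Review bot: The new `auth_setattr_login_records` interface hands out setattr on wtmp_t, i.e. the ability to change owner, mode and timestamps of the login accounting file, and neither the interface nor its only caller, `auth_setattr_login_records(initrc_t)` in the init.te hunk further down, records why that is needed. Add a line under the interface banner such as `# Set attributes (owner/mode/timestamps) on /var/log/wtmp; needed by initrc_t at boot` (the boot-time reason is inferred from the caller, confirm against the init scripts) and a matching `# rc scripts touch/chown wtmp` comment next to the call in init.te. The sibling `auth_create_login_records` uses the same banner-only style, so a full XML summary block is optional here, but a reason line is not.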
@@ -1103,9 +1076,9 @@
  
  fs_search_auto_mountpoints(fsadm_t)
  fs_getattr_xattr_fs(fsadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.8/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.9/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/hostname.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/hostname.te	2006-01-11 17:13:44.000000000 -0500
 @@ -7,8 +7,10 @@
  #
  
@@ -1118,15 +1091,7 @@
  role system_r types hostname_t;
  
  ########################################
-@@ -24,6 +26,7 @@
- 
- kernel_list_proc(hostname_t)
- kernel_read_proc_symlinks(hostname_t)
-+kernel_read_proc_devices(hostname_t)
- 
- dev_read_sysfs(hostname_t)
- 
-@@ -55,35 +58,6 @@
+@@ -55,35 +57,6 @@
  sysnet_read_config(hostname_t)
  sysnet_dns_name_resolve(hostname_t)
  
@@ -1164,10 +1129,31 @@
 -')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.8/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.1.9/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2006-01-11 14:31:32.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/init.if	2006-01-11 17:13:44.000000000 -0500
+@@ -345,6 +345,9 @@
+ interface(`init_domtrans_script',`
+ 	gen_require(`
+ 		type initrc_t, initrc_exec_t;
++		class process sigchld;
++		class fd use;
++		class fifo_file rw_file_perms;
+ 	')
+ 
+ 	files_list_etc($1)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.9/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/init.te	2006-01-09 14:37:14.000000000 -0500
-@@ -449,7 +449,6 @@
++++ serefpolicy-2.1.9/policy/modules/system/init.te	2006-01-11 17:14:12.000000000 -0500
+@@ -298,6 +298,7 @@
+ term_reset_tty_labels(initrc_t)
+ 
+ auth_rw_login_records(initrc_t)
++auth_setattr_login_records(initrc_t)
+ auth_rw_lastlog(initrc_t)
+ auth_read_pam_pid(initrc_t)
+ auth_delete_pam_pid(initrc_t)
+@@ -449,7 +450,6 @@
  
  	# readahead asks for these
  	auth_dontaudit_read_shadow(initrc_t)
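Review bot: The three gen_require entries added to `init_domtrans_script` (`class process sigchld;`, `class fd use;`, `class fifo_file rw_file_perms;`) are not matched by any visible allow rule; the interface body continues outside the hunk, so the rules presumably live there. A require without a use is harmless but a use without the require fails at module link time, so confirm both halves of the change landed in init.if. Note also that `rw_file_perms` inside a require is an m4 macro that expands to the full permission set; it works, but spelling out only the permissions the new rules actually use keeps the require minimal.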
@@ -1175,6 +1161,16 @@
  
  	optional_policy(`bind',`
  		bind_manage_config_dir(initrc_t)
+@@ -575,8 +575,7 @@
+ ')
+ 
+ optional_policy(`lvm',`
+-	#allow initrc_t lvm_control_t:chr_file unlink;
+-
++	lvm_read_config(initrc_t)
+ 	dev_read_lvm_control(initrc_t)
+ 	dev_create_generic_chr_file(initrc_t)
+ ')
 @@ -687,6 +686,10 @@
  	zebra_read_config(initrc_t)
  ')
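Review bot: `lvm_read_config(initrc_t)` depends on an `lvm_read_config` interface in lvm.if, which this patch neither adds nor touches; it replaces the raw `allow initrc_t lvm_etc_t:file r_file_perms;` that the lvm.te hunk further down removes, so if the upstream 2.1.9 tarball does not ship that interface the init module fails to build. Confirm the interface exists upstream or add it to the patch. The substitution itself is the right direction: cross-module access through an interface instead of a raw allow on another module's type.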
@@ -1211,9 +1207,20 @@
 -	')
  ')
  ') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.8/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.1.9/policy/modules/system/iptables.te
+--- nsaserefpolicy/policy/modules/system/iptables.te	2006-01-11 14:31:32.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/iptables.te	2006-01-11 17:13:44.000000000 -0500
+@@ -87,6 +87,7 @@
+ ')
+ 
+ optional_policy(`modutils',`
++	corecmd_search_sbin(iptables_t)
+ 	modutils_domtrans_insmod(iptables_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.9/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/libraries.fc	2006-01-10 11:55:40.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/libraries.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -11,6 +11,9 @@
  /emul/ia32-linux/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
  /emul/ia32-linux/lib/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
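Review bot: `corecmd_search_sbin(iptables_t)` is placed inside the modutils optional_policy block, so search on /sbin is granted only when modutils is present, yet the apparent need is that `modutils_domtrans_insmod` must traverse /sbin to reach insmod. Every caller of that interface has the same need, so the cleaner fix is to call corecmd_search_sbin($1) from within modutils_domtrans_insmod in modutils.if (not part of this patch) and drop the line here; if it stays, a comment `# search /sbin to reach insmod for the domtrans below` explains the placement.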
@@ -1394,9 +1401,9 @@
  ')
  
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.1.8/policy/modules/system/libraries.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.1.9/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2005-12-12 15:35:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/libraries.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/libraries.te	2006-01-11 17:13:44.000000000 -0500
 @@ -94,6 +94,10 @@
  	unconfined_domain_template(ldconfig_t) 
  ')
@@ -1408,9 +1415,9 @@
  optional_policy(`apache',`
  	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
  	apache_dontaudit_search_modules(ldconfig_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.8/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.9/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/locallogin.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/locallogin.te	2006-01-11 17:13:44.000000000 -0500
 @@ -165,6 +165,7 @@
  userdom_signal_all_users(local_login_t)
  userdom_search_all_users_home(local_login_t)
@@ -1419,64 +1426,40 @@
  
  # Search for mail spool file.
  mta_getattr_spool(local_login_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.1.8/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/logging.te	2006-01-09 14:37:14.000000000 -0500
-@@ -70,6 +70,7 @@
- 
- kernel_read_kernel_sysctl(auditctl_t)
- kernel_read_proc_symlinks(auditctl_t)
-+kernel_read_proc_devices(auditctl_t)
- 
- domain_read_all_domains_state(auditctl_t)
- domain_use_wide_inherit_fd(auditctl_t)
-@@ -128,6 +129,7 @@
- kernel_read_kernel_sysctl(auditd_t)
- kernel_list_proc(auditd_t)
- kernel_read_proc_symlinks(auditd_t)
-+kernel_read_proc_devices(auditd_t)
- 
- dev_read_sysfs(auditd_t)
- 
-@@ -203,6 +205,7 @@
- # Control syslog and console logging
- kernel_clear_ring_buffer(klogd_t)
- kernel_change_ring_buffer_level(klogd_t)
-+kernel_read_proc_devices(klogd_t)
- 
- bootloader_read_kernel_symbol_table(klogd_t)
- 
-@@ -298,6 +301,7 @@
- kernel_read_messages(syslogd_t)
- kernel_clear_ring_buffer(syslogd_t)
- kernel_change_ring_buffer_level(syslogd_t)
-+kernel_read_proc_devices(syslogd_t)
- 
- dev_create_dev_node(syslogd_t,devlog_t,sock_file)
- dev_read_sysfs(syslogd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.1.8/policy/modules/system/lvm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.1.9/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/lvm.te	2006-01-09 14:37:14.000000000 -0500
-@@ -155,6 +155,8 @@
++++ serefpolicy-2.1.9/policy/modules/system/lvm.te	2006-01-11 17:15:14.000000000 -0500
+@@ -155,6 +155,7 @@
  
  allow lvm_t lvm_etc_t:file r_file_perms;
  allow lvm_t lvm_etc_t:lnk_file r_file_perms;
-+allow initrc_t lvm_etc_t:file r_file_perms;
 +
  # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
  allow lvm_t lvm_etc_t:dir rw_dir_perms;
  allow lvm_t lvm_metadata_t:file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.8/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te	2005-12-12 23:05:35.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/mount.te	2006-01-09 14:37:14.000000000 -0500
-@@ -26,12 +26,14 @@
- files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
+@@ -209,6 +210,7 @@
+ storage_manage_fixed_disk(lvm_t)
  
- kernel_read_system_state(mount_t)
-+kernel_read_proc_devices(mount_t)
+ term_dontaudit_getattr_all_user_ttys(lvm_t)
++term_dontaudit_getattr_pty_dir(lvm_t)
  
- corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
- corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
+ corecmd_search_sbin(lvm_t)
+ corecmd_dontaudit_getattr_sbin_file(lvm_t)
+@@ -260,10 +262,3 @@
+ 	udev_read_db(lvm_t)
+ ')
+ 
+-ifdef(`TODO',`
+-# it has no reason to need this
+-allow lvm_t var_t:dir { search getattr };
+-allow lvm_t ramfs_t:filesystem unmount;
+-
+-dontaudit lvm_t xconsole_device_t:fifo_file getattr;
+-') dnl end TODO
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.1.9/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te	2005-12-12 23:05:35.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/mount.te	2006-01-11 17:13:44.000000000 -0500
+@@ -32,6 +32,7 @@
  
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
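Review bot: Removing `allow initrc_t lvm_etc_t:file r_file_perms;` from the lvm.te hunk leaves the added `+` blank line behind, so the new file has two consecutive blank lines before `# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d`; drop the stray added line and adjust the hunk header count accordingly. Dropping the raw allow is otherwise right, since the same access now goes through `lvm_read_config(initrc_t)` in init.te.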
@@ -1484,7 +1467,7 @@
  
  storage_raw_read_fixed_disk(mount_t)
  storage_raw_write_fixed_disk(mount_t)
-@@ -46,7 +48,7 @@
+@@ -46,7 +47,7 @@
  fs_search_auto_mountpoints(mount_t)
  fs_use_tmpfs_chr_dev(mount_t)
  
@@ -1493,52 +1476,20 @@
  
  # required for mount.smbfs
  corecmd_exec_sbin(mount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.8/policy/modules/system/selinuxutil.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.9/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/selinuxutil.te	2006-01-09 14:37:14.000000000 -0500
-@@ -324,6 +324,7 @@
- kernel_use_fd(restorecon_t)
- kernel_rw_pipe(restorecon_t)
- kernel_read_system_state(restorecon_t)
-+kernel_read_proc_devices(restorecon_t)
- 
- # cjp: why is this needed?
- dev_rw_generic_file(restorecon_t)
-@@ -412,9 +413,11 @@
- ifdef(`targeted_policy',`',`
- 	allow run_init_t self:process setexec;
++++ serefpolicy-2.1.9/policy/modules/system/selinuxutil.te	2006-01-11 17:22:44.000000000 -0500
+@@ -414,6 +414,7 @@
  	allow run_init_t self:capability setuid;
--	allow run_init_t self:fifo_file rw_file_perms;
+ 	allow run_init_t self:fifo_file rw_file_perms;
  	allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
- 
-+	allow run_init_t self:fifo_file rw_file_perms;
 +	domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)
-+
+ 
  	# often the administrator runs such programs from a directory that is owned
  	# by a different user or has restrictive SE permissions, do not want to audit
- 	# the failed access to the current directory
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.1.8/policy/modules/system/sysnetwork.te
---- nsaserefpolicy/policy/modules/system/sysnetwork.te	2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/sysnetwork.te	2006-01-09 14:37:14.000000000 -0500
-@@ -90,6 +90,7 @@
- kernel_read_network_state(dhcpc_t)
- kernel_read_kernel_sysctl(dhcpc_t)
- kernel_use_fd(dhcpc_t)
-+kernel_read_proc_devices(dhcpc_t)
- 
- corenet_tcp_sendrecv_all_if(dhcpc_t)
- corenet_raw_sendrecv_all_if(dhcpc_t)
-@@ -281,6 +282,7 @@
- kernel_read_system_state(ifconfig_t)
- kernel_read_network_state(ifconfig_t)
- kernel_search_network_sysctl(ifconfig_t)
-+kernel_read_proc_devices(ifconfig_t)
- 
- corenet_use_tun_tap_device(ifconfig_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.8/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.1.9/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2005-12-13 15:51:50.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/unconfined.if	2006-01-09 17:22:51.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/unconfined.if	2006-01-11 17:13:44.000000000 -0500
 @@ -33,6 +33,7 @@
  	corenet_unconfined($1)
  	dev_unconfined($1)
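Review bot: The added `domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)` in the selinuxutil.te hunk names the init module's types directly and uses the legacy transition macro, while the surrounding policy reaches other modules through interfaces; if init.if in this tree exports a script-transition interface (refpolicy's `init_domtrans_script`), `init_domtrans_script(run_init_t)` would avoid binding selinuxutil to init's private types. The rule also makes every execution of an initrc_exec_t file from run_init_t land in initrc_t automatically, which is a different path from run_init setting the context explicitly via setexec first, so a one-line comment naming the denial or use case this fixes would tell later readers it is intentional. Judging from the old context lines removed above it, this block appears to sit inside the `ifdef(`targeted_policy',`',` ` branch, whose start and end are outside the hunk.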
@@ -1547,9 +1498,9 @@
  	files_unconfined($1)
  	fs_unconfined($1)
  	selinux_unconfined($1)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.8/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.9/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/unconfined.te	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/unconfined.te	2006-01-11 17:13:44.000000000 -0500
 @@ -57,6 +57,10 @@
  		bluetooth_domtrans_helper(unconfined_t)
  	')
@@ -1583,9 +1534,9 @@
  	ifdef(`TODO',`
  	ifdef(`use_mcs',`
  	rw_dir_create_file(sysadm_su_t, home_dir_type)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.1.8/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.1.9/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2005-11-15 09:13:40.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/userdomain.fc	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/userdomain.fc	2006-01-11 17:13:44.000000000 -0500
 @@ -4,6 +4,6 @@
  HOME_DIR		-d	gen_context(system_u:object_r:user_home_dir_t,s0)
  HOME_DIR/.+			gen_context(system_u:object_r:user_home_t,s0)
@@ -1594,10 +1545,18 @@
 +HOME_DIR		-d	gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
  HOME_DIR/.+			gen_context(system_u:object_r:ROLE_home_t,s0)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.1.8/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/userdomain.if	2006-01-09 14:37:14.000000000 -0500
-@@ -1881,19 +1881,16 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.1.9/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-11 14:31:32.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/userdomain.if	2006-01-11 17:13:44.000000000 -0500
+@@ -103,6 +103,7 @@
+ 	# execute files in the home directory
+ 	can_exec($1_t,$1_home_t)
+ 
++	allow $1_t home_root_t:dir { getattr search };
+ 	# full control of the home directory
+ 	allow $1_t $1_home_t:file { create_file_perms relabelfrom relabelto };
+ 	allow $1_t $1_home_t:lnk_file { create_lnk_perms relabelfrom relabelto };
+@@ -1880,19 +1881,16 @@
  ## </param>
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dir',`
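Review bot: The new `allow $1_t home_root_t:dir { getattr search };` in the userdomain.if hunk is a raw allow on a type defined outside this module (home_root_t), and it is inserted directly above the `# full control of the home directory` comment, so it reads as the first rule of that block; placing it after a blank line with its own comment, e.g. `# traverse the home root to reach the user's home directory`, keeps the existing comment attached to the rules it describes. If this tree's files.if provides a search-home interface (refpolicy's `files_search_home`), `files_search_home($1_t)` expresses the same access without referencing home_root_t directly. The template this line belongs to starts and ends outside the hunk.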
@@ -1625,7 +1584,7 @@
  ')
  
  ########################################
-@@ -1922,19 +1919,15 @@
+@@ -1921,19 +1919,15 @@
  ## </param>
  #
  interface(`userdom_dontaudit_search_sysadm_home_dir',`
@@ -1650,7 +1609,7 @@
  ')
  
  ########################################
-@@ -2074,6 +2067,22 @@
+@@ -2073,6 +2067,22 @@
  
  ########################################
  ## <summary>
@@ -1673,7 +1632,7 @@
  ##	Read all files in all users home directories.
  ## </summary>
  ## <param name="domain">
-@@ -2665,6 +2674,23 @@
+@@ -2664,6 +2674,23 @@
  
  ########################################
  ## <summary>
@@ -1697,9 +1656,9 @@
  ##	Send general signals to all user domains.
  ## </summary>
  ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.1.8/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.1.8/policy/modules/system/userdomain.te	2006-01-09 14:37:14.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.1.9/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-01-11 14:31:32.000000000 -0500
++++ serefpolicy-2.1.9/policy/modules/system/userdomain.te	2006-01-11 17:13:44.000000000 -0500
 @@ -205,6 +205,7 @@
  
  	optional_policy(`hostname',`
@@ -1708,9 +1667,9 @@
  	')
  
  	optional_policy(`ipsec',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.8/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.9/policy/users
 --- nsaserefpolicy/policy/users	2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.1.8/policy/users	2006-01-09 14:37:14.000000000 -0500
++++ serefpolicy-2.1.9/policy/users	2006-01-11 17:13:44.000000000 -0500
 @@ -26,7 +26,9 @@
  ifdef(`targeted_policy',`
  gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- selinux-policy.spec	10 Jan 2006 17:36:14 -0000	1.80
+++ selinux-policy.spec	11 Jan 2006 22:25:06 -0000	1.81
@@ -6,8 +6,8 @@
 %define CHECKPOLICYVER 1.28-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.1.8
-Release: 3
+Version: 2.1.9
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -262,6 +262,9 @@
 %endif
 
 %changelog
+* Tue Jan 10 2006 Dan Walsh <dwalsh at redhat.com> 2.1.9-1
+- Update to upstream
+
 * Tue Jan 10 2006 Dan Walsh <dwalsh at redhat.com> 2.1.8-3
 - More Fixes for hal and readahead
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- sources	9 Jan 2006 20:20:08 -0000	1.23
+++ sources	11 Jan 2006 22:25:06 -0000	1.24
@@ -1 +1 @@
-b9ddc9e25ffbd12bd8711591d0af0a7f  serefpolicy-2.1.8.tgz
+ff669d0d686714cd3a4e57047277e539  serefpolicy-2.1.9.tgz



