rpms/selinux-policy/devel modules-targeted.conf, 1.12, 1.13 policy-20060104.patch, 1.18, 1.19 selinux-policy.spec, 1.88, 1.89

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Jan 24 15:30:43 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6200

Modified Files:
	modules-targeted.conf policy-20060104.patch 
	selinux-policy.spec 
Log Message:
* Mon Jan 23 2006 Dan Walsh <dwalsh at redhat.com> 2.2.4-1
- Update to upstream



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- modules-targeted.conf	19 Jan 2006 19:08:32 -0000	1.12
+++ modules-targeted.conf	24 Jan 2006 15:30:40 -0000	1.13
@@ -188,7 +188,7 @@
 #
 # ddcprobe retrieves monitor and graphics card information
 # 
-ddcprobe = module
+ddcprobe = off
 
 # Layer: admin
 # Module: quota
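Review bot: Neither the file nor the log message ("Update to upstream") says why `ddcprobe` goes from `module` to `off`, and the same is true of the later hunks for vbetool, i18n_input, timidity, openct, smartmon and slrnpull. If a program with no loaded module simply runs in the caller's domain under the targeted policy (not shown here, so confirm), these seven programs lose their own confinement. That includes vbetool, which the file's own comment describes as running real-mode video BIOS code. A one-line reason above each switch would record whether this is a temporary build workaround or a deliberate policy decision, for example `# off in targeted: <reason / tracking reference>`.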
@@ -216,7 +216,7 @@
 #
 # run real-mode video BIOS code to alter hardware state
 # 
-vbetool = module
+vbetool = off
 
 # Layer: admin
 # Module: firstboot
@@ -329,7 +329,7 @@
 #
 # IIIMF htt server
 # 
-i18n_input = module
+i18n_input = off
 
 # Layer: services
 # Module: uucp
@@ -394,7 +394,7 @@
 #
 # MIDI to WAV converter and player configured as a service
 # 
-timidity = module
+timidity = off
 
 # Layer: services
 # Module: postgresql
@@ -408,7 +408,7 @@
 #
 # Service for handling smart card readers.
 # 
-openct = module
+openct = off
 
 # Layer: services
 # Module: snmp
@@ -605,7 +605,7 @@
 #
 # Smart disk monitoring daemon policy
 # 
-smartmon = module
+smartmon = off
 
 # Layer: services
 # Module: ftp
@@ -689,7 +689,7 @@
 #
 # Service for downloading news feeds the slrn newsreader.
 # 
-slrnpull = module
+slrnpull = off
 
 # Layer: services
 # Module: rsync

policy-20060104.patch:
 modules/kernel/filesystem.if |    1 +
 modules/services/dbus.fc     |    2 +-
 modules/services/xserver.if  |    9 +++++++++
 modules/system/locallogin.te |    4 ++++
 modules/system/logging.te    |   12 +++++-------
 modules/system/userdomain.if |    3 ++-
 users                        |    9 +++------
 7 files changed, 25 insertions(+), 15 deletions(-)

Index: policy-20060104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060104.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- policy-20060104.patch	19 Jan 2006 19:10:47 -0000	1.18
+++ policy-20060104.patch	24 Jan 2006 15:30:40 -0000	1.19
@@ -1,321 +1,143 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.2.2/Makefile
---- nsaserefpolicy/Makefile	2006-01-19 10:00:35.000000000 -0500
-+++ serefpolicy-2.2.2/Makefile	2006-01-19 10:42:14.000000000 -0500
-@@ -92,7 +92,7 @@
- 
- # enable MLS if requested.
- ifneq ($(findstring -mls,$(TYPE)),)
--	override M4PARAM += -D enable_mls
-+	override M4PARAM += -D enable_mls -D separate_secadm
- 	override CHECKPOLICY += -M
- 	override CHECKMODULE += -M
- endif
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.2/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables	2006-01-13 09:48:26.000000000 -0500
-+++ serefpolicy-2.2.2/policy/global_tunables	2006-01-19 10:55:45.000000000 -0500
-@@ -22,6 +22,10 @@
- 
- ## Allow making the stack executable via mprotect.
- ## Also requires allow_execmem.
-+gen_tunable(allow_execheap,false)
-+
-+## Allow making the stack executable via mprotect.
-+## Also requires allow_execmem.
- gen_tunable(allow_execstack,false)
- 
- ## Allow ftp servers to modify public files
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.2/policy/modules/admin/logwatch.te
---- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-01-13 17:06:02.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/admin/logwatch.te	2006-01-19 11:23:59.000000000 -0500
-@@ -38,6 +38,7 @@
- kernel_read_kernel_sysctl(logwatch_t)
- kernel_read_system_state(logwatch_t)
- 
-+corecmd_read_sbin_symlink(logwatch_t)
- corecmd_read_sbin_file(logwatch_t)
- corecmd_exec_bin(logwatch_t)
- corecmd_exec_shell(logwatch_t)
-@@ -68,6 +69,8 @@
- 
- miscfiles_read_localization(logwatch_t)
- 
-+selinux_dontaudit_getattr_dir(logwatch_t)
-+
- userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
- userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
- 
-@@ -94,6 +97,10 @@
- 	nscd_use_socket(logwatch_t)
- ')
- 
-+optional_policy(`ntp',`
-+	ntp_domtrans(logwatch_t)
-+')
-+
- optional_policy(`rpc',`
- 	rpc_search_nfs_state_data(logwatch_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.2/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te	2006-01-12 18:28:45.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/java.te	2006-01-19 13:05:16.000000000 -0500
-@@ -8,3 +8,4 @@
- 
- type java_exec_t;
- files_type(java_exec_t)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-2.2.2/policy/modules/apps/mono.fc
---- nsaserefpolicy/policy/modules/apps/mono.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/mono.fc	2006-01-19 12:46:09.000000000 -0500
-@@ -0,0 +1,2 @@
-+/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.2/policy/modules/apps/mono.if
---- nsaserefpolicy/policy/modules/apps/mono.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/mono.if	2006-01-19 12:46:09.000000000 -0500
-@@ -0,0 +1,23 @@
-+## <summary>Load keyboard mappings.</summary>
-+
-+########################################
-+## <summary>
-+##	Execute the mono program in the mono domain.
-+## </summary>
-+## <param name="domain">
-+##	The type of the process performing this action.
-+## </param>
-+#
-+interface(`mono_domtrans',`
-+	gen_require(`
-+		type mono_t, mono_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domain_auto_trans($1, mono_exec_t, mono_t)
-+
-+	allow $1 mono_t:fd use;
-+	allow mono_t $1:fd use;
-+	allow mono_t $1:fifo_file rw_file_perms;
-+	allow mono_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.2/policy/modules/apps/mono.te
---- nsaserefpolicy/policy/modules/apps/mono.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/mono.te	2006-01-19 13:29:46.000000000 -0500
-@@ -0,0 +1,25 @@
-+policy_module(mono,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mono_t;
-+domain_type(mono_t)
-+
-+type mono_exec_t;
-+domain_entry_file(mono_t,mono_exec_t)
-+
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+	allow mono_t self:process execheap;
-+	unconfined_domain_template(mono_t)
-+	role system_r types mono_t;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.2.2/policy/modules/apps/wine.fc
---- nsaserefpolicy/policy/modules/apps/wine.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/wine.fc	2006-01-19 10:58:16.000000000 -0500
-@@ -0,0 +1,2 @@
-+/usr/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.2.2/policy/modules/apps/wine.if
---- nsaserefpolicy/policy/modules/apps/wine.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/wine.if	2006-01-19 10:58:17.000000000 -0500
-@@ -0,0 +1,23 @@
-+## <summary>Load keyboard mappings.</summary>
-+
-+########################################
-+## <summary>
-+##	Execute the wine program in the wine domain.
-+## </summary>
-+## <param name="domain">
-+##	The type of the process performing this action.
-+## </param>
-+#
-+interface(`wine_domtrans',`
-+	gen_require(`
-+		type wine_t, wine_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domain_auto_trans($1, wine_exec_t, wine_t)
-+
-+	allow $1 wine_t:fd use;
-+	allow wine_t $1:fd use;
-+	allow wine_t $1:fifo_file rw_file_perms;
-+	allow wine_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.2/policy/modules/apps/wine.te
---- nsaserefpolicy/policy/modules/apps/wine.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/wine.te	2006-01-19 13:30:34.000000000 -0500
-@@ -0,0 +1,25 @@
-+policy_module(wine,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type wine_t;
-+domain_type(wine_t)
-+
-+type wine_exec_t;
-+domain_entry_file(wine_t,wine_exec_t)
-+
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+	allow wine_t self:process { execstack execmem };
-+	unconfined_domain_template(wine_t)
-+	role system_r types wine_t;
-+	allow wine_t file_type:file execmod;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.2/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-19 10:00:41.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/kernel/filesystem.if	2006-01-19 10:42:14.000000000 -0500
-@@ -1826,6 +1826,22 @@
- 
- ########################################
- ## <summary>
-+##	Dontaudit Search directories on a ramfs
-+## </summary>
-+## <param name="domain">
-+##	Domain allowed access.
-+## </param>
-+#
-+interface(`fs_dontaudit_search_ramfs',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.4/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-01-20 10:02:32.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/kernel/filesystem.if	2006-01-23 13:30:17.000000000 -0500
+@@ -2290,6 +2290,7 @@
+ 	')
+ 
+ 	fs_search_tmpfs($1)
++	allow $1 tmpfs_t:lnk_file read;
+ 	allow $1 tmpfs_t:file rw_file_perms;
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.2.4/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc	2005-11-14 18:24:08.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/services/dbus.fc	2006-01-23 13:30:17.000000000 -0500
+@@ -1,5 +1,5 @@
+ /etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
+ 
+-/usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
++/(usr/)?bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ 
+ /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.4/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if	2006-01-23 08:26:51.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/services/xserver.if	2006-01-23 13:50:16.000000000 -0500
+@@ -6,6 +6,9 @@
+ 	#
+ 	# Declarations
+ 	#
 +	gen_require(`
-+		type ramfs_t;
-+	')
-+
-+	dontaudit $1 ramfs_t:dir search;
-+')
-+
-+########################################
-+## <summary>
- ##	Write to named pipe on a ramfs filesystem.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-2.2.2/policy/modules/services/bind.if
---- nsaserefpolicy/policy/modules/services/bind.if	2006-01-13 09:48:26.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/services/bind.if	2006-01-19 13:58:34.000000000 -0500
-@@ -165,6 +165,7 @@
- 	')
- 
- 	files_search_var($1)
-+	allow $1 named_conf_t:dir search_dir_perms;
- 	allow $1 named_zone_t:dir search_dir_perms;
- 	allow $1 named_cache_t:dir search_dir_perms;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.2.2/policy/modules/services/xdm.te
---- nsaserefpolicy/policy/modules/services/xdm.te	2006-01-19 10:00:41.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/services/xdm.te	2006-01-19 13:56:19.000000000 -0500
-@@ -74,7 +74,7 @@
- files_read_etc_runtime_files(xdm_t)
- 
- ifdef(`targeted_policy',`
--	allow xdm_t self:process execmem;
-+	allow xdm_t self:process { execheap execmem };
- 	unconfined_domain_template(xdm_t)
- 	unconfined_domtrans(xdm_t)
- ',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.2/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc	2006-01-17 13:22:14.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/system/libraries.fc	2006-01-19 13:00:21.000000000 -0500
-@@ -166,7 +166,7 @@
- /usr/lib(64)?/libdivxencore.so.0		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- # Java, Sun Microsystems (JPackage SRPM)
--/usr/.*/jre/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
- /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.2/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if	2006-01-17 13:22:14.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/system/unconfined.if	2006-01-19 10:56:11.000000000 -0500
-@@ -45,6 +45,12 @@
- 		auditallow $1 self:process execmem;
- 	')
- 
-+	tunable_policy(`allow_execheap',`
-+		# Allow making the stack executable via mprotect.
-+		allow $1 self:process execheap;
-+		auditallow $1 self:process execheap;
++		type xkb_var_lib_t, xserver_log_t;
 +	')
-+
- 	tunable_policy(`allow_execmem && allow_execstack',`
- 		# Allow making the stack executable via mprotect.
- 		allow $1 self:process execstack;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.2/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te	2006-01-17 17:08:57.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/system/unconfined.te	2006-01-19 13:44:58.000000000 -0500
-@@ -97,6 +97,10 @@
- 		modutils_domtrans_update_mods(unconfined_t)
- 	')
  
-+	optional_policy(`mono',`
-+		mono_domtrans(unconfined_t)
-+	')
-+
- 	optional_policy(`netutils',`
- 		netutils_domtrans_ping(unconfined_t)
- 	')
-@@ -141,11 +145,8 @@
- 		webalizer_domtrans(unconfined_t)
- 	')
+ 	type $1_xserver_t;
+ 	domain_type($1_xserver_t)
+@@ -202,6 +205,12 @@
+ 	# Declarations
+ 	#
  
--	ifdef(`TODO',`
--	ifdef(`use_mcs',`
--	rw_dir_create_file(sysadm_su_t, home_dir_type)
--	')
--	allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
--	allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
--	') dnl end TODO
-+	optional_policy(`wine',`
-+		wine_domtrans(unconfined_t)
-+	')
-+
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.2/policy/users
---- nsaserefpolicy/policy/users	2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.2.2/policy/users	2006-01-19 10:42:14.000000000 -0500
-@@ -26,7 +26,9 @@
- ifdef(`targeted_policy',`
++	gen_require(`
++		type xauth_exec_t;
++		type xserver_exec_t;
++		type iceauth_exec_t;
++	')
++
+ 	xserver_common_domain_template($1)
+ 	role $3 types $1_xserver_t;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.4/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te	2006-01-19 10:00:41.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/system/locallogin.te	2006-01-23 13:30:17.000000000 -0500
+@@ -266,6 +266,10 @@
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+ 
++optional_policy(`nscd',`
++	nscd_use_socket(sulogin_t)
++')
++
+ ifdef(`sulogin_no_pam', `
+ 	allow sulogin_t self:capability sys_tty_config;
+ 	init_get_process_group(sulogin_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.4/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te	2006-01-19 10:00:41.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/system/logging.te	2006-01-23 13:30:17.000000000 -0500
+@@ -98,10 +98,12 @@
+ audit_manager_domain(secadm_t)
+ 
+ ifdef(`targeted_policy', `', `
+-ifdef(`separate_secadm', `', `
++ifdef(`enable_mls', `
++audit_manager_domain(secadm_t)
++', `
+ audit_manager_domain(sysadm_t)
+-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+ ') 
++allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+ ')
+ ') dnl end TODO
+ 
+@@ -272,9 +274,6 @@
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file create_file_perms;
+ files_filetrans_pid(syslogd_t,devlog_t,sock_file)
+-# cjp: I belive these are not needed:
+-allow syslogd_t devlog_t:unix_stream_socket name_bind;
+-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
+ 
+ # create/append log files.
+ allow syslogd_t var_log_t:dir rw_dir_perms;
+@@ -325,8 +324,7 @@
+ corenet_non_ipsec_sendrecv(syslogd_t)
+ corenet_udp_bind_all_nodes(syslogd_t)
+ corenet_tcp_bind_syslogd_port(syslogd_t)
+-#cjp: why?
+-corenet_tcp_connect_rsh_port(syslogd_t)
++corenet_udp_bind_syslogd_port(syslogd_t)
+ 
+ fs_getattr_all_fs(syslogd_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.4/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2006-01-23 08:26:51.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/system/userdomain.if	2006-01-23 13:30:17.000000000 -0500
+@@ -219,7 +219,7 @@
+ 	corecmd_exec_sbin($1_t)
+ 	corecmd_exec_ls($1_t)
+ 
+-	domain_exec_all_entry_files($1_t)
++#	domain_exec_all_entry_files($1_t)
+ 	domain_use_wide_inherit_fd($1_t)
+ 	# When the user domain runs ps, there will be a number of access
+ 	# denials when ps tries to search /proc.  Do not audit these denials.
+@@ -533,6 +533,7 @@
+ 
+ 	typeattribute $1_t unpriv_userdomain;
+ 	domain_wide_inherit_fd($1_t)
++	domain_exec_all_entry_files($1_t)
+ 
+ 	typeattribute $1_devpts_t user_ptynode;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.4/policy/users
+--- nsaserefpolicy/policy/users	2006-01-20 10:02:31.000000000 -0500
++++ serefpolicy-2.2.4/policy/users	2006-01-23 13:34:09.000000000 -0500
+@@ -27,7 +27,7 @@
  gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`
--gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
-+gen_user(user_u, user_r, s0, s0 - s0, c0)
-+gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
-+gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(user_u, user_r, s0, s0)
+-gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
++gen_user(staff_u, staff_r ifdef(`enable_mls', `secadm_r')  sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
  ')
  
- #
-@@ -40,8 +42,8 @@
+@@ -41,9 +41,6 @@
+ ifdef(`targeted_policy',`
  	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
  ',`
- 	ifdef(`direct_sysadm_daemon',`
--		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
-+		gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
- 	',`
--		gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
-+		gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
- 	')
+-	ifdef(`direct_sysadm_daemon',`
+-		gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+-	',`
+-		gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
+-	')
++	
++	gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - s15:c0.c255, c0.c255)
  ')
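Review bot: In the logging.te section of the new patch, audit_manager_domain(secadm_t) is added under the ifdef on enable_mls, but the unchanged line just above the targeted_policy ifdef already calls it unconditionally. The MLS branch therefore adds nothing, and secadm_t appears to remain an audit manager in the non-MLS branch too. If the intent is secadm_t on MLS and sysadm_t otherwise, the unconditional call is the line to revisit. The closing "dnl end TODO" suggests the block sits inside a guard that opens outside the visible context, so it is worth confirming the rules are compiled at all. The same section moves `allow auditctl_t admin_tty_type:chr_file rw_file_perms;` out of the inner ifdef so it now applies to both branches; a comment such as `# auditctl needs the admin tty with or without MLS` would show the widening is deliberate.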


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- selinux-policy.spec	19 Jan 2006 19:08:33 -0000	1.88
+++ selinux-policy.spec	24 Jan 2006 15:30:40 -0000	1.89
@@ -1,12 +1,11 @@
 %define distro redhat
-%define direct_initrc y
 %define monolithic n
 %define POLICYVER 20
 %define POLICYCOREUTILSVER 1.29.5-1
 %define CHECKPOLICYVER 1.28-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.2
+Version: 2.2.4
 Release: 1
 License: GPL
 Group: System Environment/Base
@@ -20,6 +19,10 @@
 Source6: booleans-mls.conf
 Source7: seusers-mls
 Source8: setrans-mls.conf
+Source9: modules-strict.conf
+Source10: booleans-strict.conf
+Source11: seusers-strict
+Source12: setrans-strict.conf
 
 Url: http://serefpolicy.sourceforge.net
 BuildRoot: %{_tmppath}/serefpolicy-buildroot
@@ -61,10 +64,6 @@
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} enableaudit \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
 install -m0644 base.pp ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/enableaudit.pp \
-for file in $(ls ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1 | grep -v -e base.pp -e enableaudit.pp ) \
-do \
-	rm ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/$file; \
-done; \
 rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/booleans \
 touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/config \
 touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/seusers \
@@ -80,8 +79,7 @@
 %defattr(-,root,root) \
 %dir %{_usr}/share/selinux \
 %dir %{_usr}/share/selinux/%1 \
-%{_usr}/share/selinux/%1/base.pp \
-%{_usr}/share/selinux/%1/enableaudit.pp \
+%{_usr}/share/selinux/%1/*.pp \
 %dir %{_sysconfdir}/selinux \
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config \
 %dir %{_sysconfdir}/selinux/%1 \
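Review bot: `%{_usr}/share/selinux/%1/*.pp` packages whatever policy modules the build leaves in that directory, so the spec no longer states which modules ship. The previous hunk removes the loop that deleted everything except base.pp and enableaudit.pp, which means any .pp file present in the buildroot now ends up in the RPM. If shipping every built module is the intent, say so next to the %fileList definition, e.g. `# ship every module built for this policy type (presumably selected by the modules-*.conf files)`. A build-time listing of the installed .pp files would also make changes to the shipped set visible in review. The %fileList macro body starts and ends outside this hunk.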
@@ -146,19 +144,25 @@
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8/
 install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 
-%installCmds targeted targeted-mcs %{direct_initrc}
 
-# Build mls policy
+
+# Build targeted policy
+# Commented out because only targeted ref policy currently builds
 make clean
 make conf
-%installCmds mls strict-mls n
-
+%installCmds targeted targeted-mcs y
 
 # Build strict policy
 # Commented out because only targeted ref policy currently builds
-# make clean
-# make conf
-#%#installCmds strict strict-mcs %{direct_initrc}
+make clean
+make conf
+%installCmds strict strict-mcs y
+
+# Build mls policy
+make clean
+make conf
+%installCmds mls strict-mls n
+
 
 %clean
 %{__rm} -fR $RPM_BUILD_ROOT
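Review bot: The comment `# Commented out because only targeted ref policy currently builds` is now wrong in both places it appears. It is newly added under "# Build targeted policy" and kept under "# Build strict policy", yet the `make clean` / `make conf` / `%installCmds` lines below both headings are live. Remove it from both sections, or replace it with what the section does, e.g. `# Build strict policy (DIRECT_INITRC=y)`. The third argument to `%installCmds` is now a literal `y`/`n`, since the first hunk of this file drops `%define direct_initrc`. A short comment on what that argument controls would help, because it decides how init scripts are treated in each policy type.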
@@ -233,7 +237,6 @@
 %files mls
 %fileList mls
 
-%if 0
 %package strict 
 Summary: SELinux strict base policy
 Group: System Environment/Base
@@ -259,9 +262,14 @@
 %files strict
 %fileList strict
 
-%endif
-
 %changelog
+* Mon Jan 23 2006 Dan Walsh <dwalsh at redhat.com> 2.2.4-1
+- Update to upstream
+
+* Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.3-1
+- Update to upstream
+- Fixes for booting and logging in on MLS machine
+
 * Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.2-1
 - Update to upstream
 - Turn off execheap execstack for unconfined users



