rpms/selinux-policy/devel policy-20061016.patch, 1.11, 1.12 selinux-policy.spec, 1.326, 1.327

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Oct 30 16:45:12 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14313

Modified Files:
	policy-20061016.patch selinux-policy.spec 
Log Message:
* Fri Oct 27 2006 Dan Walsh <dwalsh at redhat.com> 2.4.2-2
- Fixes for ricci


policy-20061016.patch:
 Rules.modular                             |   10 
 policy/flask/access_vectors               |    2 
 policy/global_tunables                    |   22 +
 policy/modules/admin/acct.te              |    1 
 policy/modules/admin/amanda.te            |    3 
 policy/modules/admin/anaconda.te          |    4 
 policy/modules/admin/bootloader.fc        |    2 
 policy/modules/admin/consoletype.te       |    8 
 policy/modules/admin/dmesg.te             |    1 
 policy/modules/admin/netutils.te          |    6 
 policy/modules/admin/prelink.te           |    8 
 policy/modules/admin/rpm.fc               |    2 
 policy/modules/admin/rpm.if               |   21 +
 policy/modules/admin/rpm.te               |    5 
 policy/modules/admin/su.if                |    3 
 policy/modules/admin/usermanage.te        |    5 
 policy/modules/apps/java.fc               |    3 
 policy/modules/apps/java.te               |    2 
 policy/modules/apps/mono.te               |    3 
 policy/modules/kernel/corecommands.fc     |    1 
 policy/modules/kernel/corecommands.if     |   17 +
 policy/modules/kernel/corenetwork.te.in   |    6 
 policy/modules/kernel/devices.fc          |    3 
 policy/modules/kernel/domain.te           |    7 
 policy/modules/kernel/files.fc            |    1 
 policy/modules/kernel/filesystem.if       |   22 +
 policy/modules/kernel/filesystem.te       |    6 
 policy/modules/kernel/kernel.if           |    2 
 policy/modules/kernel/kernel.te           |    1 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    1 
 policy/modules/kernel/terminal.if         |   20 +
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/services/apache.fc         |    9 
 policy/modules/services/apache.if         |    2 
 policy/modules/services/apache.te         |    3 
 policy/modules/services/automount.te      |    4 
 policy/modules/services/bluetooth.te      |    2 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.if            |   65 ++++
 policy/modules/services/ccs.te            |   87 +++++
 policy/modules/services/cron.if           |   26 -
 policy/modules/services/cron.te           |    8 
 policy/modules/services/cups.fc           |    6 
 policy/modules/services/cups.if           |   21 +
 policy/modules/services/cups.te           |   18 +
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/dbus.if           |    1 
 policy/modules/services/dovecot.te        |    2 
 policy/modules/services/hal.te            |    2 
 policy/modules/services/lpd.fc            |    5 
 policy/modules/services/lpd.if            |   72 +++-
 policy/modules/services/mta.te            |    1 
 policy/modules/services/networkmanager.te |    4 
 policy/modules/services/nscd.if           |   20 +
 policy/modules/services/nscd.te           |    3 
 policy/modules/services/oddjob.te         |   16 +
 policy/modules/services/pegasus.if        |   31 ++
 policy/modules/services/pegasus.te        |    5 
 policy/modules/services/procmail.te       |   23 +
 policy/modules/services/rhgb.te           |   24 +
 policy/modules/services/ricci.fc          |   20 +
 policy/modules/services/ricci.if          |  184 ++++++++++++
 policy/modules/services/ricci.te          |  438 ++++++++++++++++++++++++++++++
 policy/modules/services/rpc.te            |    6 
 policy/modules/services/rsync.te          |    1 
 policy/modules/services/samba.te          |    4 
 policy/modules/services/sasl.te           |    2 
 policy/modules/services/setroubleshoot.te |    2 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/spamassassin.te   |    5 
 policy/modules/services/squid.te          |    7 
 policy/modules/services/ssh.te            |    4 
 policy/modules/services/xserver.if        |   40 ++
 policy/modules/services/xserver.te        |    2 
 policy/modules/system/authlogin.fc        |    1 
 policy/modules/system/authlogin.if        |    2 
 policy/modules/system/clock.te            |    3 
 policy/modules/system/fstools.fc          |    1 
 policy/modules/system/fstools.te          |    3 
 policy/modules/system/getty.te            |    3 
 policy/modules/system/hostname.te         |    6 
 policy/modules/system/init.fc             |    3 
 policy/modules/system/init.te             |   10 
 policy/modules/system/iscsi.fc            |    9 
 policy/modules/system/iscsi.if            |   24 +
 policy/modules/system/iscsi.te            |   94 ++++++
 policy/modules/system/libraries.fc        |    8 
 policy/modules/system/locallogin.if       |   37 ++
 policy/modules/system/locallogin.te       |    2 
 policy/modules/system/logging.te          |    4 
 policy/modules/system/mount.fc            |    1 
 policy/modules/system/mount.te            |    3 
 policy/modules/system/raid.te             |    5 
 policy/modules/system/selinuxutil.if      |    6 
 policy/modules/system/selinuxutil.te      |    8 
 policy/modules/system/setrans.te          |    5 
 policy/modules/system/unconfined.if       |   19 +
 policy/modules/system/unconfined.te       |   20 -
 policy/modules/system/userdomain.if       |  187 ++++++++++++
 policy/modules/system/userdomain.te       |   14 
 policy/modules/system/xen.fc              |    2 
 policy/modules/system/xen.te              |   46 ++-
 103 files changed, 1785 insertions(+), 129 deletions(-)

Index: policy-20061016.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061016.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20061016.patch	27 Oct 2006 14:42:56 -0000	1.11
+++ policy-20061016.patch	30 Oct 2006 16:45:09 -0000	1.12
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.1/policy/flask/access_vectors
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.2/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2006-10-23 16:14:53.000000000 -0400
-+++ serefpolicy-2.4.1/policy/flask/access_vectors	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/flask/access_vectors	2006-10-27 15:42:12.000000000 -0400
 @@ -619,6 +619,8 @@
  	send
  	recv
@@ -10,9 +10,9 @@
  }
  
  class key
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.1/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.2/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2006-09-25 15:11:11.000000000 -0400
-+++ serefpolicy-2.4.1/policy/global_tunables	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/global_tunables	2006-10-27 15:42:12.000000000 -0400
 @@ -594,3 +594,25 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs,true)
@@ -39,9 +39,9 @@
 +## </p>
 +## </desc>
 +gen_tunable(use_lpd_server,false)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.1/policy/modules/admin/acct.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.2/policy/modules/admin/acct.te
 --- nsaserefpolicy/policy/modules/admin/acct.te	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/acct.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/acct.te	2006-10-27 15:42:12.000000000 -0400
 @@ -9,6 +9,7 @@
  type acct_t;
  type acct_exec_t;
@@ -50,9 +50,9 @@
  
  type acct_data_t;
  logging_log_file(acct_data_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.1/policy/modules/admin/amanda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.2/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/amanda.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/amanda.te	2006-10-27 15:42:12.000000000 -0400
 @@ -97,7 +97,7 @@
  allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
  
@@ -70,9 +70,9 @@
  
  dev_getattr_all_blk_files(amanda_t)
  dev_getattr_all_chr_files(amanda_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.4.1/policy/modules/admin/anaconda.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-2.4.2/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/anaconda.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/anaconda.te	2006-10-27 15:42:12.000000000 -0400
 @@ -36,10 +36,6 @@
  
  userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file })
@@ -84,9 +84,9 @@
  optional_policy(`
  	dmesg_domtrans(anaconda_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.4.1/policy/modules/admin/bootloader.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.fc serefpolicy-2.4.2/policy/modules/admin/bootloader.fc
 --- nsaserefpolicy/policy/modules/admin/bootloader.fc	2006-09-25 15:11:11.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/bootloader.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/bootloader.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -7,8 +7,6 @@
  /usr/sbin/mkinitrd	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  
@@ -96,9 +96,9 @@
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/mkinitrd		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.1/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.2/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/consoletype.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/consoletype.te	2006-10-27 15:42:12.000000000 -0400
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -121,9 +121,9 @@
  
  ########################################
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.1/policy/modules/admin/dmesg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.2/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/dmesg.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/dmesg.te	2006-10-27 15:42:12.000000000 -0400
 @@ -10,6 +10,7 @@
  	type dmesg_t;
  	type dmesg_exec_t;
@@ -132,9 +132,9 @@
  	role system_r types dmesg_t;
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.1/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.2/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/netutils.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/netutils.te	2006-10-27 15:42:12.000000000 -0400
 @@ -18,10 +18,12 @@
  type ping_exec_t;
  init_system_domain(ping_t,ping_exec_t)
@@ -159,9 +159,9 @@
  ########################################
  #
  # Ping local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.1/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.2/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/prelink.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/prelink.te	2006-10-27 15:42:12.000000000 -0400
 @@ -24,7 +24,7 @@
  #
  
@@ -184,9 +184,9 @@
  optional_policy(`
  	cron_system_entry(prelink_t, prelink_exec_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.1/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.2/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/rpm.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/rpm.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -21,6 +21,8 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -196,9 +196,9 @@
  ')
  
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.1/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.4.2/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2006-09-15 13:14:27.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/rpm.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/rpm.if	2006-10-27 15:42:12.000000000 -0400
 @@ -257,3 +257,24 @@
  	dontaudit $1 rpm_var_lib_t:file create_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
@@ -224,9 +224,9 @@
 +	allow $1 rpm_t:dbus send_msg;
 +	allow rpm_t $1:dbus send_msg;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.1/policy/modules/admin/rpm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.2/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/rpm.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/rpm.te	2006-10-27 15:42:12.000000000 -0400
 @@ -9,6 +9,8 @@
  type rpm_t;
  type rpm_exec_t;
@@ -246,9 +246,9 @@
  dev_list_sysfs(rpm_script_t)
  
  # ideally we would not need this
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.4.1/policy/modules/admin/su.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.4.2/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/su.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/su.if	2006-10-27 15:42:12.000000000 -0400
 @@ -79,6 +79,7 @@
  	auth_domtrans_chk_passwd($1_su_t)
  	auth_dontaudit_read_shadow($1_su_t)
@@ -266,9 +266,9 @@
  		fs_mount_xattr_fs($1_su_t)
  		fs_unmount_xattr_fs($1_su_t)
  	')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.1/policy/modules/admin/usermanage.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.2/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/admin/usermanage.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/admin/usermanage.te	2006-10-27 15:42:12.000000000 -0400
 @@ -379,6 +379,7 @@
  allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
  files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
@@ -302,9 +302,9 @@
  userdom_manage_staff_home_dirs(useradd_t)
  userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.1/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.2/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2006-08-29 09:00:26.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/apps/java.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/apps/java.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -1,7 +1,8 @@
  #
  # /opt
@@ -315,9 +315,9 @@
  
  #
  # /usr
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.4.1/policy/modules/apps/java.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.4.2/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2006-10-19 11:47:36.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/apps/java.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/apps/java.te	2006-10-27 15:42:12.000000000 -0400
 @@ -17,6 +17,8 @@
  
  ifdef(`targeted_policy',`
@@ -327,9 +327,9 @@
  	unconfined_domain_noaudit(java_t)
  	role system_r types java_t;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.4.1/policy/modules/apps/mono.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.4.2/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2006-10-19 11:47:36.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/apps/mono.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/apps/mono.te	2006-10-27 15:42:12.000000000 -0400
 @@ -44,4 +44,7 @@
  	optional_policy(`
  		unconfined_dbus_connect(mono_t)
@@ -338,9 +338,9 @@
 +		rpm_dbus_chat(mono_t)
 +	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.1/policy/modules/kernel/corecommands.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.2/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-09-22 14:07:03.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/corecommands.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/corecommands.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -65,6 +65,7 @@
  
  /etc/xen/qemu-ifup		--	gen_context(system_u:object_r:bin_t,s0)
@@ -349,9 +349,9 @@
  
  ifdef(`distro_debian',`
  /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.1/policy/modules/kernel/corecommands.if
---- nsaserefpolicy/policy/modules/kernel/corecommands.if	2006-09-15 13:14:21.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/corecommands.if	2006-10-23 17:01:48.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.2/policy/modules/kernel/corecommands.if
+--- nsaserefpolicy/policy/modules/kernel/corecommands.if	2006-10-27 10:27:56.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/corecommands.if	2006-10-30 11:44:20.000000000 -0500
 @@ -928,7 +928,19 @@
  		type bin_t, sbin_t;
  	')
@@ -395,14 +395,14 @@
  	allow $1 exec_type:file { getattr read execute };
 +	userdom_mmap_all_executables($1)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.1/policy/modules/kernel/corenetwork.te.in
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.2/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/corenetwork.te.in	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/corenetwork.te.in	2006-10-27 16:23:23.000000000 -0400
 @@ -67,6 +67,7 @@
  network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(comsat, udp,512,s0)
-+network_port(cluster, tcp,40040,s0)
++network_port(cluster, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dbskkd, tcp,1178,s0)
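Review bot: The last entry on the new `network_port(cluster, …)` line, `udp,50008`, has no sensitivity field, while every other entry on that line and on the neighbouring `network_port` lines is a `proto,port,s0` triple. The macro appears to consume its arguments three at a time, so the UDP 50008 port context would probably get an empty level and either break an MCS/MLS build or leave the port mislabeled. The line should end `tcp,50008,s0, udp,50008,s0)`. A short comment above it saying which cluster daemons own 40040 and 50006-50008 would also help a later audit judge whether each `name_bind` target is still needed.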
@@ -429,9 +429,9 @@
  allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
 +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.1/policy/modules/kernel/devices.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.4.2/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-10-16 12:20:16.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/devices.fc	2006-10-26 09:25:39.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/devices.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -42,12 +42,12 @@
  /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
@@ -454,9 +454,9 @@
  
  ifdef(`distro_debian',`
  # used by udev init script as temporary mount point
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.1/policy/modules/kernel/domain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.4.2/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/domain.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/domain.te	2006-10-27 15:42:12.000000000 -0400
 @@ -144,3 +144,10 @@
  
  # act on all domains keys
@@ -468,9 +468,9 @@
 +	xserver_dontaudit_use_xdm_fds(domain)
 +	xserver_dontaudit_rw_xdm_pipes(domain)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.4.1/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.4.2/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2006-10-16 12:20:16.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/files.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/files.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -123,6 +123,7 @@
  /media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
  /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
@@ -479,9 +479,9 @@
  
  #
  # /misc
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.4.1/policy/modules/kernel/filesystem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.4.2/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2006-09-25 15:11:10.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/filesystem.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/filesystem.if	2006-10-27 15:42:12.000000000 -0400
 @@ -3381,3 +3381,25 @@
  	allow $1 noxattrfs:blk_file { getattr relabelfrom };
  	allow $1 noxattrfs:chr_file { getattr relabelfrom };
@@ -508,9 +508,9 @@
 +	allow $1 autofs_t:lnk_file create_lnk_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.1/policy/modules/kernel/filesystem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.2/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/filesystem.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/filesystem.te	2006-10-27 15:42:12.000000000 -0400
 @@ -21,9 +21,11 @@
  
  # Use xattrs for the following filesystem types.
@@ -538,9 +538,9 @@
 +
 +# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
 +fs_associate_tmpfs(noxattrfs)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.4.1/policy/modules/kernel/kernel.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.4.2/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-10-17 13:47:44.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/kernel.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/kernel.if	2006-10-27 15:42:12.000000000 -0400
 @@ -2167,7 +2167,7 @@
  	allow $1 unlabeled_t:association { sendto recvfrom };
  
@@ -550,9 +550,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.4.1/policy/modules/kernel/kernel.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.4.2/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/kernel.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/kernel.te	2006-10-27 15:42:12.000000000 -0400
 @@ -326,6 +326,7 @@
  
  ifdef(`targeted_policy',`
@@ -561,9 +561,9 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.4.1/policy/modules/kernel/storage.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.4.2/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2006-10-16 12:20:16.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/storage.fc	2006-10-26 09:28:15.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/storage.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -50,6 +50,7 @@
  
  /dev/cciss/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -572,9 +572,9 @@
  /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
  
  /dev/i2o/hd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.4.1/policy/modules/kernel/storage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.4.2/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2006-07-14 17:04:29.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/storage.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/storage.if	2006-10-27 15:42:12.000000000 -0400
 @@ -37,6 +37,7 @@
  	')
  
@@ -583,9 +583,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.4.1/policy/modules/kernel/terminal.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.4.2/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2006-10-17 07:53:28.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/terminal.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/terminal.if	2006-10-27 15:42:12.000000000 -0400
 @@ -480,6 +480,26 @@
  
  ########################################
@@ -613,9 +613,9 @@
  ##	Read and write the generic pty
  ##	type.  This is generally only used in
  ##	the targeted policy.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.1/policy/modules/kernel/terminal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-2.4.2/policy/modules/kernel/terminal.te
 --- nsaserefpolicy/policy/modules/kernel/terminal.te	2006-10-19 11:47:35.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/kernel/terminal.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/kernel/terminal.te	2006-10-27 15:42:12.000000000 -0400
 @@ -28,6 +28,7 @@
  type devpts_t;
  files_mountpoint(devpts_t)
@@ -624,9 +624,9 @@
  fs_type(devpts_t)
  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.1/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.2/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/apache.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/apache.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -80,3 +80,12 @@
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -640,9 +640,9 @@
 +/opt/fortitude/modules.local(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 +/opt/fortitude/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/opt/fortitude/run(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.4.1/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.4.2/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/apache.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/apache.if	2006-10-27 15:42:12.000000000 -0400
 @@ -168,7 +168,7 @@
  		allow httpd_t httpd_$1_script_exec_t:dir r_dir_perms;
  		allow httpd_t httpd_$1_script_exec_t:file r_file_perms;
@@ -652,9 +652,9 @@
  		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
  
  		allow httpd_$1_script_t httpd_t:fd use;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.1/policy/modules/services/apache.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.2/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/apache.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/apache.te	2006-10-30 11:44:28.000000000 -0500
 @@ -204,6 +204,8 @@
  allow httpd_t squirrelmail_spool_t:file create_file_perms;
  allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
@@ -668,13 +668,13 @@
  # execute perl
  corecmd_exec_bin(httpd_t)
  corecmd_exec_sbin(httpd_t)
-+corecmd_check_exec_shell(httpd_t)
++corecmd_exec_shell(httpd_t)
  
  domain_use_interactive_fds(httpd_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.1/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.4.2/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/automount.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/automount.te	2006-10-27 15:42:12.000000000 -0400
 @@ -36,6 +36,8 @@
  allow automount_t self:unix_dgram_socket create_socket_perms;
  allow automount_t self:tcp_socket create_stream_socket_perms;
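Review bot: `corecmd_exec_shell(httpd_t)` in the apache.te section lets httpd_t run a shell in its own domain, where the previous revision of the patch had `corecmd_check_exec_shell(httpd_t)`, which appears to be the narrower grant. The line sits unindented beside `corecmd_exec_bin(httpd_t)` and `corecmd_exec_sbin(httpd_t)` under the `# execute perl` comment, so as far as this hunk shows it is not inside any `tunable_policy` block and applies to every Apache installation. A comment above it should record what needs the shell, for example `# <denial or module that requires httpd_t to run a shell>`. If only script-enabled setups need it, the rule would be better placed under the boolean that covers them. The enclosing apache.te hunk of the inner patch starts and ends outside this hunk.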
@@ -700,9 +700,9 @@
  
  term_dontaudit_use_console(automount_t)
  term_dontaudit_getattr_pty_dirs(automount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.4.1/policy/modules/services/bluetooth.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.4.2/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/bluetooth.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/bluetooth.te	2006-10-27 15:42:12.000000000 -0400
 @@ -77,7 +77,7 @@
  
  allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
@@ -712,9 +712,9 @@
  
  allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
  allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.4.1/policy/modules/services/ccs.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.fc serefpolicy-2.4.2/policy/modules/services/ccs.fc
 --- nsaserefpolicy/policy/modules/services/ccs.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/services/ccs.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/ccs.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -0,0 +1,8 @@
 +# ccs executable will have:
 +# label: system_u:object_r:ccs_exec_t
@@ -724,9 +724,9 @@
 +/sbin/ccsd		--	gen_context(system_u:object_r:ccs_exec_t,s0)
 +/var/run/cluster(/.*)?		gen_context(system_u:object_r:ccs_var_run_t,s0)
 +/etc/cluster(/.*)?		gen_context(system_u:object_r:cluster_conf_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.4.1/policy/modules/services/ccs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.if serefpolicy-2.4.2/policy/modules/services/ccs.if
 --- nsaserefpolicy/policy/modules/services/ccs.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/services/ccs.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/ccs.if	2006-10-27 16:16:14.000000000 -0400
 @@ -0,0 +1,65 @@
 +## <summary>policy for ccs</summary>
 +
@@ -793,10 +793,10 @@
 +	allow $1 cluster_conf_t:file { getattr read };
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.4.1/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.4.2/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/services/ccs.te	2006-10-23 17:01:48.000000000 -0400
-@@ -0,0 +1,88 @@
++++ serefpolicy-2.4.2/policy/modules/services/ccs.te	2006-10-27 16:15:32.000000000 -0400
+@@ -0,0 +1,87 @@
 +policy_module(ccs,1.0.0)
 +
 +########################################
@@ -844,8 +844,7 @@
 +corenet_non_ipsec_sendrecv(ccs_t)
 +corenet_tcp_bind_all_nodes(ccs_t)
 +corenet_udp_bind_all_nodes(ccs_t)
-+# Wants to connect to 40040
-+corenet_tcp_connect_all_ports(ccs_t)
++corenet_tcp_bind_cluster_port(ccs_t)
 +
 +# Some common macros (you might be able to remove some)
 +files_read_etc_files(ccs_t)
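Review bot: The ccs.te replacement swaps a connect permission for a bind permission. The dropped lines were `# Wants to connect to 40040` and `corenet_tcp_connect_all_ports(ccs_t)`, and the new line is `corenet_tcp_bind_cluster_port(ccs_t)`. Removing connect-to-all-ports is the right direction, but if ccsd does make outbound connections to that port, the narrow equivalent would be `corenet_tcp_connect_cluster_port(ccs_t)` next to the bind, assuming the cluster port definition generates that interface. A comment such as `# ccsd listens on the cluster port` would record which direction is intended now that the old comment is gone. The rest of ccs.te is outside this hunk, so a connect rule may already exist elsewhere.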
@@ -885,9 +884,9 @@
 +
 +allow ccs_t cluster_conf_t:dir r_dir_perms;
 +allow ccs_t cluster_conf_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.1/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.2/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/cron.if	2006-10-25 09:17:14.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/cron.if	2006-10-27 15:42:12.000000000 -0400
 @@ -54,9 +54,6 @@
  	domain_entry_file($1_crontab_t,crontab_exec_t)
  	role $3 types $1_crontab_t;
@@ -961,9 +960,9 @@
  
  	tunable_policy(`fcron_crond',`
  		# fcron wants an instant update of a crontab change for the administrator
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.1/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.2/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/cron.te	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/cron.te	2006-10-27 15:42:12.000000000 -0400
 @@ -72,6 +72,7 @@
  # Cron Local policy
  #
@@ -993,9 +992,9 @@
  ifdef(`targeted_policy',`
  	allow crond_t system_crond_tmp_t:dir create_dir_perms;
  	allow crond_t system_crond_tmp_t:file create_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.1/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.4.2/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/cups.fc	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/cups.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -23,7 +23,7 @@
  
  /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -1020,9 +1019,9 @@
  
 -/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
 +/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.4.1/policy/modules/services/cups.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.4.2/policy/modules/services/cups.if
 --- nsaserefpolicy/policy/modules/services/cups.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/cups.if	2006-10-23 17:01:48.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/cups.if	2006-10-27 15:42:12.000000000 -0400
 @@ -244,3 +244,24 @@
  	allow $1 ptal_var_run_t:sock_file write;
  	allow $1 ptal_t:unix_stream_socket connectto;
@@ -1048,9 +1047,9 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.1/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.2/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/cups.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/cups.te	2006-10-27 15:42:12.000000000 -0400
 @@ -124,6 +124,9 @@
  allow cupsd_t ptal_var_run_t:sock_file { write setattr };
  allow cupsd_t ptal_t:unix_stream_socket connectto;
@@ -1097,9 +1096,9 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.1/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.4.2/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/cvs.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/cvs.te	2006-10-27 15:42:12.000000000 -0400
 @@ -9,6 +9,7 @@
  type cvs_t;
  type cvs_exec_t;
@@ -1108,9 +1107,9 @@
  role system_r types cvs_t;
  
  type cvs_data_t; # customizable
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.1/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.4.2/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2006-09-15 13:14:24.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/dbus.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/dbus.if	2006-10-27 15:42:12.000000000 -0400
 @@ -123,6 +123,7 @@
  	selinux_compute_relabel_context($1_dbusd_t)
  	selinux_compute_user_contexts($1_dbusd_t)
@@ -1119,9 +1118,9 @@
  	corecmd_list_bin($1_dbusd_t)
  	corecmd_read_bin_symlinks($1_dbusd_t)
  	corecmd_read_bin_files($1_dbusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.4.1/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.4.2/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/dovecot.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/dovecot.te	2006-10-27 15:42:12.000000000 -0400
 @@ -171,6 +171,8 @@
  
  allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
@@ -1131,9 +1130,9 @@
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.1/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.4.2/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/hal.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/hal.te	2006-10-27 15:42:12.000000000 -0400
 @@ -74,6 +74,7 @@
  dev_rw_generic_usb_dev(hald_t)
  dev_setattr_generic_usb_dev(hald_t)
@@ -1150,9 +1149,9 @@
  files_search_var_lib(hald_t)
  files_read_usr_files(hald_t)
  # hal is now execing pm-suspend
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.4.1/policy/modules/services/lpd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-2.4.2/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc	2006-09-29 14:28:02.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/lpd.fc	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/lpd.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -7,15 +7,20 @@
  # /usr
  #
@@ -1174,9 +1173,9 @@
  
  /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.1/policy/modules/services/lpd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.2/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/lpd.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/lpd.if	2006-10-27 15:42:12.000000000 -0400
 @@ -64,33 +64,35 @@
  	allow $1_lpr_t self:udp_socket create_socket_perms;
  	allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -1272,9 +1271,9 @@
  ##	List the contents of the printer spool directories.
  ## </summary>
  ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.1/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.4.2/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/mta.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/mta.te	2006-10-27 15:42:12.000000000 -0400
 @@ -27,6 +27,7 @@
  
  type sendmail_exec_t;
@@ -1283,9 +1282,9 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.4.1/policy/modules/services/networkmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.4.2/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/networkmanager.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/networkmanager.te	2006-10-27 15:42:12.000000000 -0400
 @@ -119,6 +119,9 @@
  	term_dontaudit_use_unallocated_ttys(NetworkManager_t)
  	term_dontaudit_use_generic_ptys(NetworkManager_t)
@@ -1301,9 +1300,9 @@
  	vpn_signal(NetworkManager_t)
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.1/policy/modules/services/nscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.4.2/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2006-08-07 18:55:18.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/nscd.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/nscd.if	2006-10-27 15:42:12.000000000 -0400
 @@ -181,3 +181,23 @@
  
  	allow $1 nscd_t:nscd *;
@@ -1328,9 +1327,9 @@
 +	role $1 types nscd_t;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.1/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.4.2/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/nscd.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/nscd.te	2006-10-27 15:42:12.000000000 -0400
 @@ -120,6 +120,9 @@
  	term_dontaudit_use_unallocated_ttys(nscd_t)
  	term_dontaudit_use_generic_ptys(nscd_t)
@@ -1341,18 +1340,28 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.1/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-2.4.2/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2006-09-29 14:28:02.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/oddjob.te	2006-10-26 11:02:29.000000000 -0400
-@@ -39,6 +39,7 @@
++++ serefpolicy-2.4.2/policy/modules/services/oddjob.te	2006-10-27 15:56:17.000000000 -0400
+@@ -10,6 +10,7 @@
+ type oddjob_exec_t;
+ domain_type(oddjob_t)
+ init_daemon_domain(oddjob_t, oddjob_exec_t)
++domain_subj_id_change_exemption(oddjob_t)
+ 
+ type oddjob_mkhomedir_t;
+ type oddjob_mkhomedir_exec_t;
+@@ -38,7 +39,8 @@
+ 
  kernel_read_system_state(oddjob_t)
  
- corecmd_search_sbin(oddjob_t)
-+corecmd_search_bin(oddjob_t)
+-corecmd_search_sbin(oddjob_t)
++corecmd_exec_sbin(oddjob_t)
++corecmd_exec_bin(oddjob_t)
  corecmd_exec_shell(oddjob_t)
  
  selinux_compute_create_context(oddjob_t)
-@@ -54,7 +55,10 @@
+@@ -54,7 +56,10 @@
  
  locallogin_dontaudit_use_fds(oddjob_t)
  
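Review bot: oddjob_t gains three broad grants in the oddjob.te hunks with no comment saying what needs them: `domain_subj_id_change_exemption(oddjob_t)`, `corecmd_exec_sbin(oddjob_t)` and `corecmd_exec_bin(oddjob_t)`, the last two replacing search-only rules. Together with the existing `corecmd_exec_shell(oddjob_t)`, the daemon can now run generic bin and sbin programs without leaving oddjob_t, and it is exempt from the constraint on changing the SELinux user identity. A service that runs helpers for other callers is usually better served by a domain transition per helper, as the separate oddjob_mkhomedir_t type suggests was the original design. At minimum each grant should carry a why-comment, e.g. `# <helper that must run with a different SELinux user>` above the exemption. The inner hunks shown here are excerpts, so the rest of oddjob.te is not visible.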
@@ -1363,7 +1372,7 @@
  	term_dontaudit_use_generic_ptys(oddjob_t)
  	term_dontaudit_use_unallocated_ttys(oddjob_t)
  ')
-@@ -83,3 +87,12 @@
+@@ -83,3 +88,12 @@
  libs_use_shared_libs(oddjob_mkhomedir_t)
  
  miscfiles_read_localization(oddjob_mkhomedir_t)
@@ -1376,9 +1385,9 @@
 +userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
 +userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.1/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.4.2/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if	2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/pegasus.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/pegasus.if	2006-10-27 15:42:12.000000000 -0400
 @@ -1 +1,32 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 +
@@ -1412,9 +1421,9 @@
 +	allow pegasus_t $1:fifo_file rw_file_perms;
 +	allow pegasus_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.1/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.4.2/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/pegasus.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/pegasus.te	2006-10-27 15:42:12.000000000 -0400
 @@ -100,13 +100,12 @@
  
  auth_use_nsswitch(pegasus_t)
@@ -1431,9 +1440,9 @@
  files_read_var_lib_symlinks(pegasus_t)
  
  hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.1/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.4.2/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/procmail.te	2006-10-25 15:25:23.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/procmail.te	2006-10-30 10:51:13.000000000 -0500
 @@ -10,6 +10,7 @@
  type procmail_exec_t;
  domain_type(procmail_t)
@@ -1450,7 +1459,30 @@
  
  auth_use_nsswitch(procmail_t)
  
-@@ -73,11 +75,6 @@
+@@ -63,21 +65,29 @@
+ 
+ # only works until we define a different type for maildir
+ userdom_priveleged_home_dir_manager(procmail_t)
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(procmail_t)
++	fs_manage_nfs_files(procmail_t)
++	fs_manage_nfs_symlinks(procmail_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_dirs(procmail_t)
++	fs_manage_cifs_files(procmail_t)
++	fs_manage_cifs_symlinks(procmail_t)
++')
++
+ # Do not audit attempts to access /root.
+ userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
+ userdom_dontaudit_search_staff_home_dirs(procmail_t)
+ 
++
+ mta_manage_spool(procmail_t)
+ 
+ ifdef(`hide_broken_symptoms',`
  	mta_dontaudit_rw_queue(procmail_t)
  ')
  
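Review bot: The two new `tunable_policy` blocks in procmail.te give procmail_t manage rights on every NFS or CIFS directory, file and symlink once `use_nfs_home_dirs` or `use_samba_home_dirs` is on, not only on home directories. Content on those mounts normally shares a single type, so `fs_manage_nfs_files(procmail_t)` and `fs_manage_cifs_files(procmail_t)` cannot be scoped to mail folders. That is probably unavoidable for delivery into network home directories, but it deserves a comment above the blocks, e.g. `# NFS/CIFS content is not labelled per file, so this covers every such mount`. The extra blank `+` line added before `mta_manage_spool(procmail_t)` can be dropped.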
@@ -1462,15 +1494,16 @@
  optional_policy(`
  	clamav_domtrans_clamscan(procmail_t)
  	clamav_search_lib(procmail_t)
-@@ -112,3 +109,5 @@
+@@ -112,3 +122,6 @@
  	spamassassin_exec(procmail_t)
  	spamassassin_exec_client(procmail_t)
  ')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.4.1/policy/modules/services/rhgb.te
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-2.4.2/policy/modules/services/rhgb.te
 --- nsaserefpolicy/policy/modules/services/rhgb.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/rhgb.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/rhgb.te	2006-10-27 15:42:12.000000000 -0400
 @@ -13,10 +13,8 @@
  type rhgb_tmpfs_t;
  files_tmpfs_file(rhgb_tmpfs_t)
@@ -1532,9 +1565,9 @@
  	allow initrc_t rhgb_gph_t:fd use;
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.4.1/policy/modules/services/ricci.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-2.4.2/policy/modules/services/ricci.fc
 --- nsaserefpolicy/policy/modules/services/ricci.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/services/ricci.fc	2006-10-25 11:24:31.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/ricci.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -0,0 +1,20 @@
 +# ricci executable will have:
 +# label: system_u:object_r:ricci_exec_t
@@ -1556,9 +1589,9 @@
 +/usr/libexec/ricci-modservice	--	gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
 +/usr/libexec/ricci-modstorage	--	gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.4.1/policy/modules/services/ricci.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-2.4.2/policy/modules/services/ricci.if
 --- nsaserefpolicy/policy/modules/services/ricci.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/services/ricci.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/ricci.if	2006-10-27 15:42:12.000000000 -0400
 @@ -0,0 +1,184 @@
 +## <summary>policy for ricci</summary>
 +
@@ -1744,10 +1777,10 @@
 +	allow $1 ricci_modcluster_var_run_t:sock_file write;
 +	allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.1/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.2/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/services/ricci.te	2006-10-26 11:51:59.000000000 -0400
-@@ -0,0 +1,434 @@
++++ serefpolicy-2.4.2/policy/modules/services/ricci.te	2006-10-27 16:16:39.000000000 -0400
+@@ -0,0 +1,438 @@
 +policy_module(ricci,1.0.0)
 +
 +########################################
@@ -1992,6 +2025,10 @@
 +unconfined_use_fds(ricci_modclusterd_t)
 +
 +optional_policy(`
++	ccs_domtrans(ricci_modclusterd_t)
++')
++
++optional_policy(`
 +	ccs_stream_connect(ricci_modclusterd_t)
 +	ccs_read_config(ricci_modclusterd_t)
 +')
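Review bot: The new `optional_policy` block holding `ccs_domtrans(ricci_modclusterd_t)` sits directly above an existing block that already calls `ccs_stream_connect(ricci_modclusterd_t)` and `ccs_read_config(ricci_modclusterd_t)`. If all three interfaces come from the ccs module, a single block is enough: put `ccs_domtrans(ricci_modclusterd_t)` as the first line of the existing block and drop the new one. A short comment saying why modclusterd starts ccsd itself, rather than relying on the init script, would help the next reader. ricci.te continues on both sides of this hunk.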
@@ -2046,7 +2083,7 @@
 +
 +corecmd_exec_bin(ricci_modrpm_t)
 +
-+libs_use_ld_so(ricci_modservice_t)
++libs_use_ld_so(ricci_modrpm_t)
 +libs_use_shared_libs(ricci_modrpm_t)
 +
 +files_search_usr(ricci_modrpm_t)
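Review bot: With `libs_use_ld_so(ricci_modservice_t)` corrected to `libs_use_ld_so(ricci_modrpm_t)`, the ricci_modrpm_t section no longer grants the dynamic loader to ricci_modservice_t as a side effect. The ricci_modservice_t section is outside this hunk, so it is worth confirming that it has its own `libs_use_ld_so(ricci_modservice_t)` line. If the misplaced line was the only such grant, the modservice helper would presumably fail to start after this change.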
@@ -2182,9 +2219,9 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.4.1/policy/modules/services/rpc.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.4.2/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/rpc.te	2006-10-24 11:29:27.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/rpc.te	2006-10-27 15:42:12.000000000 -0400
 @@ -76,6 +76,9 @@
  allow nfsd_t exports_t:file { getattr read };
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
@@ -2212,9 +2249,9 @@
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.1/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.2/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/rsync.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/rsync.te	2006-10-27 15:42:12.000000000 -0400
 @@ -9,6 +9,7 @@
  type rsync_t;
  type rsync_exec_t;
@@ -2223,9 +2260,9 @@
  role system_r types rsync_t;
  
  type rsync_data_t;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.1/policy/modules/services/samba.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.2/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/samba.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/samba.te	2006-10-27 15:42:12.000000000 -0400
 @@ -502,6 +502,10 @@
  userdom_use_sysadm_ttys(smbmount_t)
  
@@ -2237,9 +2274,9 @@
  	nis_use_ypbind(smbmount_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.1/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.4.2/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/sasl.te	2006-10-24 17:37:05.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/sasl.te	2006-10-27 15:42:12.000000000 -0400
 @@ -47,6 +47,8 @@
  fs_getattr_all_fs(saslauthd_t)
  fs_search_auto_mountpoints(saslauthd_t)
@@ -2249,9 +2286,9 @@
  term_dontaudit_use_console(saslauthd_t)
  
  auth_domtrans_chk_passwd(saslauthd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.4.1/policy/modules/services/setroubleshoot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.4.2/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/setroubleshoot.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/setroubleshoot.te	2006-10-27 15:42:12.000000000 -0400
 @@ -28,7 +28,7 @@
  #
  
@@ -2261,9 +2298,9 @@
  allow setroubleshootd_t self:fifo_file rw_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.1/policy/modules/services/snmp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.4.2/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/snmp.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/snmp.te	2006-10-27 15:42:12.000000000 -0400
 @@ -85,7 +85,9 @@
  files_read_etc_files(snmpd_t)
  files_read_usr_files(snmpd_t)
@@ -2275,9 +2312,9 @@
  
  fs_getattr_all_fs(snmpd_t)
  fs_getattr_rpc_dirs(snmpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.1/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.2/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/spamassassin.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/spamassassin.te	2006-10-27 15:42:12.000000000 -0400
 @@ -8,7 +8,7 @@
  
  # spamassassin client executable
@@ -2304,9 +2341,9 @@
  
  allow spamd_t spamd_spool_t:file create_file_perms;
  allow spamd_t spamd_spool_t:dir create_dir_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.4.1/policy/modules/services/squid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.4.2/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/squid.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/squid.te	2006-10-27 15:42:12.000000000 -0400
 @@ -98,6 +98,9 @@
  
  fs_getattr_all_fs(squid_t)
@@ -2325,9 +2362,9 @@
 -#squid requires the following when run in diskd mode, the recommended setting
 -allow squid_t tmpfs_t:file { read write };
 -') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.1/policy/modules/services/ssh.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.4.2/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/ssh.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/ssh.te	2006-10-27 15:42:12.000000000 -0400
 @@ -10,7 +10,7 @@
  
  # ssh client executable.
@@ -2346,9 +2383,9 @@
  	# for X forwarding
  	corenet_tcp_bind_xserver_port(sshd_t)
  	corenet_sendrecv_xserver_server_packets(sshd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.1/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.4.2/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/xserver.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/xserver.if	2006-10-27 15:42:12.000000000 -0400
 @@ -898,10 +898,12 @@
  
  	domain_auto_trans($1,xserver_exec_t,xdm_xserver_t)
@@ -2404,9 +2441,9 @@
 +	dontaudit $1 xdm_t:fifo_file { getattr read write }; 
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.4.1/policy/modules/services/xserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.4.2/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/services/xserver.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/services/xserver.te	2006-10-27 15:42:12.000000000 -0400
 @@ -463,7 +463,7 @@
  allow rhgb_t xdm_xserver_t:process signal;
  ')
@@ -2416,9 +2453,9 @@
  # xdm needs access for linking .X11-unix to poly /tmp
  allow xdm_t polymember:dir { add_name remove_name write };
  allow xdm_t polymember:lnk_file { create unlink };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-2.4.1/policy/modules/system/authlogin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-2.4.2/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/authlogin.fc	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/authlogin.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -32,6 +32,7 @@
  /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
@@ -2427,9 +2464,9 @@
  /var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
  /var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
  /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.1/policy/modules/system/authlogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.2/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2006-10-16 12:20:19.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/authlogin.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/authlogin.if	2006-10-27 15:42:12.000000000 -0400
 @@ -230,7 +230,7 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
@@ -2439,9 +2476,9 @@
  		files_polyinstantiate_all($1)
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.4.1/policy/modules/system/clock.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.4.2/policy/modules/system/clock.te
 --- nsaserefpolicy/policy/modules/system/clock.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/clock.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/clock.te	2006-10-27 15:42:12.000000000 -0400
 @@ -25,10 +25,13 @@
  dontaudit hwclock_t self:capability sys_tty_config;
  allow hwclock_t self:process signal_perms;
@@ -2456,9 +2493,20 @@
  kernel_read_kernel_sysctls(hwclock_t)
  kernel_list_proc(hwclock_t)
  kernel_read_proc_symlinks(hwclock_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.1/policy/modules/system/fstools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-2.4.2/policy/modules/system/fstools.fc
+--- nsaserefpolicy/policy/modules/system/fstools.fc	2006-09-05 07:41:01.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/fstools.fc	2006-10-30 10:45:52.000000000 -0500
+@@ -19,7 +19,6 @@
+ /sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+-/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.4.2/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/fstools.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/fstools.te	2006-10-27 15:42:12.000000000 -0400
 @@ -9,7 +9,7 @@
  type fsadm_t;
  type fsadm_exec_t;
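Review bot: The new fstools.fc section drops the `/sbin/mkswap` entry from the `fsadm_exec_t` list with no comment in the file, and the only log text for the commit is "Fixes for ricci". Without that entry mkswap presumably falls back to the generic label for /sbin and runs in the caller's domain instead of transitioning to fsadm_t, which would change which domains need raw-disk access to set up swap. I would leave a comment where the line was removed, for example `# /sbin/mkswap is deliberately not fsadm_exec_t: <reason, AVC or bug reference>`. It is also worth confirming that systems already installed get the file relabeled on upgrade.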
@@ -2476,9 +2524,9 @@
  mls_file_write_down(fsadm_t)
  
  storage_raw_read_fixed_disk(fsadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.1/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.4.2/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/getty.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/getty.te	2006-10-27 15:42:12.000000000 -0400
 @@ -33,7 +33,8 @@
  #
  
@@ -2489,9 +2537,9 @@
  dontaudit getty_t self:capability sys_tty_config;
  allow getty_t self:process { getpgid getsession signal_perms };
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.1/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.4.2/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/hostname.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/hostname.te	2006-10-27 15:42:12.000000000 -0400
 @@ -8,8 +8,12 @@
  
  type hostname_t;
@@ -2506,9 +2554,9 @@
  
  ########################################
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.4.1/policy/modules/system/init.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-2.4.2/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2006-08-25 13:29:58.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/init.fc	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/init.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -66,3 +66,6 @@
  /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
@@ -2516,9 +2564,9 @@
 +# Until their is a policy for pcscd we need these
 +/var/run/pcscd\.pub	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 +/var/run/pcscd\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.1/policy/modules/system/init.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.2/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/init.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/init.te	2006-10-27 15:42:12.000000000 -0400
 @@ -132,6 +132,7 @@
  mcs_process_set_categories(init_t)
  
@@ -2557,9 +2605,9 @@
  ',`
  	# cjp: require doesnt work in the else of optionals :\
  	# this also would result in a type transition
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-2.4.1/policy/modules/system/iscsi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-2.4.2/policy/modules/system/iscsi.fc
 --- nsaserefpolicy/policy/modules/system/iscsi.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/system/iscsi.fc	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/iscsi.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -0,0 +1,9 @@
 +# iscsid executable will have:
 +# label: system_u:object_r:iscsid_exec_t
@@ -2570,9 +2618,9 @@
 +/var/run/iscsid.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
 +/var/lib/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_var_lib_t,s0)
 +/var/lock/iscsi(/.*)?	--	gen_context(system_u:object_r:iscsi_lock_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.4.1/policy/modules/system/iscsi.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-2.4.2/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/system/iscsi.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/iscsi.if	2006-10-27 15:42:12.000000000 -0400
 @@ -0,0 +1,24 @@
 +## <summary>policy for iscsid</summary>
 +
@@ -2598,9 +2646,9 @@
 +	allow iscsid_t $1:fifo_file rw_file_perms;
 +	allow iscsid_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-2.4.1/policy/modules/system/iscsi.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-2.4.2/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.1/policy/modules/system/iscsi.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/iscsi.te	2006-10-27 15:42:12.000000000 -0400
 @@ -0,0 +1,94 @@
 +policy_module(iscsid,1.0.0)
 +
@@ -2696,9 +2744,9 @@
 +
 +# I hope this is ok - ~J
 +allow iscsid_t self:capability dac_override;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.1/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.4.2/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-10-16 12:20:18.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/libraries.fc	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/libraries.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -74,11 +74,12 @@
  /opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?lib64/.+\.so			--	gen_context(system_u:object_r:shlib_t,s0)
@@ -2723,9 +2771,9 @@
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.1/policy/modules/system/locallogin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.4.2/policy/modules/system/locallogin.if
 --- nsaserefpolicy/policy/modules/system/locallogin.if	2006-10-16 12:20:18.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/locallogin.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/locallogin.if	2006-10-27 15:42:12.000000000 -0400
 @@ -75,3 +75,40 @@
  
  	allow $1 local_login_t:process signull;
@@ -2767,9 +2815,9 @@
 +
 +	allow $1 local_login_t:key link;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.4.1/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.4.2/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/locallogin.te	2006-10-25 16:13:30.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/locallogin.te	2006-10-27 15:42:12.000000000 -0400
 @@ -47,7 +47,7 @@
  allow local_login_t self:sem create_sem_perms;
  allow local_login_t self:msgq create_msgq_perms;
@@ -2779,9 +2827,9 @@
  
  allow local_login_t local_login_lock_t:file create_file_perms;
  files_lock_filetrans(local_login_t,local_login_lock_t,file)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.1/policy/modules/system/logging.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.2/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/logging.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/logging.te	2006-10-27 15:42:12.000000000 -0400
 @@ -135,6 +135,7 @@
  
  fs_getattr_all_fs(auditd_t)
@@ -2807,18 +2855,18 @@
  
  seutil_dontaudit_read_config(auditd_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-2.4.1/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-2.4.2/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/mount.fc	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/mount.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -4,4 +4,5 @@
  # mount file contexts
  #
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.1/policy/modules/system/mount.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.2/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/mount.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/mount.te	2006-10-27 15:42:12.000000000 -0400
 @@ -9,6 +9,7 @@
  type mount_t;
  type mount_exec_t;
@@ -2843,9 +2891,9 @@
  
  userdom_use_all_users_fds(mount_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.1/policy/modules/system/raid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.4.2/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/raid.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/raid.te	2006-10-27 15:42:12.000000000 -0400
 @@ -22,7 +22,9 @@
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
  dontaudit mdadm_t self:capability sys_tty_config;
@@ -2873,10 +2921,10 @@
  
  domain_use_interactive_fds(mdadm_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.1/policy/modules/system/selinuxutil.if
---- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-10-26 12:00:23.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/selinuxutil.if	2006-10-23 17:01:49.000000000 -0400
-@@ -713,7 +692,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.2/policy/modules/system/selinuxutil.if
+--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-10-27 10:27:56.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/selinuxutil.if	2006-10-27 15:42:12.000000000 -0400
+@@ -713,7 +713,7 @@
  	')
  
  	files_search_etc($1)
@@ -2885,7 +2933,7 @@
  	allow $1 selinux_config_t:file manage_file_perms;
  	allow $1 selinux_config_t:lnk_file { getattr read };
  ')
-@@ -776,8 +755,8 @@
+@@ -797,8 +797,8 @@
  
  	files_search_etc($1)
  	allow $1 selinux_config_t:dir search_dir_perms;
@@ -2896,9 +2944,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.1/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-10-23 16:14:54.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/selinuxutil.te	2006-10-23 17:01:49.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.2/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-10-27 10:27:56.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/selinuxutil.te	2006-10-27 15:42:12.000000000 -0400
 @@ -270,6 +270,7 @@
  mls_file_upgrade(newrole_t)
  mls_file_downgrade(newrole_t)
@@ -2942,9 +2990,9 @@
  selinux_get_enforce_mode(semanage_t)
  # for setsebool:
  selinux_set_boolean(semanage_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.4.1/policy/modules/system/setrans.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.4.2/policy/modules/system/setrans.te
 --- nsaserefpolicy/policy/modules/system/setrans.te	2006-10-23 16:14:54.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/setrans.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/setrans.te	2006-10-27 15:42:12.000000000 -0400
 @@ -55,9 +55,12 @@
  
  mls_file_read_up(setrans_t)
@@ -2959,9 +3007,9 @@
  
  selinux_compute_access_vector(setrans_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.1/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.4.2/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/unconfined.if	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/unconfined.if	2006-10-27 15:42:12.000000000 -0400
 @@ -31,6 +31,7 @@
  	allow $1 self:nscd *;
  	allow $1 self:dbus *;
@@ -2995,9 +3043,9 @@
  ##	Connect to the unconfined domain using
  ##	a unix domain stream socket.
  ## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.1/policy/modules/system/unconfined.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.4.2/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/unconfined.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/unconfined.te	2006-10-27 15:42:12.000000000 -0400
 @@ -59,13 +59,9 @@
  		bind_domtrans_ndc(unconfined_t)
  	')
@@ -3046,10 +3094,30 @@
  	allow unconfined_execmem_t self:process { execstack execmem };
  	unconfined_domain_noaudit(unconfined_execmem_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.1/policy/modules/system/userdomain.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.2/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-10-17 13:47:44.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/userdomain.if	2006-10-24 14:56:38.000000000 -0400
-@@ -135,10 +135,12 @@
++++ serefpolicy-2.4.2/policy/modules/system/userdomain.if	2006-10-30 11:07:15.000000000 -0500
+@@ -22,6 +22,10 @@
+ ## <rolebase/>
+ #
+ template(`userdom_base_user_template',`
++	gen_require(`
++		attribute userdomain;
++	')
++
+ 	attribute $1_file_type;
+ 
+ 	type $1_t, userdomain;
+@@ -130,15 +134,21 @@
+ ## <rolebase/>
+ #
+ template(`userdom_ro_home_template',`
++	gen_require(`
++		attribute home_type, home_dir_type, $1_file_type;
++	')
++
+ 	# type for contents of home directory
+ 	type $1_home_t, $1_file_type, home_type;
  	files_type($1_home_t)
  	files_associate_tmp($1_home_t)
  	fs_associate_tmpfs($1_home_t)
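Review bot: The `gen_require` added to `userdom_ro_home_template` lists `$1_file_type`, which as far as this patch shows is declared only by `userdom_base_user_template` (`attribute $1_file_type;`), so the template now depends on the base template having been expanded first for the same prefix. The next hunk adds the same requirement to `userdom_manage_home_template`, `userdom_manage_tmp_template` and `userdom_manage_tmpfs_template`. The requirement itself looks reasonable, but the ordering should be written down above each block, e.g. `# needs userdom_base_user_template($1) first: it declares $1_file_type`. The template bodies continue outside the hunk, so other ordering assumptions cannot be checked from here.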
@@ -3062,7 +3130,47 @@
  	files_associate_tmp($1_home_dir_t)
  	fs_associate_tmpfs($1_home_dir_t)
  
-@@ -3995,12 +3997,7 @@
+@@ -212,6 +222,10 @@
+ ## <rolebase/>
+ #
+ template(`userdom_manage_home_template',`
++	gen_require(`
++		attribute home_type, home_dir_type, $1_file_type;
++	')
++
+ 	# type for contents of home directory
+ 	type $1_home_t, $1_file_type, home_type;
+ 	files_type($1_home_t)
+@@ -339,6 +353,10 @@
+ ## <rolebase/>
+ #
+ template(`userdom_manage_tmp_template',`
++	gen_require(`
++		attribute $1_file_type;
++	')
++
+ 	type $1_tmp_t, $1_file_type;
+ 	files_tmp_file($1_tmp_t)
+ 
+@@ -407,6 +425,9 @@
+ ## <rolebase/>
+ #
+ template(`userdom_manage_tmpfs_template',`
++	gen_require(`
++		attribute $1_file_type;
++	')
+ 	type $1_tmpfs_t, $1_file_type;
+ 	files_tmpfs_file($1_tmpfs_t)
+ 
+@@ -1026,6 +1047,7 @@
+ template(`userdom_admin_user_template',`
+ 	gen_require(`
+ 		class passwd { passwd chfn chsh rootok crontab };
++		attribute admin_terminal;
+ 	')
+ 
+ 	##############################
+@@ -3995,12 +4017,7 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	ifdef(`targeted_policy',`
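Review bot: The `gen_require` block added to `userdom_manage_tmpfs_template` is not followed by a blank line, unlike the blocks added to `userdom_manage_home_template` and `userdom_manage_tmp_template` in this hunk and the two in the previous hunk. Add an empty line after its closing `')` so the requires stay visually separate from the `type $1_tmpfs_t, $1_file_type;` declaration. This is formatting only and changes no behaviour.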
@@ -3076,7 +3184,7 @@
  	',`
  		gen_require(`
  			type staff_home_dir_t;
-@@ -5437,3 +5434,161 @@
+@@ -5437,3 +5454,161 @@
  	allow $1 user_home_dir_t:dir create_dir_perms;
  	files_home_filetrans($1,user_home_dir_t,dir)
  ')
@@ -3238,9 +3346,9 @@
 +	allow $1 user_exec_type:file { relabelfrom relabelto };
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.1/policy/modules/system/userdomain.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.2/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/userdomain.te	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/userdomain.te	2006-10-27 15:42:12.000000000 -0400
 @@ -24,6 +24,9 @@
  # users home directory contents
  attribute home_type;
@@ -3296,9 +3404,9 @@
  		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
  		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
  		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.1/policy/modules/system/xen.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.2/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2006-09-22 14:07:07.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/xen.fc	2006-10-26 10:27:59.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/xen.fc	2006-10-27 15:42:12.000000000 -0400
 @@ -2,6 +2,7 @@
  /usr/sbin/xend		--	gen_context(system_u:object_r:xend_exec_t,s0)
  /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
@@ -3312,9 +3420,9 @@
  
  /xen(/.*)?			gen_context(system_u:object_r:xen_image_t,s0)
 +/dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.1/policy/modules/system/xen.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.2/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.1/policy/modules/system/xen.te	2006-10-24 15:44:24.000000000 -0400
++++ serefpolicy-2.4.2/policy/modules/system/xen.te	2006-10-30 10:34:47.000000000 -0500
 @@ -14,6 +14,8 @@
  # Xen Image files
  type xen_image_t; # customizable
@@ -3392,7 +3500,7 @@
  allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
  
  # pid file
-@@ -203,6 +222,7 @@
+@@ -203,11 +222,16 @@
  allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
  allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
  files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
@@ -3400,7 +3508,16 @@
  
  kernel_read_kernel_sysctls(xenconsoled_t)
  kernel_write_xen_state(xenconsoled_t)
-@@ -245,14 +265,16 @@
+ kernel_read_xen_state(xenconsoled_t)
+ 
++dev_manage_xen(xenconsoled_t)
++dev_filetrans_xen(xenconsoled_t)
++dev_rw_sysfs(xenconsoled_t)
++
+ domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+ 
+ term_create_pty(xenconsoled_t,xen_devpts_t);
+@@ -245,14 +269,16 @@
  allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
  allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
  files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
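Review bot: The three interfaces added for `xenconsoled_t` (`dev_manage_xen`, `dev_filetrans_xen`, `dev_rw_sysfs`) carry no comment saying which operation needs them, and `dev_rw_sysfs` in particular gives a console daemon write access to sysfs. If the denials behind this change were reads only, `dev_read_sysfs(xenconsoled_t)` would be the narrower grant; the hunk does not show enough to judge that. Whichever is kept, state the reason above the block, e.g. `# <what xenconsoled does with the xen device nodes and sysfs; AVC or bug reference>`, so a later least-privilege review can tell whether the access is still required.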
@@ -3418,7 +3535,7 @@
  
  term_use_generic_ptys(xenstored_t)
  term_use_console(xenconsoled_t)
-@@ -278,7 +300,14 @@
+@@ -278,7 +304,14 @@
  
  # internal communication is often done using fifo and unix sockets.
  allow xm_t self:fifo_file { read write };
@@ -3434,7 +3551,7 @@
  
  allow xm_t xend_var_lib_t:dir rw_dir_perms;
  allow xm_t xend_var_lib_t:fifo_file create_file_perms;
-@@ -317,3 +346,8 @@
+@@ -317,3 +350,8 @@
  xen_append_log(xm_t)
  xen_stream_connect(xm_t)
  xen_stream_connect_xenstore(xm_t)
@@ -3443,9 +3560,9 @@
 +files_search_mnt(xend_t)
 +fs_write_nfs_files(xend_t)
 +fs_read_nfs_files(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.1/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.2/Rules.modular
 --- nsaserefpolicy/Rules.modular	2006-10-16 12:20:19.000000000 -0400
-+++ serefpolicy-2.4.1/Rules.modular	2006-10-23 17:01:49.000000000 -0400
++++ serefpolicy-2.4.2/Rules.modular	2006-10-27 15:42:12.000000000 -0400
 @@ -219,6 +219,16 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.326
retrieving revision 1.327
diff -u -r1.326 -r1.327
--- selinux-policy.spec	27 Oct 2006 19:16:43 -0000	1.326
+++ selinux-policy.spec	30 Oct 2006 16:45:09 -0000	1.327
@@ -10,14 +10,14 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 20
+%define POLICYVER 21
 %define libsepolver 1.12.26-1
 %define POLICYCOREUTILSVER 1.30.29-1
 %define CHECKPOLICYVER 1.30.11-1
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.2
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
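Review bot: `POLICYVER` moves from 20 to 21 while `libsepolver`, `POLICYCOREUTILSVER` and `CHECKPOLICYVER` stay as they were, and the new changelog entry ("Fixes for ricci") does not mention the change. If those pinned versions feed the package's build and install requirements, confirm that they can produce and load a version 21 binary policy; otherwise a machine could install a policy file its tools or kernel cannot load. I would add a changelog line such as `- Build policy version 21` and raise the tool minimums if needed. How `POLICYVER` is consumed lies outside this hunk.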
@@ -351,6 +351,9 @@
 %endif
 
 %changelog
+* Fri Oct 27 2006 Dan Walsh <dwalsh at redhat.com> 2.4.2-2
+- Fixes for ricci
+
 * Fri Oct 27 2006 Dan Walsh <dwalsh at redhat.com> 2.4.2-1
 - Allow mount.nfs to work
 



