rpms/selinux-policy/devel policy-20071130.patch, 1.76, 1.77 selinux-policy.spec, 1.616, 1.617

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Feb 26 19:25:08 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23003

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-3


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- policy-20071130.patch	26 Feb 2008 16:14:59 -0000	1.76
+++ policy-20071130.patch	26 Feb 2008 19:24:53 -0000	1.77
@@ -5996,7 +5996,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-02-26 13:48:22.000000000 -0500
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6032,7 +6032,19 @@
  /etc/sysconfig/network-scripts/ifup-.*	-- gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/network-scripts/ifup-.*	-l gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -127,6 +135,8 @@
+@@ -99,11 +107,6 @@
+ /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
+-ifdef(`distro_redhat',`
+-/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:bin_t,s0)
+-')
+-
+ #
+ # /sbin
+ #
+@@ -127,6 +130,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -6041,7 +6053,7 @@
  #
  # /usr
  #
-@@ -144,10 +154,7 @@
+@@ -144,10 +149,7 @@
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -6053,7 +6065,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -178,6 +185,8 @@
+@@ -178,6 +180,8 @@
  /usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
@@ -6062,7 +6074,7 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-@@ -185,8 +194,12 @@
+@@ -185,8 +189,12 @@
  /usr/local/Brother(/.*)?/lpd(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
@@ -6075,7 +6087,7 @@
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +297,10 @@
+@@ -284,3 +292,10 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -6088,7 +6100,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.3.1/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if	2008-02-26 11:58:10.000000000 -0500
 @@ -875,6 +875,7 @@
  
  	read_lnk_files_pattern($1,bin_t,bin_t)
@@ -6199,7 +6211,7 @@
  network_port(xen, tcp,8002,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.3.1/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.fc	2008-02-26 14:17:28.000000000 -0500
 @@ -1,7 +1,7 @@
  
  /dev			-d	gen_context(system_u:object_r:device_t,s0)
@@ -6209,7 +6221,7 @@
  /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -12,32 +12,45 @@
+@@ -12,42 +12,58 @@
  /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
  /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -6255,7 +6267,12 @@
  /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
  /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -48,6 +61,7 @@
+ /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
++/dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
  /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
  /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
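Review bot: The new `netcontrol_device_t` label is given a network-flavoured name, but it is applied here to `/dev/network_latency` and `/dev/network_throughput` and, in the later `@@ -6275,7 +6292,15 @@` hunk, to `/dev/cpu_dma_latency`, which is not a network node. Any domain later granted `dev_rw_netcontrol` would therefore also be able to write the CPU DMA latency device. If the grouping is intended (these look like the kernel's PM QoS nodes), the type comment in devices.te should say so, for example `# PM QoS control devices: cpu_dma_latency, network_latency, network_throughput`. Otherwise a separate type for the CPU node keeps the two kinds of access apart.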
@@ -6263,7 +6280,7 @@
  /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
-@@ -69,9 +83,8 @@
+@@ -69,9 +85,8 @@
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
@@ -6275,7 +6292,15 @@
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -98,13 +111,23 @@
+@@ -91,6 +106,7 @@
+ 
+ /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
+ 
++/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+ /dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
+ 
+@@ -98,13 +114,23 @@
  
  /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  
@@ -6299,9 +6324,14 @@
  
  /dev/pts(/.*)?			<<none>>
  
+@@ -134,3 +160,4 @@
+ /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
+ /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
+ ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if	2008-02-26 14:19:56.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -6476,7 +6506,7 @@
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3322,3 +3452,96 @@
+@@ -3322,3 +3452,150 @@
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -6573,9 +6603,63 @@
 +	rw_chr_files_pattern($1,device_t,autofs_device_t)
 +')
 +
++########################################
++## <summary>
++##	Get the attributes of the network control device
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_netcontrol',`
++	gen_require(`
++		type device_t, netcontrol_device_t;
++	')
++
++	getattr_chr_files_pattern($1,device_t,netcontrol_device_t)
++')
++
++########################################
++## <summary>
++##	Read the network control identity.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_netcontrol',`
++	gen_require(`
++		type device_t, netcontrol_device_t;
++	')
++
++	read_chr_files_pattern($1,device_t,netcontrol_device_t)
++')
++
++########################################
++## <summary>
++##	Read and write the the network control device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_netcontrol',`
++	gen_require(`
++		type device_t, netcontrol_device_t;
++	')
++
++	rw_chr_files_pattern($1,device_t,netcontrol_device_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.3.1/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.te	2008-02-26 14:16:11.000000000 -0500
 @@ -32,6 +32,12 @@
  type apm_bios_t;
  dev_node(apm_bios_t)
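Review bot: The summary for `dev_read_netcontrol` reads "Read the network control identity.", which does not describe the `read_chr_files_pattern` call below it and looks copied from another interface; `##	Read the network control device.` would match. The `dev_rw_netcontrol` summary has a doubled word and should read `##	Read and write the network control device.`. These summaries are what a policy writer reads when choosing which interface to grant, so they should name the access actually given.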
@@ -6589,7 +6673,20 @@
  type cardmgr_dev_t;
  dev_node(cardmgr_dev_t)
  files_tmp_file(cardmgr_dev_t)
-@@ -66,12 +72,25 @@
+@@ -49,6 +55,12 @@
+ type cpu_device_t;
+ dev_node(cpu_device_t)
+ 
++#
++# network control devices 
++#
++type netcontrol_device_t;
++dev_node(netcontrol_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -66,12 +78,25 @@
  dev_node(framebuf_device_t)
  
  #
@@ -9396,7 +9493,7 @@
 +/etc/rc.d/init.d/canna	--	gen_context(system_u:object_r:canna_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.if serefpolicy-3.3.1/policy/modules/services/canna.if
 --- nsaserefpolicy/policy/modules/services/canna.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/canna.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/canna.if	2008-02-26 11:51:53.000000000 -0500
 @@ -18,3 +18,74 @@
  	files_search_pids($1)
  	stream_connect_pattern($1,canna_var_run_t,canna_var_run_t,canna_t)
@@ -11210,9 +11307,22 @@
  ########################################
  #
  # Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.3.1/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc	2007-09-12 10:34:18.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.fc	2008-02-26 11:48:35.000000000 -0500
+@@ -4,6 +4,9 @@
+ /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ /bin/dbus-daemon 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ 
++/lib/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
++/lib64/dbus-1/dbus-daemon-launch-helper 	--	gen_context(system_u:object_r:system_dbusd_exec_t,s0)
++
+ /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
+ 
+ /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/dbus.if	2008-02-26 12:56:03.000000000 -0500
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
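Review bot: Labelling `dbus-daemon-launch-helper` as `system_dbusd_exec_t` gives the helper the same entry type as the daemon, so every transition rule written for `system_dbusd_exec_t` now applies to it too. With the `can_exec(system_dbusd_t,system_dbusd_exec_t)` line added in the dbus.te hunk, the helper runs inside `system_dbusd_t` with the daemon's whole permission set. A dedicated exec type would let the helper be confined separately. If sharing the type is deliberate, record the reason above the two new dbus.fc entries, for example `# launch helper shares the daemon type; it is executed by system_dbusd_t without a transition`. The matching removal of the `bin_t` entries is in the earlier corecommands.fc hunk.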
@@ -11266,6 +11376,16 @@
  	allow $1_dbusd_t $2:process sigkill;
  	allow $2 $1_dbusd_t:fd use;
  	allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
+@@ -115,8 +117,8 @@
+ 	kernel_read_kernel_sysctls($1_dbusd_t)
+ 
+ 	corecmd_list_bin($1_dbusd_t)
+-	corecmd_read_bin_symlinks($1_dbusd_t)
+ 	corecmd_read_bin_files($1_dbusd_t)
++	corecmd_read_bin_symlinks($1_dbusd_t)
+ 	corecmd_read_bin_pipes($1_dbusd_t)
+ 	corecmd_read_bin_sockets($1_dbusd_t)
+ 
 @@ -139,6 +141,7 @@
  
  	fs_getattr_romfs($1_dbusd_t)
@@ -11472,7 +11592,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-02-26 10:53:25.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-02-26 14:09:20.000000000 -0500
 @@ -9,6 +9,7 @@
  #
  # Delcarations
@@ -11515,7 +11635,16 @@
  allow system_dbusd_t self:fifo_file { read write };
  allow system_dbusd_t self:dbus { send_msg acquire_svc };
  allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -65,6 +78,7 @@
+@@ -43,6 +56,8 @@
+ # Receive notifications of policy reloads and enforcing status changes.
+ allow system_dbusd_t self:netlink_selinux_socket { create bind read };
+ 
++can_exec(system_dbusd_t,system_dbusd_exec_t)
++
+ allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
+ read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+ read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
+@@ -65,6 +80,7 @@
  
  fs_getattr_all_fs(system_dbusd_t)
  fs_search_auto_mountpoints(system_dbusd_t)
@@ -11523,15 +11652,24 @@
  
  selinux_get_fs_mount(system_dbusd_t)
  selinux_validate_context(system_dbusd_t)
-@@ -91,6 +105,7 @@
+@@ -81,7 +97,6 @@
+ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
+-corecmd_exec_bin(system_dbusd_t)
+ 
+ domain_use_interactive_fds(system_dbusd_t)
+ 
+@@ -91,6 +106,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
-+init_domtrans_script(system_dbusd_t)
++init_dbus_chat_script(system_dbusd_t)
++init_bin_domtrans_spec(system_dbusd_t)
  
  libs_use_ld_so(system_dbusd_t)
  libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +136,20 @@
+@@ -121,9 +138,20 @@
  ')
  
  optional_policy(`
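Review bot: `init_bin_domtrans_spec(system_dbusd_t)` appears to let the system bus daemon enter `initrc_t` by executing any file labelled `bin_t`, judging by the `corecmd_bin_domtrans($1, initrc_t)` body added in the init.if hunk. That is a much wider set of entry points than the `initscript` attribute used by the `init_domtrans_script` call it replaces. Anything the daemon starts from a `bin_t` path would then run in the init-script domain rather than in a domain of its own. A narrower rule would transition only on the entry types of the services dbus is expected to start. At minimum, add a comment above the call such as `# programs started by dbus from bin_t run in initrc_t` so the breadth is visible to later reviewers.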
@@ -12300,24 +12438,21 @@
 +/etc/rc.d/init.d/dovecot	--	gen_context(system_u:object_r:dovecot_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.3.1/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.if	2008-02-26 10:29:56.000000000 -0500
-@@ -21,14 +21,53 @@
++++ serefpolicy-3.3.1/policy/modules/services/dovecot.if	2008-02-26 13:09:21.000000000 -0500
+@@ -21,7 +21,46 @@
  
  ########################################
  ## <summary>
 -##      Do not audit attempts to delete dovecot lib files.
 +##	Connect to dovecot auth unix domain stream socket.
- ## </summary>
- ## <param name="domain">
--##      <summary>
--##      Domain to not audit.
--##      </summary>
++## </summary>
++## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
- ## </param>
++## </param>
 +## <rolecap/>
- #
++#
 +interface(`dovecot_auth_stream_connect',`
 +	gen_require(`
 +		type dovecot_auth_t, dovecot_var_run_t;
@@ -12346,19 +12481,12 @@
 +	domtrans_pattern($1,dovecot_deliver_exec_t,dovecot_deliver_t)
 +')
 +
-+########################################
-+### <summary>
-+###      Do not audit attempts to delete dovecot lib files.
-+### </summary>
-+### <param name="domain">
-+###      <summary>
-+###      Domain to not audit.
-+###      </summary>
-+### </param>
-+##
- interface(`dovecot_dontaudit_unlink_lib_files',`
- 	gen_require(`
- 		type dovecot_var_lib_t;
++#######################################
++## <summary>
++##      Do not audit attempts to d`elete dovecot lib files.
+ ## </summary>
+ ## <param name="domain">
+ ##      <summary>
 @@ -36,3 +75,89 @@
  
  	dontaudit $1 dovecot_var_lib_t:file unlink;
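Review bot: The re-added summary line has a stray backquote in the word "d`elete"; it should read `##      Do not audit attempts to delete dovecot lib files.`. The backquote is the open-quote character for the m4 macros in these interface files, so an unbalanced one is worth removing even inside a comment, and it would also be carried into any documentation generated from the summary. The separator line added above it also appears to be one `#` shorter than the other section separators in the patch. The interface definition this comment documents lies outside the hunk.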
@@ -15398,11 +15526,12 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.3.1/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-02-26 08:29:22.000000000 -0500
-@@ -1,7 +1,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.fc	2008-02-26 14:08:24.000000000 -0500
+@@ -1,7 +1,10 @@
  /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  
  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
@@ -24225,7 +24354,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-02-26 13:19:58.000000000 -0500
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -24271,7 +24400,7 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -226,6 +242,31 @@
+@@ -226,6 +242,33 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -24288,6 +24417,8 @@
 +	')
 +
 +	optional_policy(`
++		corecmd_exec_bin($1)
++		storage_getattr_fixed_disk_dev($1)
 +		mount_domtrans($1)
 +	')
 +
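Review bot: `corecmd_exec_bin($1)` and `storage_getattr_fixed_disk_dev($1)` are added inside the `optional_policy` block that guards `mount_domtrans($1)`, so both grants exist only when the mount module is present, and nothing on the visible lines says what needs them. `corecmd_exec_bin` in particular lets every domain passed to this interface run any `bin_t` program without a transition, so the reason should be recorded. A comment such as `# needed by <helper>: runs bin_t programs and stats the disk device` (with the real helper named) would do. The enclosing interface begins and ends outside the hunk.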
@@ -24303,7 +24434,7 @@
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -342,6 +383,8 @@
+@@ -342,6 +385,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -24312,7 +24443,7 @@
  	')
  
  	optional_policy(`
-@@ -356,6 +399,28 @@
+@@ -356,6 +401,28 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -24341,7 +24472,7 @@
  ')
  
  ########################################
-@@ -369,12 +434,12 @@
+@@ -369,12 +436,12 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -24356,7 +24487,7 @@
  ##	</summary>
  ## </param>
  #
-@@ -386,6 +451,7 @@
+@@ -386,6 +453,7 @@
  	auth_domtrans_chk_passwd($1)
  	role $2 types system_chkpwd_t;
  	allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -24364,7 +24495,7 @@
  ')
  
  ########################################
-@@ -1457,6 +1523,7 @@
+@@ -1457,6 +1525,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -24372,7 +24503,7 @@
  	')
  ')
  
-@@ -1491,3 +1558,23 @@
+@@ -1491,3 +1560,23 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -24554,7 +24685,7 @@
 -
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-02-26 10:48:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/init.if	2008-02-26 14:08:51.000000000 -0500
 @@ -211,6 +211,13 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -24607,26 +24738,23 @@
  	')
  ')
  
-@@ -567,18 +575,46 @@
+@@ -567,23 +575,70 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
 -		type initrc_t, initrc_exec_t;
 +		type initrc_t;
 +		attribute initscript;
- 	')
- 
- 	files_list_etc($1)
--	domtrans_pattern($1,initrc_exec_t,initrc_t)
++	')
++
++	files_list_etc($1)
 +	domtrans_pattern($1,initscript,initrc_t)
- 
- 	ifdef(`enable_mcs',`
--		range_transition $1 initrc_exec_t:process s0;
++
++	ifdef(`enable_mcs',`
 +		range_transition $1 initscript:process s0;
- 	')
- 
- 	ifdef(`enable_mls',`
--		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++	')
++
++	ifdef(`enable_mls',`
 +		range_transition $1 initscript:process s0 - mls_systemhigh;
 +	')
 +')
@@ -24644,21 +24772,48 @@
 +interface(`init_script_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
-+
-+	files_list_etc($1)
+ 	')
+ 
+ 	files_list_etc($1)
+-	domtrans_pattern($1,initrc_exec_t,initrc_t)
 +	domtrans_pattern($1,$2,initrc_t)
-+
-+	ifdef(`enable_mcs',`
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
 +		range_transition $1 $2:process s0;
-+	')
-+
-+	ifdef(`enable_mls',`
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 $2:process s0 - mls_systemhigh;
  	')
  ')
  
-@@ -609,11 +645,11 @@
+ ########################################
+ ## <summary>
++##	Execute a file in a bin directory
++##	in the initrc_t domain 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_bin_domtrans_spec',`
++	gen_require(`
++		type initrc_t;
++	')
++
++	corecmd_bin_domtrans($1, initrc_t)
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -609,11 +664,11 @@
  # cjp: added for gentoo integrated run_init
  interface(`init_script_file_domtrans',`
  	gen_require(`
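Review bot: `init_bin_domtrans_spec` takes only `$1`, whereas `init_script_domtrans_spec` just above it uses `$2` as the entry type, so the `_spec` suffix suggests a specificity this interface does not have. Its summary, "Execute a file in a bin directory in the initrc_t domain", should state the property a caller needs to weigh, presumably that the transition applies to every `bin_t` executable, for example `##	Transition to initrc_t when executing any bin_t file.`. There is also trailing whitespace after `in the initrc_t domain` in the added summary.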
@@ -24672,7 +24827,7 @@
  ')
  
  ########################################
-@@ -684,11 +720,11 @@
+@@ -684,11 +739,11 @@
  #
  interface(`init_getattr_script_files',`
  	gen_require(`
@@ -24686,7 +24841,7 @@
  ')
  
  ########################################
-@@ -703,11 +739,11 @@
+@@ -703,11 +758,11 @@
  #
  interface(`init_exec_script_files',`
  	gen_require(`
@@ -24700,7 +24855,7 @@
  ')
  
  ########################################
-@@ -931,6 +967,7 @@
+@@ -931,6 +986,7 @@
  
  	dontaudit $1 initrc_t:unix_stream_socket connectto;
  ')
@@ -24708,7 +24863,7 @@
  ########################################
  ## <summary>
  ##	Send messages to init scripts over dbus.
-@@ -1030,11 +1067,11 @@
+@@ -1030,11 +1086,11 @@
  #
  interface(`init_read_script_files',`
  	gen_require(`
@@ -24722,7 +24877,7 @@
  ')
  
  ########################################
-@@ -1097,6 +1134,25 @@
+@@ -1097,6 +1153,25 @@
  
  ########################################
  ## <summary>
@@ -24748,7 +24903,7 @@
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1252,7 +1308,7 @@
+@@ -1252,7 +1327,7 @@
  		type initrc_var_run_t;
  	')
  
@@ -24757,7 +24912,7 @@
  ')
  
  ########################################
-@@ -1273,3 +1329,112 @@
+@@ -1273,3 +1348,114 @@
  	files_search_pids($1)
  	allow $1 initrc_var_run_t:file manage_file_perms;
  ')
@@ -24870,6 +25025,8 @@
 +	allow $1 init_t:unix_dgram_socket sendto;
 +	allow init_t $1:unix_dgram_socket sendto;
 +')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-02-26 10:49:22.000000000 -0500


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.616
retrieving revision 1.617
diff -u -r1.616 -r1.617
--- selinux-policy.spec	26 Feb 2008 16:15:00 -0000	1.616
+++ selinux-policy.spec	26 Feb 2008 19:24:53 -0000	1.617
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,8 +388,12 @@
 %endif
 
 %changelog
+* Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-3
+
 * Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-2
-- 
+- Fix Makefile.devel to build mls modules
+- Fix qemu to be more specific on labeling
+
 
 * Tue Feb 26 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-1
 - Update to upstream fixes



