rpms/selinux-policy/devel policy-20071130.patch, 1.32, 1.33 selinux-policy.spec, 1.583, 1.584

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jan 14 19:47:17 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13853

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Jan 14 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-12
- Allow users to execute all files in homedir, if boolean set
- Allow mount to read samba config


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- policy-20071130.patch	13 Jan 2008 14:01:50 -0000	1.32
+++ policy-20071130.patch	14 Jan 2008 19:47:11 -0000	1.33
@@ -4546,8 +4546,16 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2007-12-31 07:12:10.000000000 -0500
-@@ -122,6 +122,8 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2008-01-14 13:32:12.000000000 -0500
+@@ -82,6 +82,7 @@
+ network_port(clockspeed, udp,4041,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
+ network_port(comsat, udp,512,s0)
++network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dbskkd, tcp,1178,s0)
+@@ -122,6 +123,8 @@
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
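Review bot: The new `network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)` labels UDP 32771, which sits inside the 32768–61000 range that the 2.6-era default `ip_local_port_range` hands out as ephemeral ports, so an unrelated domain that is autobound to that port would find itself on cyphesis_port_t instead of port_t. Worth confirming cyphesis really listens on a fixed UDP port there, especially since the cyphesis domain added later in this same commit binds only TCP (`corenet_tcp_cyphesis_bind`) and has its UDP rule commented out, leaving the UDP portcon with no consumer. Smaller point: the table is kept alphabetical and `cyphesis` sorts after `cvs`, so the line belongs one position lower.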
@@ -4556,7 +4564,7 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -133,6 +135,7 @@
+@@ -133,6 +136,7 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
@@ -4564,6 +4572,256 @@
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postgresql, tcp,5432,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in.cyphesis	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in.cyphesis	2007-12-31 07:12:10.000000000 -0500
+@@ -0,0 +1,246 @@
++
++policy_module(corenetwork,1.2.14)
++
++########################################
++#
++# Declarations
++#
++
++attribute client_packet_type;
++attribute netif_type;
++attribute node_type;
++attribute packet_type;
++attribute port_type;
++attribute reserved_port_type;
++attribute rpc_port_type;
++attribute server_packet_type;
++
++attribute corenet_unconfined_type;
++
++type ppp_device_t;
++dev_node(ppp_device_t)
++
++#
++# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
++#
++type tun_tap_device_t;
++dev_node(tun_tap_device_t)
++
++########################################
++#
++# Ports and packets
++#
++
++#
++# client_packet_t is the default type of IPv4 and IPv6 client packets.
++#
++type client_packet_t, packet_type, client_packet_type;
++
++#
++# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
++# connections using NetLabel which do not carry full SELinux contexts.
++#
++type netlabel_peer_t;
++sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
++
++#
++# port_t is the default type of INET port numbers.
++#
++type port_t, port_type;
++sid port gen_context(system_u:object_r:port_t,s0)
++
++#
++# reserved_port_t is the type of INET port numbers below 1024.
++#
++type reserved_port_t, port_type, reserved_port_type;
++
++#
++# hi_reserved_port_t is the type of INET port numbers between 600-1023.
++#
++type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
++
++#
++# server_packet_t is the default type of IPv4 and IPv6 server packets.
++#
++type server_packet_t, packet_type, server_packet_type;
++
++network_port(afs_bos, udp,7007,s0)
++network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
++network_port(afs_ka, udp,7004,s0)
++network_port(afs_pt, udp,7002,s0)
++network_port(afs_vl, udp,7003,s0)
++network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
++network_port(amavisd_recv, tcp,10024,s0)
++network_port(amavisd_send, tcp,10025,s0)
++network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) 
++network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
++network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
++network_port(auth, tcp,113,s0)
++network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
++type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
++network_port(clamd, tcp,3310,s0)
++network_port(clockspeed, udp,4041,s0)
++network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
++network_port(comsat, udp,512,s0)
++network_port(cvs, tcp,2401,s0, udp,2401,s0)
++network_port(dcc, udp,6276,s0, udp,6277,s0)
++network_port(dbskkd, tcp,1178,s0)
++network_port(dhcpc, udp,68,s0)
++network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
++network_port(dict, tcp,2628,s0)
++network_port(distccd, tcp,3632,s0)
++network_port(dns, udp,53,s0, tcp,53,s0)
++network_port(fingerd, tcp,79,s0)
++network_port(ftp_data, tcp,20,s0)
++network_port(ftp, tcp,21,s0)
++network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
++network_port(giftd, tcp,1213,s0)
++network_port(gopher, tcp,70,s0, udp,70,s0)
++network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
++network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
++network_port(howl, tcp,5335,s0, udp,5353,s0)
++network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
++network_port(i18n_input, tcp,9010,s0)
++network_port(imaze, tcp,5323,s0, udp,5323,s0)
++network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
++network_port(innd, tcp,119,s0)
++network_port(ipp, tcp,631,s0, udp,631,s0)
++network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
++network_port(ircd, tcp,6667,s0)
++network_port(isakmp, udp,500,s0)
++network_port(iscsi, tcp,3260,s0)
++network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
++network_port(jabber_interserver, tcp,5269,s0)
++network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
++network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
++network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
++network_port(ktalkd, udp,517,s0, udp,518,s0)
++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
++type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
++network_port(lmtp, tcp,24,s0, udp,24,s0)
++network_port(mail, tcp,2000,s0)
++network_port(mmcc, tcp,5050,s0, udp,5050,s0)
++network_port(monopd, tcp,1234,s0)
++network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(munin, tcp,4949,s0, udp,4949,s0)
++network_port(mythtv, tcp,6543,s0, udp,6543,s0)
++network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
++portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
++network_port(nessus, tcp,1241,s0)
++network_port(netsupport, tcp,5405,s0, udp,5405,s0)
++network_port(nmbd, udp,137,s0, udp,138,s0)
++network_port(ntp, udp,123,s0)
++network_port(ocsp, tcp,9080,s0)
++network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(pegasus_http, tcp,5988,s0)
++network_port(pegasus_https, tcp,5989,s0)
++network_port(postfix_policyd, tcp,10031,s0)
++network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
++network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
++network_port(portmap, udp,111,s0, tcp,111,s0)
++network_port(postgresql, tcp,5432,s0)
++network_port(postgrey, tcp,60000,s0)
++network_port(printer, tcp,515,s0)
++network_port(ptal, tcp,5703,s0)
++network_port(pxe, udp,4011,s0)
++network_port(pyzor, udp,24441,s0)
++network_port(radacct, udp,1646,s0, udp,1813,s0)
++network_port(radius, udp,1645,s0, udp,1812,s0)
++network_port(razor, tcp,2703,s0)
++network_port(ricci, tcp,11111,s0, udp,11111,s0)
++network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
++network_port(rlogind, tcp,513,s0)
++network_port(rndc, tcp,953,s0)
++network_port(router, udp,520,s0)
++network_port(rsh, tcp,514,s0)
++network_port(rsync, tcp,873,s0, udp,873,s0)
++network_port(rwho, udp,513,s0)
++network_port(smbd, tcp,139,s0, tcp,445,s0)
++network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
++network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
++network_port(spamd, tcp,783,s0)
++network_port(ssh, tcp,22,s0)
++network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
++type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
++type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
++network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
++network_port(swat, tcp,901,s0)
++network_port(syslogd, udp,514,s0)
++network_port(telnetd, tcp,23,s0)
++network_port(tftp, udp,69,s0)
++network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
++network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
++network_port(transproxy, tcp,8081,s0)
++type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
++network_port(uucpd, tcp,540,s0)
++network_port(vnc, tcp,5900,s0)
++network_port(wccp, udp,2048,s0)
++network_port(xdmcp, udp,177,s0, tcp,177,s0)
++network_port(xen, tcp,8002,s0)
++network_port(xfs, tcp,7100,s0)
++network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
++network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
++network_port(zope, tcp,8021,s0)
++
++# Defaults for reserved ports.  Earlier portcon entries take precedence;
++# these entries just cover any remaining reserved ports not otherwise declared.
++
++portcon tcp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
++portcon udp 600-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
++portcon tcp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon udp 1-599 gen_context(system_u:object_r:reserved_port_t, s0)
++
++########################################
++#
++# Network nodes
++#
++
++#
++# node_t is the default type of network nodes.
++# The node_*_t types are used for specific network
++# nodes in net_contexts or net_contexts.mls.
++#
++type node_t, node_type;
++sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
++
++network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
++network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
++type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
++network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
++network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
++network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
++network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
++network_node(site_local, s0, fec0::, ffc0::)
++network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
++
++########################################
++#
++# Network Interfaces
++#
++
++#
++# netif_t is the default type of network interfaces.
++#
++type netif_t, netif_type;
++sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
++
++build_option(`enable_mls',`
++network_interface(lo, lo,s0 - mls_systemhigh)
++',`
++typealias netif_t alias netif_lo_t;
++')
++
++########################################
++#
++# Unconfined access to this module
++#
++
++allow corenet_unconfined_type node_type:node *;
++allow corenet_unconfined_type netif_type:netif *;
++allow corenet_unconfined_type packet_type:packet *;
++allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
++allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
++
++# Bind to any network address.
++allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
++allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.2.5/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-12-12 11:35:27.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/kernel/devices.fc	2007-12-31 08:18:04.000000000 -0500
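Review bot: The new file `policy/modules/kernel/corenetwork.te.in.cyphesis` added by this hunk looks like a stray working copy of `corenetwork.te.in` rather than intended policy: it re-declares the whole corenetwork module (`policy_module(corenetwork,1.2.14)` plus every port, node and netif declaration), carries the 2007-12-31 timestamp of the pre-edit file, and lacks the cyphesis port that the real corenetwork.te.in gains in the same commit. Even if the build only consumes `*.te.in` and ignores the extra suffix, shipping a second copy of the module source in the patch is confusing and will drift from the real file; it should be removed from the patch. If it is deliberate, a one-line comment at its top explaining why would spare the next reader the same question.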
@@ -5193,7 +5451,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.2.5/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/amavis.te	2007-12-19 09:38:10.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/amavis.te	2008-01-14 13:46:45.000000000 -0500
 @@ -65,6 +65,7 @@
  # Spool Files
  manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
@@ -7172,9 +7430,139 @@
 -optional_policy(`
 -	nscd_socket_use(cvs_t)
 -')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.2.5/policy/modules/services/cyphesis.fc
+--- nsaserefpolicy/policy/modules/services/cyphesis.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cyphesis.fc	2008-01-14 13:52:50.000000000 -0500
+@@ -0,0 +1,2 @@
++
++/usr/bin/cyphesis		--	gen_context(system_u:object_r:cyphesis_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.2.5/policy/modules/services/cyphesis.if
+--- nsaserefpolicy/policy/modules/services/cyphesis.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cyphesis.if	2008-01-14 13:52:25.000000000 -0500
+@@ -0,0 +1,19 @@
++## <summary>policy for cyphesis</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run cyphesis.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cyphesis_domtrans',`
++	gen_require(`
++		type cyphesis_t, cyphesis_exec_t;
++	')
++
++	domtrans_pattern($1,cyphesis_exec_t,cyphesis_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.te serefpolicy-3.2.5/policy/modules/services/cyphesis.te
+--- nsaserefpolicy/policy/modules/services/cyphesis.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cyphesis.te	2008-01-14 14:41:56.000000000 -0500
+@@ -0,0 +1,97 @@
++policy_module(cyphesis,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cyphesis_t;
++type cyphesis_exec_t;
++domain_type(cyphesis_t)
++init_daemon_domain(cyphesis_t, cyphesis_exec_t)
++
++type cyphesis_var_run_t;
++files_pid_file(cyphesis_var_run_t)
++
++type cyphesis_log_t;
++logging_file(cyphesis_log_t)
++
++type cyphesis_tmp_t;
++files_tmp_file(cyphesis_tmp_t)
++
++########################################
++#
++# cyphesis local policy
++#
++
++allow cyphesis_t self:process { setfscreate setsched signal };
++allow cyphesis_t self:fifo_file rw_fifo_file_perms;
++allow cyphesis_t self:tcp_socket create_stream_socket_perms;
++allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
++allow cyphesis_t self:unix_dgram_socket create_socket_perms;
++allow cyphesis_t self:netlink_route_socket create_netlink_socket_perms;
++
++# DAN> What is cyphesis looking for in /bin?
++corecmd_search_bin(cyphesis_t)
++corecmd_getattr_bin_files(cyphesis_t)
++
++manage_files_pattern(cyphesis_t, cyphesis_log_t, cyphesis_log_t)
++logging_log_filetrans(cyphesis_t,cyphesis_log_t,file)
++
++# DAN > Does cyphesis really create a sock_file in /tmp?  Why?
++allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;
++files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)
++
++manage_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
++manage_sock_files_pattern(cyphesis_t, cyphesis_var_run_t, cyphesis_var_run_t)
++files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file })
++
++dev_read_urand(cyphesis_t)
++
++files_read_etc_files(cyphesis_t)
++files_read_usr_files(cyphesis_t)
++
++libs_use_ld_so(cyphesis_t)
++libs_use_shared_libs(cyphesis_t)
++
++miscfiles_read_localization(cyphesis_t)
++
++logging_send_syslog_msg(cyphesis_t)
++
++## Networking basics (adjust to your needs!)
++sysnet_dns_name_resolve(cyphesis_t)
++corenet_tcp_sendrecv_all_if(cyphesis_t)
++corenet_tcp_sendrecv_all_nodes(cyphesis_t)
++corenet_all_recvfrom_unlabeled(cyphesis_t)
++corenet_tcp_bind_all_nodes(cyphesis_t)
++corenet_tcp_cyphesis_bind(cyphesis_t)
++corenet_tcp_sendrecv_all_ports(cyphesis_t)
++
++# DAN  Do you really need this?  
++# For communication with the metaserver
++# allow cyphesis_t port_t:udp_socket { recv_msg send_msg };
++
++# Init script handling
++domain_use_interactive_fds(cyphesis_t)
++
++kernel_read_system_state(cyphesis_t)
++kernel_read_kernel_sysctls(cyphesis_t)
++
++# cyphesis wants to talk to avahi via dbus
++optional_policy(`
++
++	dbus_system_bus_client_template(cyphesis_t)
++
++	optional_policy(`
++		avahi_dbus_chat(cyphesis_t)
++	')
++')
++
++optional_policy(`
++	postgresql_stream_connect(cyphesis_t)
++')
++
++optional_policy(`
++	kerberos_use(cyphesis_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-08 10:52:45.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.if	2008-01-14 14:20:38.000000000 -0500
 @@ -53,6 +53,7 @@
  	gen_require(`
  		type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
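Review bot: In the new cyphesis.te the /tmp rules are internally inconsistent: the only permission on cyphesis_tmp_t is `allow cyphesis_t cyphesis_tmp_t:sock_file manage_sock_file_perms;`, yet `files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,file)` fires only for the `file` class, so a socket created in /tmp would be labeled tmp_t (which nothing in this module lets cyphesis_t create), while a regular file would get cyphesis_tmp_t with no rule allowing cyphesis_t to use it afterwards. If the daemon does create a socket there, as the comment above the rule wonders, the transition should read `files_tmp_filetrans(cyphesis_t,cyphesis_tmp_t,sock_file)`; if it creates files, add `manage_files_pattern(cyphesis_t, cyphesis_tmp_t, cyphesis_tmp_t)` instead. Separately, cyphesis.fc labels only /usr/bin/cyphesis, so the log and pid files produced through `logging_log_filetrans` and `files_pid_filetrans` have no file-context entries and would fall back to var_log_t/var_run_t on a relabel; entries for whatever paths cyphesis actually uses under /var/log and /var/run would make those labels survive restorecon.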
@@ -11509,7 +11897,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-31 15:42:11.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2008-01-14 11:54:22.000000000 -0500
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -11538,7 +11926,15 @@
  
  corenet_all_recvfrom_unlabeled(sendmail_t)
  corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -97,20 +102,35 @@
+@@ -69,6 +74,7 @@
+ 
+ # for piping mail to a command
+ corecmd_exec_shell(sendmail_t)
++corecmd_exec_bin(sendmail_t)
+ 
+ domain_use_interactive_fds(sendmail_t)
+ 
+@@ -97,20 +103,35 @@
  
  userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
  userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
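Review bot: `corecmd_exec_bin(sendmail_t)` lets sendmail_t run any bin_t program without leaving its own domain, a noticeable widening over the existing `corecmd_exec_shell`, and the change is not mentioned in the changelog for this release, which lists only the homedir-exec boolean and the mount/samba change. If the motivation is piping mail from aliases or .forward into a specific delivery agent, a domain transition into that agent's domain (where one exists) keeps the program confined instead of running as sendmail_t. Otherwise a short comment on the line naming the program that needed it, e.g. `# run from aliases/.forward; no dedicated domain`, plus a changelog entry would document why the broader rule is acceptable.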
@@ -11575,7 +11971,7 @@
  	postfix_exec_master(sendmail_t)
  	postfix_read_config(sendmail_t)
  	postfix_search_spool(sendmail_t)
-@@ -125,24 +145,25 @@
+@@ -125,24 +146,25 @@
  ')
  
  optional_policy(`
@@ -11762,14 +12158,14 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc	2008-01-09 09:00:58.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc	2008-01-14 11:58:23.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:user_spamassassin_home_t,s0)
  
  /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
  /usr/bin/spamassassin	--	gen_context(system_u:object_r:spamassassin_exec_t,s0)
-@@ -9,8 +9,11 @@
+@@ -9,8 +9,12 @@
  
  /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
  
@@ -11777,6 +12173,7 @@
 +
  /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
  /var/run/spamass-milter(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/milter-regex(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
  
  /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
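Review bot: The new `/var/spool/milter-regex(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)` reuses a spamd runtime-file type for the spool directory of a different program, so spamd_t gets whatever rights it holds on spamd_var_run_t over milter-regex's socket and state, and a relabel will stamp a /var/spool tree with a var_run type. If the goal is only to let the MTA reach the milter socket the way it reaches spamass-milter's, a comment saying so (`# milter-regex socket; treated like spamass-milter's`) would stop the next reader from "correcting" the label; a dedicated type would be cleaner if milter-regex ever gets its own module.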
@@ -12916,12 +13313,12 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.5/policy/modules/services/tftp.fc
 --- nsaserefpolicy/policy/modules/services/tftp.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/tftp.fc	2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/tftp.fc	2008-01-14 12:49:13.000000000 -0500
 @@ -4,3 +4,4 @@
  
  /tftpboot		-d	gen_context(system_u:object_r:tftpdir_t,s0)
  /tftpboot/.*			gen_context(system_u:object_r:tftpdir_t,s0)
-+/var/lib/tftp(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
++/var/lib/tftpboot(/.*)?		gen_context(system_u:object_r:tftpdir_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.5/policy/modules/services/w3c.fc
 --- nsaserefpolicy/policy/modules/services/w3c.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/w3c.fc	2007-12-19 05:38:09.000000000 -0500
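Review bot: Replacing `/var/lib/tftp(/.*)?` with `/var/lib/tftpboot(/.*)?` removes the old pattern outright, so a deployment already serving from /var/lib/tftp loses its tftpdir_t label on the next relabel. If the earlier path was simply a typo this is fine; if both layouts exist in the field, keep both lines or fold them into one pattern such as `/var/lib/tftp(boot)?(/.*)?`.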
@@ -14955,8 +15352,16 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.5/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2007-12-31 05:53:37.000000000 -0500
-@@ -183,6 +183,7 @@
++++ serefpolicy-3.2.5/policy/modules/system/libraries.fc	2008-01-14 12:58:45.000000000 -0500
+@@ -133,6 +133,7 @@
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+@@ -183,6 +184,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -14964,7 +15369,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -242,7 +243,7 @@
+@@ -242,7 +244,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -14973,7 +15378,7 @@
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +293,8 @@
+@@ -292,6 +294,8 @@
  #
  # /var
  #
@@ -14982,7 +15387,7 @@
  /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
  
-@@ -304,3 +307,4 @@
+@@ -304,3 +308,4 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -15552,7 +15957,7 @@
 +/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/mount.te	2008-01-02 13:29:31.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/mount.te	2008-01-14 10:34:15.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -15652,7 +16057,15 @@
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -192,4 +206,26 @@
+@@ -182,6 +196,7 @@
+ 
+ optional_policy(`
+ 	samba_domtrans_smbmount(mount_t)
++	samba_read_config(mount_t)
+ ')
+ 
+ ########################################
+@@ -192,4 +207,26 @@
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -17073,7 +17486,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-08 05:05:58.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-14 09:58:38.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -17399,9 +17812,9 @@
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1_t)
 +	tunable_policy(`allow_$1_exec_content', `
-+		can_exec($1_usertype,user_home_t)
++		can_exec($1_usertype,user_home_type)
 +	',`
-+		dontaudit $1_usertype user_home_t:file execute;
++		dontaudit $1_usertype user_home_type:file execute;
  	')
  
 -	tunable_policy(`use_samba_home_dirs',`
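Review bot: Switching the tunable from `user_home_t` to the `user_home_type` attribute widens `allow_$1_exec_content` from files the user wrote to every home-directory type carrying that attribute, which in this patch includes per-application types such as `user_spamassassin_home_t` (see the spamassassin.fc hunk) and presumably similar types for other confined applications; with the boolean on, content a confined application dropped into its own home type becomes executable in the user domain. That matches the changelog line "Allow users to execute all files in homedir, if boolean set", but the boolean's `<desc>` text, which lives outside this hunk where the tunable is declared, should state it, e.g. "Allow users to execute any file in their home directory, including files written there by confined applications." The `dontaudit` arm is changed consistently, so nothing else in the hunk needs adjusting. The template this tunable belongs to starts and ends outside the hunk.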


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.583
retrieving revision 1.584
diff -u -r1.583 -r1.584
--- selinux-policy.spec	13 Jan 2008 13:20:05 -0000	1.583
+++ selinux-policy.spec	14 Jan 2008 19:47:11 -0000	1.584
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,10 @@
 %endif
 
 %changelog
+* Mon Jan 14 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-12
+- Allow users to execute all files in homedir, if boolean set
+- Allow mount to read samba config
+
 * Sun Jan 13 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-11
 - Fixes for xguest to run java plugin
 



