rpms/selinux-policy/devel policy-F13.patch, 1.28, 1.29 selinux-policy.spec, 1.952, 1.953
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Jan 5 22:09:03 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv473
Modified Files:
policy-F13.patch selinux-policy.spec
Log Message:
* Tue Jan 5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.5-7
- Add cobbler policy from dgrift
policy-F13.patch:
Makefile | 2
policy/global_tunables | 24
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 2
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.te | 5
policy/modules/admin/logrotate.te | 28
policy/modules/admin/logwatch.te | 8
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 4
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.fc | 1
policy/modules/admin/prelink.if | 23
policy/modules/admin/prelink.te | 78 +
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 21
policy/modules/admin/rpm.if | 344 ++++++
policy/modules/admin/rpm.te | 98 +
policy/modules/admin/shorewall.fc | 5
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 9
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 12
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 35
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 4
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 86 +
policy/modules/apps/chrome.te | 84 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 42
policy/modules/apps/execmem.if | 103 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 23
policy/modules/apps/firewallgui.te | 64 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 13
policy/modules/apps/gnome.if | 203 +++
policy/modules/apps/gnome.te | 113 +-
policy/modules/apps/java.fc | 23
policy/modules/apps/java.if | 113 +-
policy/modules/apps/java.te | 18
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 67 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 27
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 321 +++++
policy/modules/apps/nsplugin.te | 296 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 92 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 2
policy/modules/apps/ptchown.if | 24
policy/modules/apps/pulseaudio.fc | 3
policy/modules/apps/pulseaudio.if | 42
policy/modules/apps/pulseaudio.te | 19
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 83 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 61 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 223 +++
policy/modules/apps/sandbox.te | 343 ++++++
policy/modules/apps/screen.if | 1
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 120 ++
policy/modules/apps/seunshare.if | 2
policy/modules/apps/seunshare.te | 3
policy/modules/apps/slocate.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 114 ++
policy/modules/apps/wine.te | 32
policy/modules/kernel/corecommands.fc | 33
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 46
policy/modules/kernel/devices.fc | 4
policy/modules/kernel/devices.if | 72 +
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.if | 174 ++-
policy/modules/kernel/domain.te | 103 +
policy/modules/kernel/files.fc | 9
policy/modules/kernel/files.if | 483 ++++++++
policy/modules/kernel/files.te | 12
policy/modules/kernel/filesystem.if | 232 ++++
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 58 +
policy/modules/kernel/kernel.te | 27
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.if | 27
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 125 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 667 +++++++++++
policy/modules/roles/unconfineduser.te | 443 +++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 70 +
policy/modules/services/abrt.fc | 8
policy/modules/services/abrt.if | 139 ++
policy/modules/services/abrt.te | 128 ++
policy/modules/services/afs.fc | 2
policy/modules/services/afs.te | 2
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 +
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/amavis.te | 1
policy/modules/services/apache.fc | 54
policy/modules/services/apache.if | 489 ++++++--
policy/modules/services/apache.te | 458 ++++++--
policy/modules/services/apm.te | 4
policy/modules/services/arpwatch.te | 2
policy/modules/services/asterisk.if | 53
policy/modules/services/asterisk.te | 41
policy/modules/services/automount.te | 2
policy/modules/services/avahi.te | 13
policy/modules/services/bind.if | 61 +
policy/modules/services/bluetooth.if | 21
policy/modules/services/bluetooth.te | 12
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.fc | 1
policy/modules/services/certmonger.fc | 6
policy/modules/services/certmonger.if | 217 +++
policy/modules/services/certmonger.te | 74 +
policy/modules/services/cgroup.fc | 7
policy/modules/services/cgroup.if | 35
policy/modules/services/cgroup.te | 88 +
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 +
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 21
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 9
policy/modules/services/cobbler.if | 186 +++
policy/modules/services/cobbler.te | 115 ++
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 23
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 +
policy/modules/services/corosync.te | 110 +
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 74 +
policy/modules/services/cron.te | 84 +
policy/modules/services/cups.fc | 14
policy/modules/services/cups.te | 56 -
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 3
policy/modules/services/dbus.if | 53
policy/modules/services/dbus.te | 31
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/denyhosts.fc | 7
policy/modules/services/denyhosts.if | 90 +
policy/modules/services/denyhosts.te | 72 +
policy/modules/services/devicekit.fc | 3
policy/modules/services/devicekit.if | 20
policy/modules/services/devicekit.te | 77 +
policy/modules/services/dhcp.if | 19
policy/modules/services/dnsmasq.fc | 1
policy/modules/services/dnsmasq.if | 38
policy/modules/services/dnsmasq.te | 19
policy/modules/services/dovecot.fc | 1
policy/modules/services/dovecot.te | 48
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.if | 40
policy/modules/services/fetchmail.te | 3
policy/modules/services/fprintd.te | 5
policy/modules/services/ftp.te | 64 +
policy/modules/services/git.fc | 8
policy/modules/services/git.if | 286 +++++
policy/modules/services/git.te | 166 ++
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 51
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 4
policy/modules/services/kerberos.if | 6
policy/modules/services/kerberos.te | 3
policy/modules/services/ksmtuned.fc | 5
policy/modules/services/ksmtuned.if | 76 +
policy/modules/services/ksmtuned.te | 46
policy/modules/services/ktalk.te | 1
policy/modules/services/ldap.fc | 2
policy/modules/services/ldap.if | 38
policy/modules/services/lircd.fc | 2
policy/modules/services/lircd.if | 9
policy/modules/services/lircd.te | 34
policy/modules/services/mailman.fc | 8
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/modemmanager.te | 5
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 31
policy/modules/services/mta.te | 38
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 6
policy/modules/services/mysql.if | 38
policy/modules/services/mysql.te | 21
policy/modules/services/nagios.fc | 46
policy/modules/services/nagios.if | 126 ++
policy/modules/services/nagios.te | 192 ++-
policy/modules/services/networkmanager.fc | 16
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 120 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 23
policy/modules/services/ntop.fc | 1
policy/modules/services/ntop.te | 34
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 16
policy/modules/services/nut.if | 58 +
policy/modules/services/nut.te | 188 +++
policy/modules/services/nx.fc | 10
policy/modules/services/nx.if | 67 +
policy/modules/services/nx.te | 13
policy/modules/services/oddjob.if | 1
policy/modules/services/oddjob.te | 5
policy/modules/services/openvpn.te | 6
policy/modules/services/pcscd.if | 38
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 322 +++++
policy/modules/services/plymouth.te | 102 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 71 +
policy/modules/services/policykit.te | 67 -
policy/modules/services/portreserve.te | 3
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 143 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 60 +
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 17
policy/modules/services/prelude.te | 1
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rdisc.if | 19
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 187 +++
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 367 ++++++
policy/modules/services/rhcs.te | 410 +++++++
policy/modules/services/ricci.te | 31
policy/modules/services/rpc.fc | 4
policy/modules/services/rpc.if | 45
policy/modules/services/rpc.te | 27
policy/modules/services/rsync.fc | 1
policy/modules/services/rsync.if | 38
policy/modules/services/rsync.te | 28
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 4
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 138 ++
policy/modules/services/samba.te | 109 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 88 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 124 ++
policy/modules/services/setroubleshoot.te | 83 +
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/snort.te | 9
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 107 +
policy/modules/services/spamassassin.te | 139 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 207 +++
policy/modules/services/ssh.te | 154 ++
policy/modules/services/sssd.fc | 5
policy/modules/services/sssd.if | 80 +
policy/modules/services/sssd.te | 17
policy/modules/services/sysstat.te | 5
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.fc | 2
policy/modules/services/tftp.if | 38
policy/modules/services/tgtd.if | 17
policy/modules/services/tor.te | 13
policy/modules/services/tuned.te | 1
policy/modules/services/uucp.te | 10
policy/modules/services/vhostmd.fc | 6
policy/modules/services/vhostmd.if | 228 ++++
policy/modules/services/vhostmd.te | 86 +
policy/modules/services/virt.fc | 13
policy/modules/services/virt.if | 210 +++
policy/modules/services/virt.te | 297 +++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 40
policy/modules/services/xserver.if | 353 ++++++
policy/modules/services/xserver.te | 365 +++++-
policy/modules/services/zebra.if | 20
policy/modules/system/application.te | 7
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 210 +++
policy/modules/system/authlogin.te | 11
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 5
policy/modules/system/getty.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 164 ++
policy/modules/system/init.te | 299 ++++-
policy/modules/system/ipsec.fc | 4
policy/modules/system/ipsec.if | 65 -
policy/modules/system/ipsec.te | 29
policy/modules/system/iptables.fc | 9
policy/modules/system/iptables.te | 15
policy/modules/system/iscsi.te | 7
policy/modules/system/kdump.te | 2
policy/modules/system/libraries.fc | 212 +++
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 20
policy/modules/system/logging.te | 38
policy/modules/system/lvm.te | 10
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 33
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.te | 20
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 59 +
policy/modules/system/mount.te | 90 +
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 +++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/sysnetwork.fc | 14
policy/modules/system/sysnetwork.if | 116 ++
policy/modules/system/sysnetwork.te | 79 +
policy/modules/system/udev.if | 1
policy/modules/system/udev.te | 12
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 -------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 7
policy/modules/system/userdomain.if | 1678 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 51
policy/modules/system/xen.if | 19
policy/modules/system/xen.te | 12
policy/support/obj_perm_sets.spt | 23
policy/users | 15
389 files changed, 20842 insertions(+), 2805 deletions(-)
Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F13.patch,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -p -r1.28 -r1.29
--- policy-F13.patch 4 Jan 2010 21:31:53 -0000 1.28
+++ policy-F13.patch 5 Jan 2010 22:09:02 -0000 1.29
@@ -1894,8 +1894,8 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.5/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/chrome.te 2009-12-21 13:49:59.000000000 -0500
-@@ -0,0 +1,83 @@
++++ serefpolicy-3.7.5/policy/modules/apps/chrome.te 2010-01-05 11:37:05.000000000 -0500
+@@ -0,0 +1,84 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -1961,7 +1961,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
+
+optional_policy(`
-+ gnome_write_inherited_config(chrome_sandbox_t)
++ gnome_rw_inherited_config(chrome_sandbox_t)
++ gnome_list_home_config(chrome_sandbox_t)
+')
+
+optional_policy(`
@@ -2338,8 +2339,8 @@ diff --exclude-from=exclude -N -u -r nsa
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.5/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/apps/gnome.if 2009-12-21 13:07:09.000000000 -0500
-@@ -84,10 +84,201 @@
++++ serefpolicy-3.7.5/policy/modules/apps/gnome.if 2010-01-05 10:04:21.000000000 -0500
+@@ -84,10 +84,207 @@
#
interface(`gnome_manage_config',`
gen_require(`
@@ -2377,12 +2378,6 @@ diff --exclude-from=exclude -N -u -r nsa
+## <summary>
+## read gnome homedir content (.config)
+## </summary>
-+## <param name="userdomain_prefix">
-+## <summary>
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+## </summary>
-+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
@@ -2403,12 +2398,6 @@ diff --exclude-from=exclude -N -u -r nsa
+## <summary>
+## read gconf config files
+## </summary>
-+## <param name="userdomain_prefix">
-+## <summary>
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+## </summary>
-+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
@@ -2529,7 +2518,25 @@ diff --exclude-from=exclude -N -u -r nsa
+
+########################################
+## <summary>
-+## Write all inherited gnome home config
++## read gnome homedir content (.config)
++## </summary>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++#
++template(`gnome_list_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ allow $1 config_home_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
++## Read/Write all inherited gnome home config
+## </summary>
+## <param name="domain">
+## <summary>
@@ -2537,7 +2544,7 @@ diff --exclude-from=exclude -N -u -r nsa
+## </summary>
+## </param>
+#
-+interface(`gnome_write_inherited_config',`
++interface(`gnome_rw_inherited_config',`
+ gen_require(`
+ attribute gnome_home_type;
+ ')
@@ -4737,8 +4744,8 @@ diff --exclude-from=exclude -N -u -r nsa
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.5/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-22 11:04:52.000000000 -0500
-@@ -0,0 +1,222 @@
++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2010-01-05 17:01:46.000000000 -0500
+@@ -0,0 +1,223 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -4845,9 +4852,10 @@ diff --exclude-from=exclude -N -u -r nsa
+#
+template(`sandbox_x_domain_template',`
+ gen_require(`
-+ type xserver_exec_t;
++ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ attribute sandbox_domain, sandbox_x_domain;
++ attribute sandbox_file_type;
+ ')
+
+ type $1_t, sandbox_x_domain;
@@ -4963,8 +4971,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-23 12:55:41.000000000 -0500
-@@ -0,0 +1,342 @@
++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2010-01-05 15:56:30.000000000 -0500
+@@ -0,0 +1,343 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -4977,6 +4985,7 @@ diff --exclude-from=exclude -N -u -r nsa
+#
+
+sandbox_domain_template(sandbox)
++sandbox_x_domain_template(sandbox_min)
+sandbox_x_domain_template(sandbox_x)
+sandbox_x_domain_template(sandbox_web)
+sandbox_x_domain_template(sandbox_net)
@@ -5067,7 +5076,7 @@ diff --exclude-from=exclude -N -u -r nsa
+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
-+allow sandbox_domain self:unix_dgram_socket create_socket_perms;
++allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+
+gen_require(`
+ type usr_t, lib_t, locale_t;
@@ -5124,7 +5133,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
-+#auth_use_nsswitch(sandbox_x_domain)
++auth_use_nsswitch(sandbox_x_domain)
+auth_search_pam_console_data(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
@@ -5178,7 +5187,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
-+#auth_use_nsswitch(sandbox_x_client_t)
++auth_use_nsswitch(sandbox_x_client_t)
+
+dbus_system_bus_client(sandbox_x_client_t)
+dbus_read_config(sandbox_x_client_t)
@@ -5238,7 +5247,7 @@ diff --exclude-from=exclude -N -u -r nsa
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
-+#auth_use_nsswitch(sandbox_web_client_t)
++auth_use_nsswitch(sandbox_web_client_t)
+
+dbus_system_bus_client(sandbox_web_client_t)
+dbus_read_config(sandbox_web_client_t)
@@ -5281,7 +5290,7 @@ diff --exclude-from=exclude -N -u -r nsa
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
-+#auth_use_nsswitch(sandbox_net_client_t)
++auth_use_nsswitch(sandbox_net_client_t)
+
+dbus_system_bus_client(sandbox_net_client_t)
+dbus_read_config(sandbox_net_client_t)
@@ -5818,7 +5827,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2010-01-04 12:10:28.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/corenetwork.te.in 2010-01-05 10:16:34.000000000 -0500
@@ -65,6 +65,7 @@
type server_packet_t, packet_type, server_packet_type;
@@ -5827,7 +5836,11 @@ diff --exclude-from=exclude -N -u -r nsa
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
-@@ -87,32 +88,41 @@
+@@ -84,35 +85,45 @@
+ network_port(clamd, tcp,3310,s0)
+ network_port(clockspeed, udp,4041,s0)
+ network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
++network_port(cobbler, tcp,25151,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
@@ -5872,7 +5885,7 @@ diff --exclude-from=exclude -N -u -r nsa
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
-@@ -128,8 +138,9 @@
+@@ -128,8 +139,9 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
@@ -5883,7 +5896,7 @@ diff --exclude-from=exclude -N -u -r nsa
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
-@@ -138,21 +149,29 @@
+@@ -138,21 +150,29 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -5914,7 +5927,7 @@ diff --exclude-from=exclude -N -u -r nsa
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -172,30 +191,38 @@
+@@ -172,30 +192,38 @@
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -5956,7 +5969,7 @@ diff --exclude-from=exclude -N -u -r nsa
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-@@ -224,6 +251,8 @@
+@@ -224,6 +252,8 @@
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
@@ -6550,7 +6563,7 @@ diff --exclude-from=exclude -N -u -r nsa
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2010-01-04 15:43:02.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/files.if 2010-01-05 10:16:34.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -6614,7 +6627,32 @@ diff --exclude-from=exclude -N -u -r nsa
## Remove entries from the root directory.
## </summary>
## <param name="domain">
-@@ -2107,6 +2141,8 @@
+@@ -1504,6 +1538,24 @@
+
+ ########################################
+ ## <summary>
++## List the /boot directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_boot',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ allow $1 boot_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Search the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -2107,6 +2159,8 @@
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -6623,7 +6661,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -2189,6 +2225,24 @@
+@@ -2189,6 +2243,24 @@
########################################
## <summary>
@@ -6648,7 +6686,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2594,6 +2648,11 @@
+@@ -2594,6 +2666,11 @@
')
delete_files_pattern($1, file_t, file_t)
@@ -6660,7 +6698,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -3311,6 +3370,64 @@
+@@ -3311,6 +3388,64 @@
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -6725,7 +6763,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## Allow the specified type to associate
-@@ -3496,6 +3613,32 @@
+@@ -3496,6 +3631,32 @@
########################################
## <summary>
@@ -6758,7 +6796,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3709,6 +3852,8 @@
+@@ -3709,6 +3870,8 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -6767,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -3817,7 +3962,12 @@
+@@ -3817,7 +3980,12 @@
type usr_t;
')
@@ -6781,7 +6819,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -3856,6 +4006,7 @@
+@@ -3856,6 +4024,7 @@
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
@@ -6789,7 +6827,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -3880,6 +4031,24 @@
+@@ -3880,6 +4049,24 @@
########################################
## <summary>
@@ -6814,7 +6852,7 @@ diff --exclude-from=exclude -N -u -r nsa
## dontaudit write of /usr files
## </summary>
## <param name="domain">
-@@ -4500,6 +4669,24 @@
+@@ -4500,6 +4687,24 @@
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -6839,7 +6877,7 @@ diff --exclude-from=exclude -N -u -r nsa
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -4772,6 +4959,25 @@
+@@ -4772,6 +4977,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -6865,7 +6903,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## Do not audit attempts to search
-@@ -4831,6 +5037,24 @@
+@@ -4831,6 +5055,24 @@
########################################
## <summary>
@@ -6890,7 +6928,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Create an object in the process ID directory, with a private
## type using a type transition.
## </summary>
-@@ -4880,6 +5104,24 @@
+@@ -4880,6 +5122,24 @@
########################################
## <summary>
@@ -6915,7 +6953,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Do not audit attempts to write to daemon runtime data files.
## </summary>
## <param name="domain">
-@@ -4933,6 +5175,7 @@
+@@ -4933,6 +5193,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -6923,7 +6961,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -5001,6 +5244,24 @@
+@@ -5001,6 +5262,24 @@
########################################
## <summary>
@@ -6948,7 +6986,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5189,12 +5450,15 @@
+@@ -5189,12 +5468,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -6965,7 +7003,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -5215,3 +5479,192 @@
+@@ -5215,3 +5497,192 @@
typeattribute $1 files_unconfined_type;
')
@@ -10438,7 +10476,7 @@ diff --exclude-from=exclude -N -u -r nsa
sysnet_use_ldap(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.5/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/apache.fc 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/apache.fc 2010-01-05 11:53:09.000000000 -0500
@@ -2,11 +2,15 @@
/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
@@ -10471,7 +10509,7 @@ diff --exclude-from=exclude -N -u -r nsa
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -32,31 +39,51 @@
+@@ -32,14 +39,28 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -10500,10 +10538,9 @@ diff --exclude-from=exclude -N -u -r nsa
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
- /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
+@@ -47,16 +68,21 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -10523,7 +10560,7 @@ diff --exclude-from=exclude -N -u -r nsa
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
-@@ -64,11 +91,33 @@
+@@ -64,11 +90,33 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -10560,8 +10597,8 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-22 10:55:59.000000000 -0500
-@@ -13,21 +13,16 @@
++++ serefpolicy-3.7.5/policy/modules/services/apache.if 2010-01-05 10:16:34.000000000 -0500
+@@ -13,21 +13,17 @@
#
template(`apache_content_template',`
gen_require(`
@@ -10569,6 +10606,7 @@ diff --exclude-from=exclude -N -u -r nsa
attribute httpd_exec_scripts;
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
++ type httpd_sys_content_t;
')
- # allow write access to public file transfer
- # services files.
@@ -10585,7 +10623,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_type(httpd_$1_htaccess_t)
# Type that CGI scripts run as
-@@ -42,20 +37,22 @@
+@@ -42,20 +38,22 @@
# The following three are the only areas that
# scripts can read, read/write, or append to
@@ -10616,7 +10654,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow httpd_$1_script_t self:fifo_file rw_file_perms;
allow httpd_$1_script_t self:unix_stream_socket connectto;
-@@ -65,29 +62,26 @@
+@@ -65,29 +63,26 @@
dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
# Allow the script process to search the cgi directory, and users directory
@@ -10660,7 +10698,7 @@ diff --exclude-from=exclude -N -u -r nsa
kernel_dontaudit_search_sysctl(httpd_$1_script_t)
kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -96,6 +90,7 @@
+@@ -96,6 +91,7 @@
dev_read_urand(httpd_$1_script_t)
corecmd_exec_all_executables(httpd_$1_script_t)
@@ -10668,7 +10706,7 @@ diff --exclude-from=exclude -N -u -r nsa
files_exec_etc_files(httpd_$1_script_t)
files_read_etc_files(httpd_$1_script_t)
-@@ -109,34 +104,21 @@
+@@ -109,34 +105,21 @@
seutil_dontaudit_search_config(httpd_$1_script_t)
@@ -10716,7 +10754,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow httpd_t httpd_$1_content_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
-@@ -149,9 +131,13 @@
+@@ -149,9 +132,13 @@
# privileged users run the script:
domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
@@ -10730,10 +10768,12 @@ diff --exclude-from=exclude -N -u -r nsa
allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
-@@ -175,50 +161,6 @@
- miscfiles_read_localization(httpd_$1_script_t)
- ')
+@@ -173,50 +160,7 @@
+ libs_read_lib_files(httpd_$1_script_t)
+ miscfiles_read_localization(httpd_$1_script_t)
+- ')
+-
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
- allow httpd_$1_script_t self:udp_socket create_socket_perms;
@@ -10776,12 +10816,11 @@ diff --exclude-from=exclude -N -u -r nsa
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- mysql_tcp_connect(httpd_$1_script_t)
- ')
-- ')
--
++ allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
+ ')
+
optional_policy(`
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
- nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -227,15 +169,13 @@
+@@ -227,15 +171,13 @@
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
@@ -10799,7 +10838,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -258,8 +198,8 @@
+@@ -258,8 +200,8 @@
attribute httpdcontent;
type httpd_user_content_t, httpd_user_htaccess_t;
type httpd_user_script_t, httpd_user_script_exec_t;
@@ -10810,7 +10849,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
role $1 types httpd_user_script_t;
-@@ -268,26 +208,26 @@
+@@ -268,26 +210,26 @@
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
@@ -10857,7 +10896,7 @@ diff --exclude-from=exclude -N -u -r nsa
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
-@@ -365,6 +305,24 @@
+@@ -365,6 +307,24 @@
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -10882,7 +10921,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
## <summary>
## Send a null signal to apache.
-@@ -441,6 +399,25 @@
+@@ -441,6 +401,25 @@
########################################
## <summary>
## Do not audit attempts to read and write Apache
@@ -10908,7 +10947,7 @@ diff --exclude-from=exclude -N -u -r nsa
## TCP sockets.
## </summary>
## <param name="domain">
-@@ -503,6 +480,105 @@
+@@ -503,6 +482,105 @@
########################################
## <summary>
@@ -11014,7 +11053,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -579,7 +655,7 @@
+@@ -579,7 +657,7 @@
## </param>
## <param name="role">
## <summary>
@@ -11023,7 +11062,7 @@ diff --exclude-from=exclude -N -u -r nsa
## </summary>
## </param>
## <rolecap/>
-@@ -715,6 +791,7 @@
+@@ -715,6 +793,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -11031,7 +11070,35 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -782,6 +859,32 @@
+@@ -758,6 +837,27 @@
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to list
++## apache system content files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_list_sys_content',`
++ gen_require(`
++ type httpd_sys_content_t;
++ ')
++
++ list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
++ files_search_var($1)
++')
++
++########################################
++## <summary>
+ ## Allow the specified domain to manage
+ ## apache system content files.
+ ## </summary>
+@@ -782,6 +882,32 @@
########################################
## <summary>
@@ -11064,7 +11131,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Execute all web scripts in the system
## script domain.
## </summary>
-@@ -791,16 +894,18 @@
+@@ -791,16 +917,18 @@
## </summary>
## </param>
#
@@ -11087,7 +11154,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
')
-@@ -859,6 +964,8 @@
+@@ -859,6 +987,8 @@
## </summary>
## </param>
#
@@ -11096,7 +11163,7 @@ diff --exclude-from=exclude -N -u -r nsa
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +991,7 @@
+@@ -884,7 +1014,7 @@
type httpd_squirrelmail_t;
')
@@ -11105,7 +11172,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -1043,6 +1150,44 @@
+@@ -1043,6 +1173,44 @@
########################################
## <summary>
@@ -11150,7 +11217,7 @@ diff --exclude-from=exclude -N -u -r nsa
## All of the rules required to administrate an apache environment
## </summary>
## <param name="prefix">
-@@ -1072,11 +1217,17 @@
+@@ -1072,11 +1240,17 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -11168,7 +11235,7 @@ diff --exclude-from=exclude -N -u -r nsa
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
-@@ -1096,12 +1247,57 @@
+@@ -1096,12 +1270,57 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -11229,7 +11296,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/apache.te 2009-12-29 18:35:26.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/apache.te 2010-01-05 11:36:05.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -11640,15 +11707,15 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-+ cobbler_search_lib(httpd_t)
++ ccs_read_config(httpd_t)
+')
+
+optional_policy(`
-+ ccs_read_config(httpd_t)
++ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
-+ cvs_read_data(httpd_t)
++ cobbler_search_var_lib(httpd_t)
+')
+
+optional_policy(`
@@ -12343,22 +12410,38 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.5/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/bind.if 2010-01-04 16:21:41.000000000 -0500
-@@ -235,7 +235,7 @@
++++ serefpolicy-3.7.5/policy/modules/services/bind.if 2010-01-05 11:33:07.000000000 -0500
+@@ -2,6 +2,25 @@
########################################
## <summary>
--## Do not audit attempts to set the attributes
-+## Allow domain to set the attributes
- ## of the BIND pid directory.
++## Execute bind server in the bind domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`bind_initrc_domtrans',`
++ gen_require(`
++ type named_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, named_initrc_exec_t)
++')
++
++########################################
++## <summary>
+ ## Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
-@@ -254,6 +254,25 @@
+@@ -192,6 +211,25 @@
########################################
## <summary>
-+## Allow domain to set attributes
-+## of the BIND zone directory.
++## Manage BIND zone files.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -12366,46 +12449,56 @@ diff --exclude-from=exclude -N -u -r nsa
+## </summary>
+## </param>
+#
-+interface(`bind_setattr_zone_dirs',`
++interface(`bind_manage_zone',`
+ gen_require(`
+ type named_zone_t;
+ ')
+
-+ allow $1 named_zone_t:dir setattr;
++ files_search_var($1)
++ manage_files_pattern($1, named_zone_t, named_zone_t)
+')
+
+########################################
+## <summary>
- ## Read BIND zone files.
+ ## Search the BIND cache directory.
## </summary>
## <param name="domain">
-@@ -287,6 +306,25 @@
+@@ -235,7 +273,7 @@
########################################
## <summary>
-+## Execute bind server in the bind domain.
+-## Do not audit attempts to set the attributes
++## Allow domain to set the attributes
+ ## of the BIND pid directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -254,6 +292,25 @@
+
+ ########################################
+ ## <summary>
++## Allow domain to set attributes
++## of the BIND zone directory.
+## </summary>
+## <param name="domain">
+## <summary>
-+## The type of the process performing this action.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+#
-+interface(`bind_initrc_domtrans',`
++interface(`bind_setattr_zone_dirs',`
+ gen_require(`
-+ type named_initrc_exec_t;
++ type named_zone_t;
+ ')
+
-+ init_labeled_script_domtrans($1, named_initrc_exec_t)
++ allow $1 named_zone_t:dir setattr;
+')
+
+########################################
+## <summary>
- ## All of the rules required to administrate
- ## an bind environment
+ ## Read BIND zone files.
## </summary>
-@@ -319,7 +357,7 @@
+ ## <param name="domain">
+@@ -319,7 +376,7 @@
bind_run_ndc($1, $2)
@@ -13487,21 +13580,56 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.5/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/cobbler.fc 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,2 @@
++++ serefpolicy-3.7.5/policy/modules/services/cobbler.fc 2010-01-05 11:53:21.000000000 -0500
+@@ -0,0 +1,9 @@
++/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
++/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
+
-+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
++
++/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
++/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
++
++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.5/policy/modules/services/cobbler.if
--- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/cobbler.if 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,44 @@
++++ serefpolicy-3.7.5/policy/modules/services/cobbler.if 2010-01-05 14:48:53.000000000 -0500
+@@ -0,0 +1,186 @@
++## <summary>Cobbler installation server.</summary>
++## <desc>
++## <p>
++## Cobbler is a Linux installation server that allows for
++## rapid setup of network installation environments. It
++## glues together and automates many associated Linux
++## tasks so you do not have to hop between lots of various
++## commands and applications when rolling out new systems,
++## and, in some cases, changing existing ones.
++## </p>
++## </desc>
++
++########################################
+## <summary>
-+## Cobbler var_lib_t
++## Read Cobbler content in /etc
+## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cobbler_read_config',`
++ gen_require(`
++ type cobbler_etc_t;
++ ')
++
++ read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);
++ files_search_etc($1)
++')
+
+########################################
+## <summary>
-+## Read cobbler lib files.
++## Do not audit attempts to read and write
++## Cobbler log files (leaked fd).
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13509,20 +13637,55 @@ diff --exclude-from=exclude -N -u -r nsa
+## </summary>
+## </param>
+#
-+interface(`cobbler_read_lib_files',`
++interface(`cobbler_dontaudit_rw_log',`
++ gen_require(`
++ type cobbler_var_log_t;
++ ')
++
++ dontaudit $1 cobbler_var_log_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
++## Read cobbler files in /var/lib
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cobbler_read_var_lib_files',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
-+ allow $1 cobbler_var_lib_t:dir list_dir_perms;
+ files_search_var_lib($1)
+')
+
++########################################
++## <summary>
++## Manage cobbler files in /var/lib
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cobbler_manage_var_lib_files',`
++ gen_require(`
++ type cobbler_var_lib_t;
++ ')
++
++ manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ files_search_var_lib($1)
++')
+
+########################################
+## <summary>
-+## Read cobbler lib files.
++## Search cobbler dirs in /var/lib
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13530,24 +13693,213 @@ diff --exclude-from=exclude -N -u -r nsa
+## </summary>
+## </param>
+#
-+interface(`cobbler_search_lib',`
++interface(`cobbler_search_var_lib',`
+ gen_require(`
+ type cobbler_var_lib_t;
+ ')
+
-+ allow $1 cobbler_var_lib_t:dir search_dir_perms;
++ search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ files_search_var_lib($1)
+')
+
++########################################
++## <summary>
++## Execute a domain transition to run cobblerd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cobblerd_domtrans',`
++ gen_require(`
++ type cobblerd_t, cobblerd_exec_t;
++ ')
++
++ domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
++')
++
++########################################
++## <summary>
++## Execute cobblerd server in the cobblerd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`cobblerd_initrc_domtrans',`
++ gen_require(`
++ type cobblerd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an cobblerd environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`cobblerd_admin',`
++ gen_require(`
++ type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
++ type cobbler_etc_t;
++ type httpd_cobbler_content_rw_t;
++ ')
++
++ allow $1 cobblerd_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, cobblerd_t, cobblerd_t)
++
++ files_search_etc($1)
++ admin_pattern($1, cobbler_etc_t)
++
++ files_list_var_lib($1)
++ admin_pattern($1, cobbler_var_lib_t)
++
++ files_search_var_log($1)
++ admin_pattern($1, cobbler_var_log_t)
++
++ admin_pattern($1, httpd_cobbler_content_rw_t)
++
++ cobblerd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 cobblerd_initrc_exec_t system_r;
++ allow $2 system_r;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.5/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/cobbler.te 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,5 @@
++++ serefpolicy-3.7.5/policy/modules/services/cobbler.te 2010-01-05 14:49:42.000000000 -0500
+@@ -0,0 +1,115 @@
++
++policy_module(cobbler, 1.0.0)
++
++########################################
++#
++# Cobbler personal declarations.
++#
++type cobblerd_t;
++type cobblerd_exec_t;
++init_daemon_domain(cobblerd_t, cobblerd_exec_t)
++
++type cobblerd_initrc_exec_t;
++init_script_file(cobblerd_initrc_exec_t)
++
++type cobbler_etc_t;
++files_config_file(cobbler_etc_t)
+
-+policy_module(cobbler, 1.10.0)
++type cobbler_var_log_t;
++logging_log_file(cobbler_var_log_t)
+
+type cobbler_var_lib_t;
+files_type(cobbler_var_lib_t)
++
++apache_content_template(cobbler)
++manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
++manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
++
++########################################
++#
++# Cobbler personal policy.
++#
++
++allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
++allow cobblerd_t self:process { getsched setsched signal };
++allow cobblerd_t self:fifo_file rw_fifo_file_perms;
++allow cobblerd_t self:tcp_socket create_stream_socket_perms;
++
++read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
++
++manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
++files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
++
++append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
++logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
++
++corecmd_exec_bin(cobblerd_t)
++corecmd_exec_shell(cobblerd_t)
++
++corenet_all_recvfrom_netlabel(cobblerd_t)
++corenet_all_recvfrom_unlabeled(cobblerd_t)
++corenet_sendrecv_cobbler_server_packets(cobblerd_t)
++corenet_tcp_bind_cobbler_port(cobblerd_t)
++corenet_tcp_bind_generic_node(cobblerd_t)
++corenet_tcp_sendrecv_generic_if(cobblerd_t)
++corenet_tcp_sendrecv_generic_node(cobblerd_t)
++corenet_tcp_sendrecv_generic_port(cobblerd_t)
++
++dev_read_urand(cobblerd_t)
++
++files_read_usr_files(cobblerd_t)
++
++files_list_boot(cobblerd_t)
++
++files_list_tmp(cobblerd_t)
++
++kernel_read_system_state(cobblerd_t)
++
++miscfiles_read_localization(cobblerd_t)
++
++sysnet_read_config(cobblerd_t)
++sysnet_rw_dhcp_config(cobblerd_t)
++sysnet_write_config(cobblerd_t)
++
++
++optional_policy(`
++ apache_list_sys_content(cobblerd_t)
++')
++
++optional_policy(`
++ bind_read_config(cobblerd_t)
++ bind_write_config(cobblerd_t)
++ bind_domtrans_ndc(cobblerd_t)
++ bind_domtrans(cobblerd_t)
++ bind_initrc_domtrans(cobblerd_t)
++ bind_manage_zone(cobblerd_t)
++')
++
++optional_policy(`
++ dhcpd_domtrans(cobblerd_t)
++ dhcpd_initrc_domtrans(cobblerd_t)
++')
++
++optional_policy(`
++ dnsmasq_domtrans(cobblerd_t)
++ dnsmasq_initrc_domtrans(cobblerd_t)
++ dnsmasq_write_config(cobblerd_t)
++')
++
++optional_policy(`
++ rpm_exec(cobblerd_t)
++')
++
++optional_policy(`
++ rsync_read_config(cobblerd_t)
++ rsync_write_config(cobblerd_t)
++')
++
++optional_policy(`
++ tftp_manage_tftpdir_dirs(cobblerd_t)
++ tftp_manage_tftpdir_files(cobblerd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.5/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/consolekit.fc 2009-12-21 13:07:09.000000000 -0500
@@ -15389,14 +15741,127 @@ diff --exclude-from=exclude -N -u -r nsa
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.7.5/policy/modules/services/dhcp.if
+--- nsaserefpolicy/policy/modules/services/dhcp.if 2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.7.5/policy/modules/services/dhcp.if 2010-01-05 10:17:02.000000000 -0500
+@@ -2,6 +2,25 @@
+
+ ########################################
+ ## <summary>
++## Transition to dhcpd.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dhcpd_domtrans',`
++ gen_require(`
++ type dhcpd_t, dhcpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
++')
++
++########################################
++## <summary>
+ ## Set the attributes of the DCHP
+ ## server state files.
+ ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.5/policy/modules/services/dnsmasq.fc
+--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.fc 2010-01-05 10:17:02.000000000 -0500
+@@ -1,3 +1,4 @@
++/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+ /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
+ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.5/policy/modules/services/dnsmasq.if
+--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.if 2010-01-05 10:17:02.000000000 -0500
+@@ -136,6 +136,44 @@
+
+ ########################################
+ ## <summary>
++## Read dnsmasq config files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_read_config',`
++ gen_require(`
++ type dnsmasq_etc_t;
++ ')
++
++ read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
++ files_search_etc($1)
++')
++
++########################################
++## <summary>
++## Write to dnsmasq config files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_write_config',`
++ gen_require(`
++ type dnsmasq_etc_t;
++ ')
++
++ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
++ files_search_etc($1)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an dnsmasq environment
+ ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.5/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.te 2009-12-21 13:07:09.000000000 -0500
-@@ -83,6 +83,18 @@
++++ serefpolicy-3.7.5/policy/modules/services/dnsmasq.te 2010-01-05 11:38:45.000000000 -0500
+@@ -13,6 +13,9 @@
+ type dnsmasq_initrc_exec_t;
+ init_script_file(dnsmasq_initrc_exec_t)
+
++type dnsmasq_etc_t;
++files_config_file(dnsmasq_etc_t)
++
+ type dnsmasq_lease_t;
+ files_type(dnsmasq_lease_t)
+
+@@ -34,6 +37,8 @@
+ allow dnsmasq_t self:packet_socket create_socket_perms;
+ allow dnsmasq_t self:rawip_socket create_socket_perms;
+
++read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
++
+ # dhcp leases
+ manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
+ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -66,8 +71,6 @@
+
+ domain_use_interactive_fds(dnsmasq_t)
+
+-# allow access to dnsmasq.conf
+-files_read_etc_files(dnsmasq_t)
+ files_read_etc_runtime_files(dnsmasq_t)
+
+ fs_getattr_all_fs(dnsmasq_t)
+@@ -83,6 +86,18 @@
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
optional_policy(`
-+ cobbler_read_lib_files(dnsmasq_t)
++ cobbler_read_var_lib_files(dnsmasq_t)
+')
+
+optional_policy(`
@@ -20319,7 +20784,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/postfix.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/postfix.te 2010-01-05 10:56:37.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -20591,7 +21056,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -388,6 +437,15 @@
+@@ -388,6 +437,16 @@
')
optional_policy(`
@@ -20601,13 +21066,14 @@ diff --exclude-from=exclude -N -u -r nsa
+
+optional_policy(`
+ spamassassin_domtrans_client(postfix_pipe_t)
++ spamassassin_kill_client(postfix_pipe_t)
+')
+
+optional_policy(`
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -415,6 +473,10 @@
+@@ -415,6 +474,10 @@
mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
optional_policy(`
@@ -20618,7 +21084,7 @@ diff --exclude-from=exclude -N -u -r nsa
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
-@@ -424,8 +486,11 @@
+@@ -424,8 +487,11 @@
')
optional_policy(`
@@ -20632,7 +21098,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
#######################################
-@@ -451,6 +516,15 @@
+@@ -451,6 +517,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -20648,7 +21114,7 @@ diff --exclude-from=exclude -N -u -r nsa
########################################
#
# Postfix qmgr local policy
-@@ -464,6 +538,7 @@
+@@ -464,6 +539,7 @@
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -20656,7 +21122,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -505,7 +580,7 @@
+@@ -505,7 +581,7 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -20665,7 +21131,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +610,18 @@
+@@ -535,9 +611,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -20684,7 +21150,7 @@ diff --exclude-from=exclude -N -u -r nsa
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -559,20 +643,22 @@
+@@ -559,20 +644,22 @@
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -22674,9 +23140,62 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.7.5/policy/modules/services/rsync.fc
+--- nsaserefpolicy/policy/modules/services/rsync.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.5/policy/modules/services/rsync.fc 2010-01-05 10:17:02.000000000 -0500
+@@ -1,3 +1,4 @@
++/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
+
+ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.5/policy/modules/services/rsync.if
+--- nsaserefpolicy/policy/modules/services/rsync.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.5/policy/modules/services/rsync.if 2010-01-05 10:17:02.000000000 -0500
+@@ -103,3 +103,41 @@
+
+ can_exec($1, rsync_exec_t)
+ ')
++
++########################################
++## <summary>
++## Read rsync config files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed.
++## </summary>
++## </param>
++#
++interface(`rsync_read_config',`
++ gen_require(`
++ type rsync_etc_t;
++ ')
++
++ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
++ files_search_etc($1)
++')
++
++########################################
++## <summary>
++## Write to rsync config files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed.
++## </summary>
++## </param>
++#
++interface(`rsync_write_config',`
++ gen_require(`
++ type rsync_etc_t;
++ ')
++
++ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
++ files_search_etc($1)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.5/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/rsync.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/rsync.te 2010-01-05 10:17:02.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -22691,7 +23210,7 @@ diff --exclude-from=exclude -N -u -r nsa
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
-@@ -24,7 +31,6 @@
+@@ -24,10 +31,12 @@
type rsync_t;
type rsync_exec_t;
@@ -22699,7 +23218,22 @@ diff --exclude-from=exclude -N -u -r nsa
application_executable_file(rsync_exec_t)
role system_r types rsync_t;
-@@ -126,4 +132,19 @@
++type rsync_etc_t;
++files_config_file(rsync_etc_t)
++
+ type rsync_data_t;
+ files_type(rsync_data_t)
+
+@@ -57,6 +66,8 @@
+ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+ #end for identd
+
++read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
++
+ allow rsync_t rsync_data_t:dir list_dir_perms;
+ read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+ read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+@@ -126,4 +137,19 @@
auth_read_all_symlinks_except_shadow(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
@@ -22999,7 +23533,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/samba.te 2010-01-04 16:03:08.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/samba.te 2010-01-05 17:02:50.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -23171,7 +23705,24 @@ diff --exclude-from=exclude -N -u -r nsa
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -638,11 +673,13 @@
+@@ -626,23 +661,23 @@
+ allow swat_t self:udp_socket create_socket_perms;
+ allow swat_t self:unix_stream_socket connectto;
+
+-allow swat_t nmbd_t:process { signal signull };
+-
+-allow swat_t nmbd_exec_t:file mmap_file_perms;
+-can_exec(swat_t, nmbd_exec_t)
+-
+-allow swat_t nmbd_var_run_t:file { lock read unlink };
+-
+ samba_domtrans_smbd(swat_t)
+ allow swat_t smbd_t:process { signal signull };
++allow smbd_t swat_t:process signal;
++
++samba_domtrans_nmbd(swat_t)
++allow swat_t nmbd_t:process { signal signull };
++allow nmbd_t swat_t:process signal;
allow swat_t smbd_var_run_t:file { lock unlink };
@@ -23187,7 +23738,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,7 +694,7 @@
+@@ -657,7 +692,7 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -23196,7 +23747,7 @@ diff --exclude-from=exclude -N -u -r nsa
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +737,8 @@
+@@ -700,6 +735,8 @@
miscfiles_read_localization(swat_t)
@@ -23205,7 +23756,7 @@ diff --exclude-from=exclude -N -u -r nsa
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +752,23 @@
+@@ -713,12 +750,23 @@
kerberos_use(swat_t)
')
@@ -23230,7 +23781,7 @@ diff --exclude-from=exclude -N -u -r nsa
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -866,6 +916,18 @@
+@@ -866,6 +914,18 @@
#
optional_policy(`
@@ -23249,7 +23800,7 @@ diff --exclude-from=exclude -N -u -r nsa
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +938,12 @@
+@@ -876,9 +936,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -24120,8 +24671,8 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.5/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/spamassassin.if 2009-12-21 13:07:09.000000000 -0500
-@@ -111,6 +111,27 @@
++++ serefpolicy-3.7.5/policy/modules/services/spamassassin.if 2010-01-05 11:36:41.000000000 -0500
+@@ -111,6 +111,45 @@
')
domtrans_pattern($1, spamc_exec_t, spamc_t)
@@ -24130,6 +24681,24 @@ diff --exclude-from=exclude -N -u -r nsa
+
+########################################
+## <summary>
++## Send kill signal to spamassassin client
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`spamassassin_kill_client',`
++ gen_require(`
++ type spamc_t;
++ ')
++
++ allow $1 spamc_t:process sigkill;
++')
++
++########################################
++## <summary>
+## Manage spamc home files.
+## </summary>
+## <param name="domain">
@@ -24149,7 +24718,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -166,7 +187,9 @@
+@@ -166,7 +205,9 @@
')
files_search_var_lib($1)
@@ -24159,7 +24728,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -225,3 +248,69 @@
+@@ -225,3 +266,69 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
@@ -25439,6 +26008,54 @@ diff --exclude-from=exclude -N -u -r nsa
-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.5/policy/modules/services/tftp.if
+--- nsaserefpolicy/policy/modules/services/tftp.if 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.5/policy/modules/services/tftp.if 2010-01-05 10:17:02.000000000 -0500
+@@ -2,6 +2,44 @@
+
+ ########################################
+ ## <summary>
++## Manage tftp /var/lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tftp_manage_tftpdir_dirs',`
++ gen_require(`
++ type tftpdir_rw_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++')
++
++########################################
++## <summary>
++## Manage tftp /var/lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tftp_manage_tftpdir_files',`
++ gen_require(`
++ type tftpdir_rw_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
++')
++
++########################################
++## <summary>
+ ## Read tftp content
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.5/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2009-11-12 12:51:51.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/tgtd.if 2009-12-21 13:07:09.000000000 -0500
@@ -25902,7 +26519,7 @@ diff --exclude-from=exclude -N -u -r nsa
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.5/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/virt.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/virt.if 2010-01-05 07:43:54.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -26158,7 +26775,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.5/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/virt.te 2010-01-04 13:22:20.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/virt.te 2010-01-05 11:47:44.000000000 -0500
@@ -8,6 +8,13 @@
## <desc>
@@ -26421,7 +27038,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -196,8 +312,157 @@
+@@ -196,8 +312,159 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -26541,11 +27158,13 @@ diff --exclude-from=exclude -N -u -r nsa
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+
++dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
-+dev_write_sound(virt_domain)
++dev_read_urand(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
++dev_write_sound(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
@@ -30385,7 +31004,7 @@ diff --exclude-from=exclude -N -u -r nsa
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.5/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.fc 2009-12-21 17:46:12.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/miscfiles.fc 2010-01-05 11:54:27.000000000 -0500
@@ -42,6 +42,7 @@
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31684,11 +32303,13 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-22 11:49:02.000000000 -0500
-@@ -11,15 +11,22 @@
++++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2010-01-05 10:18:05.000000000 -0500
+@@ -11,15 +11,24 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
@@ -31709,7 +32330,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
#
-@@ -51,9 +58,12 @@
+@@ -51,9 +60,12 @@
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.952
retrieving revision 1.953
diff -u -p -r1.952 -r1.953
--- selinux-policy.spec 4 Jan 2010 21:31:54 -0000 1.952
+++ selinux-policy.spec 5 Jan 2010 22:09:02 -0000 1.953
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.5
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Tue Jan 5 2010 Dan Walsh <dwalsh at redhat.com> 3.7.5-7
+- Add cobbler policy from dgrift
+
* Mon Jan 4 2010 Dan Walsh <dwalsh at redhat.com> 3.7.5-6
- add usbmon device
- Add allow rulse for devicekit_disk
More information about the fedora-extras-commits
mailing list