rpms/selinux-policy/F-13 policy-F13.patch, 1.106, 1.107 selinux-policy.spec, 1.1009, 1.1010

Daniel J Walsh dwalsh at fedoraproject.org
Tue May 4 19:38:00 UTC 2010


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv26085

Modified Files:
	policy-F13.patch selinux-policy.spec 
Log Message:
* Fri Apr 30 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-11
- Fix location of oddjob_mkhomedir
Resolves: #587385
- fix labeling on /root/.shosts and ~/.shosts
- Allow ipsec_mgmt_t to manage net_conf_t
Resolves: #586760


policy-F13.patch:
 Makefile                                  |    2 
 policy/global_tunables                    |   24 
 policy/mls                                |    2 
 policy/modules/admin/accountsd.fc         |    4 
 policy/modules/admin/accountsd.if         |  164 +++
 policy/modules/admin/accountsd.te         |   55 +
 policy/modules/admin/acct.te              |    1 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    4 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.if       |    3 
 policy/modules/admin/consoletype.te       |    1 
 policy/modules/admin/firstboot.te         |    7 
 policy/modules/admin/kismet.te            |    1 
 policy/modules/admin/logrotate.te         |   42 
 policy/modules/admin/mcelog.te            |    2 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.fc          |    2 
 policy/modules/admin/netutils.te          |   20 
 policy/modules/admin/prelink.fc           |    4 
 policy/modules/admin/prelink.if           |   28 
 policy/modules/admin/prelink.te           |   79 +
 policy/modules/admin/quota.te             |    1 
 policy/modules/admin/readahead.te         |    4 
 policy/modules/admin/rpm.fc               |   21 
 policy/modules/admin/rpm.if               |  387 +++++++
 policy/modules/admin/rpm.te               |  106 +-
 policy/modules/admin/shorewall.te         |    6 
 policy/modules/admin/shutdown.fc          |    5 
 policy/modules/admin/shutdown.if          |  118 ++
 policy/modules/admin/shutdown.te          |   57 +
 policy/modules/admin/su.if                |   11 
 policy/modules/admin/sudo.if              |    9 
 policy/modules/admin/tmpreaper.te         |   24 
 policy/modules/admin/usermanage.if        |   20 
 policy/modules/admin/usermanage.te        |   21 
 policy/modules/admin/vbetool.te           |    6 
 policy/modules/admin/vpn.te               |    8 
 policy/modules/apps/chrome.fc             |    3 
 policy/modules/apps/chrome.if             |   90 +
 policy/modules/apps/chrome.te             |   86 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   47 
 policy/modules/apps/execmem.if            |  110 ++
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   66 +
 policy/modules/apps/gitosis.if            |    2 
 policy/modules/apps/gnome.fc              |   24 
 policy/modules/apps/gnome.if              |  438 ++++++++
 policy/modules/apps/gnome.te              |  116 ++
 policy/modules/apps/gpg.fc                |    1 
 policy/modules/apps/gpg.if                |   77 +
 policy/modules/apps/gpg.te                |  114 ++
 policy/modules/apps/irc.fc                |    7 
 policy/modules/apps/irc.if                |   37 
 policy/modules/apps/irc.te                |  104 +
 policy/modules/apps/java.fc               |    7 
 policy/modules/apps/java.if               |    4 
 policy/modules/apps/java.te               |    9 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   68 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |  127 ++
 policy/modules/apps/livecd.te             |   34 
 policy/modules/apps/loadkeys.if           |    3 
 policy/modules/apps/loadkeys.te           |    6 
 policy/modules/apps/mono.if               |    5 
 policy/modules/apps/mozilla.fc            |    2 
 policy/modules/apps/mozilla.if            |   62 +
 policy/modules/apps/mozilla.te            |   22 
 policy/modules/apps/mplayer.if            |   36 
 policy/modules/apps/mplayer.te            |   29 
 policy/modules/apps/nsplugin.fc           |   10 
 policy/modules/apps/nsplugin.if           |  391 +++++++
 policy/modules/apps/nsplugin.te           |  297 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |  129 ++
 policy/modules/apps/openoffice.te         |   17 
 policy/modules/apps/podsleuth.te          |    3 
 policy/modules/apps/pulseaudio.fc         |    1 
 policy/modules/apps/pulseaudio.if         |   39 
 policy/modules/apps/pulseaudio.te         |    2 
 policy/modules/apps/qemu.if               |   84 +
 policy/modules/apps/qemu.te               |   11 
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   66 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  292 +++++
 policy/modules/apps/sandbox.te            |  383 +++++++
 policy/modules/apps/seunshare.if          |   78 -
 policy/modules/apps/seunshare.te          |   35 
 policy/modules/apps/slocate.te            |    4 
 policy/modules/apps/telepathysofiasip.fc  |    2 
 policy/modules/apps/telepathysofiasip.if  |   69 +
 policy/modules/apps/telepathysofiasip.te  |   45 
 policy/modules/apps/userhelper.fc         |    1 
 policy/modules/apps/userhelper.if         |   56 +
 policy/modules/apps/userhelper.te         |   42 
 policy/modules/apps/vmware.if             |   19 
 policy/modules/apps/vmware.te             |   13 
 policy/modules/apps/wine.fc               |    1 
 policy/modules/apps/wine.if               |   11 
 policy/modules/apps/wine.te               |   22 
 policy/modules/apps/wm.if                 |   16 
 policy/modules/kernel/corecommands.fc     |   31 
 policy/modules/kernel/corecommands.if     |    2 
 policy/modules/kernel/corenetwork.te.in   |   31 
 policy/modules/kernel/devices.fc          |    1 
 policy/modules/kernel/devices.if          |   91 +
 policy/modules/kernel/devices.te          |   12 
 policy/modules/kernel/domain.if           |   63 +
 policy/modules/kernel/domain.te           |  109 ++
 policy/modules/kernel/files.fc            |   21 
 policy/modules/kernel/files.if            |  653 ++++++++++++
 policy/modules/kernel/files.te            |   15 
 policy/modules/kernel/filesystem.if       |  176 ++-
 policy/modules/kernel/filesystem.te       |   11 
 policy/modules/kernel/kernel.if           |  107 ++
 policy/modules/kernel/kernel.te           |   34 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |   22 
 policy/modules/kernel/terminal.if         |   29 
 policy/modules/roles/auditadm.te          |    3 
 policy/modules/roles/guest.te             |    6 
 policy/modules/roles/staff.te             |  117 ++
 policy/modules/roles/sysadm.te            |   98 +
 policy/modules/roles/unconfineduser.fc    |   10 
 policy/modules/roles/unconfineduser.if    |  667 ++++++++++++
 policy/modules/roles/unconfineduser.te    |  434 ++++++++
 policy/modules/roles/unprivuser.te        |   23 
 policy/modules/roles/xguest.te            |   79 +
 policy/modules/services/abrt.fc           |    8 
 policy/modules/services/abrt.if           |  143 ++
 policy/modules/services/abrt.te           |  157 ++-
 policy/modules/services/afs.te            |    5 
 policy/modules/services/aiccu.fc          |    5 
 policy/modules/services/aiccu.if          |  119 ++
 policy/modules/services/aiccu.te          |   41 
 policy/modules/services/aisexec.fc        |   10 
 policy/modules/services/aisexec.if        |  106 ++
 policy/modules/services/aisexec.te        |  118 ++
 policy/modules/services/apache.fc         |   17 
 policy/modules/services/apache.if         |  161 ++-
 policy/modules/services/apache.te         |  230 ++++
 policy/modules/services/apcupsd.te        |    4 
 policy/modules/services/arpwatch.te       |    4 
 policy/modules/services/asterisk.if       |   19 
 policy/modules/services/asterisk.te       |   45 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/avahi.if          |    1 
 policy/modules/services/boinc.fc          |    6 
 policy/modules/services/boinc.if          |  151 ++
 policy/modules/services/boinc.te          |   92 +
 policy/modules/services/bugzilla.fc       |    4 
 policy/modules/services/bugzilla.if       |   39 
 policy/modules/services/bugzilla.te       |   57 +
 policy/modules/services/cachefilesd.fc    |   29 
 policy/modules/services/cachefilesd.if    |   41 
 policy/modules/services/cachefilesd.te    |  147 ++
 policy/modules/services/ccs.te            |   10 
 policy/modules/services/certmonger.fc     |    6 
 policy/modules/services/certmonger.if     |  217 ++++
 policy/modules/services/certmonger.te     |   74 +
 policy/modules/services/cgroup.fc         |    9 
 policy/modules/services/cgroup.if         |   35 
 policy/modules/services/cgroup.te         |   87 +
 policy/modules/services/chronyd.if        |   23 
 policy/modules/services/chronyd.te        |    8 
 policy/modules/services/clamav.te         |   19 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   82 +
 policy/modules/services/clogd.te          |   65 +
 policy/modules/services/cobbler.if        |    4 
 policy/modules/services/cobbler.te        |   14 
 policy/modules/services/consolekit.fc     |    4 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   34 
 policy/modules/services/corosync.fc       |   15 
 policy/modules/services/corosync.if       |  108 ++
 policy/modules/services/corosync.te       |  122 ++
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |   99 +
 policy/modules/services/cron.te           |   98 +
 policy/modules/services/cups.fc           |   14 
 policy/modules/services/cups.te           |   65 +
 policy/modules/services/cvs.te            |    2 
 policy/modules/services/cyrus.te          |    2 
 policy/modules/services/dbus.if           |  107 +-
 policy/modules/services/dbus.te           |   21 
 policy/modules/services/denyhosts.fc      |    7 
 policy/modules/services/denyhosts.if      |   87 +
 policy/modules/services/denyhosts.te      |   74 +
 policy/modules/services/devicekit.fc      |    8 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |  101 +
 policy/modules/services/dhcp.te           |    4 
 policy/modules/services/djbdns.if         |   38 
 policy/modules/services/djbdns.te         |    8 
 policy/modules/services/dnsmasq.fc        |    2 
 policy/modules/services/dnsmasq.if        |    4 
 policy/modules/services/dnsmasq.te        |   22 
 policy/modules/services/dovecot.fc        |    6 
 policy/modules/services/dovecot.te        |   46 
 policy/modules/services/exim.fc           |    3 
 policy/modules/services/exim.if           |   61 +
 policy/modules/services/exim.te           |    3 
 policy/modules/services/fail2ban.if       |   20 
 policy/modules/services/fprintd.te        |    2 
 policy/modules/services/ftp.fc            |    2 
 policy/modules/services/ftp.if            |   38 
 policy/modules/services/ftp.te            |  179 +++
 policy/modules/services/git.fc            |    9 
 policy/modules/services/git.if            |  533 ++++++++++
 policy/modules/services/git.te            |  190 +++
 policy/modules/services/gnomeclock.if     |   21 
 policy/modules/services/gpsd.te           |    5 
 policy/modules/services/hal.if            |   22 
 policy/modules/services/hal.te            |   33 
 policy/modules/services/inn.te            |    1 
 policy/modules/services/kerberos.if       |    6 
 policy/modules/services/kerberos.te       |    3 
 policy/modules/services/ksmtuned.te       |    3 
 policy/modules/services/ldap.fc           |    5 
 policy/modules/services/ldap.if           |   81 +
 policy/modules/services/ldap.te           |   13 
 policy/modules/services/lircd.te          |   23 
 policy/modules/services/milter.if         |   20 
 policy/modules/services/milter.te         |    8 
 policy/modules/services/modemmanager.te   |    9 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   68 +
 policy/modules/services/mta.te            |   24 
 policy/modules/services/munin.fc          |   58 +
 policy/modules/services/munin.if          |   66 +
 policy/modules/services/munin.te          |  169 +++
 policy/modules/services/mysql.te          |    3 
 policy/modules/services/nagios.fc         |   83 +
 policy/modules/services/nagios.if         |  142 ++
 policy/modules/services/nagios.te         |  283 ++++-
 policy/modules/services/networkmanager.fc |   20 
 policy/modules/services/networkmanager.if |  107 ++
 policy/modules/services/networkmanager.te |  125 ++
 policy/modules/services/nis.fc            |   10 
 policy/modules/services/nis.if            |   78 +
 policy/modules/services/nis.te            |   21 
 policy/modules/services/nscd.if           |   20 
 policy/modules/services/nscd.te           |   27 
 policy/modules/services/nslcd.te          |    2 
 policy/modules/services/ntop.te           |   32 
 policy/modules/services/ntp.te            |    3 
 policy/modules/services/nut.te            |    4 
 policy/modules/services/nx.fc             |   12 
 policy/modules/services/nx.if             |   67 +
 policy/modules/services/nx.te             |   13 
 policy/modules/services/oddjob.fc         |    1 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/oident.te         |    1 
 policy/modules/services/openvpn.te        |    7 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/piranha.fc        |   21 
 policy/modules/services/piranha.if        |  175 +++
 policy/modules/services/piranha.te        |  186 +++
 policy/modules/services/plymouthd.fc      |    9 
 policy/modules/services/plymouthd.if      |  322 ++++++
 policy/modules/services/plymouthd.te      |  107 ++
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   84 +
 policy/modules/services/portreserve.fc    |    3 
 policy/modules/services/portreserve.if    |   55 +
 policy/modules/services/portreserve.te    |    3 
 policy/modules/services/postfix.fc        |    3 
 policy/modules/services/postfix.if        |  282 +++++
 policy/modules/services/postfix.te        |  152 ++
 policy/modules/services/ppp.te            |    4 
 policy/modules/services/procmail.fc       |    2 
 policy/modules/services/procmail.te       |   26 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/qpidd.fc          |    9 
 policy/modules/services/qpidd.if          |  236 ++++
 policy/modules/services/qpidd.te          |   61 +
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |   10 
 policy/modules/services/rgmanager.if      |  141 ++
 policy/modules/services/rgmanager.te      |  229 ++++
 policy/modules/services/rhcs.fc           |   23 
 policy/modules/services/rhcs.if           |  424 ++++++++
 policy/modules/services/rhcs.te           |  240 ++++
 policy/modules/services/ricci.fc          |    3 
 policy/modules/services/ricci.if          |   62 +
 policy/modules/services/ricci.te          |   42 
 policy/modules/services/rlogin.fc         |    3 
 policy/modules/services/rlogin.te         |    1 
 policy/modules/services/rpc.if            |    1 
 policy/modules/services/rpc.te            |   15 
 policy/modules/services/rsync.if          |    4 
 policy/modules/services/rsync.te          |   26 
 policy/modules/services/rtkit.if          |   21 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  138 ++
 policy/modules/services/samba.te          |  123 +-
 policy/modules/services/sasl.te           |    3 
 policy/modules/services/sendmail.fc       |    2 
 policy/modules/services/sendmail.if       |   84 +
 policy/modules/services/sendmail.te       |   18 
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  124 ++
 policy/modules/services/setroubleshoot.te |   91 +
 policy/modules/services/smartmon.te       |    2 
 policy/modules/services/snmp.te           |    3 
 policy/modules/services/snort.te          |    4 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |  107 ++
 policy/modules/services/spamassassin.te   |  141 ++
 policy/modules/services/squid.te          |   21 
 policy/modules/services/ssh.fc            |    6 
 policy/modules/services/ssh.if            |  154 ++
 policy/modules/services/ssh.te            |   56 -
 policy/modules/services/sssd.te           |    2 
 policy/modules/services/tgtd.te           |    4 
 policy/modules/services/tuned.te          |    5 
 policy/modules/services/ucspitcp.te       |    5 
 policy/modules/services/varnishd.if       |   19 
 policy/modules/services/vhostmd.te        |    2 
 policy/modules/services/virt.fc           |    6 
 policy/modules/services/virt.if           |   58 -
 policy/modules/services/virt.te           |   81 +
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   58 -
 policy/modules/services/xserver.if        |  393 +++++++
 policy/modules/services/xserver.te        |  401 ++++++-
 policy/modules/system/application.te      |   15 
 policy/modules/system/authlogin.fc        |    1 
 policy/modules/system/authlogin.if        |   52 
 policy/modules/system/daemontools.if      |   62 +
 policy/modules/system/daemontools.te      |   26 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |   12 
 policy/modules/system/getty.te            |    2 
 policy/modules/system/hostname.te         |    3 
 policy/modules/system/init.fc             |    3 
 policy/modules/system/init.if             |  146 ++
 policy/modules/system/init.te             |  207 +++
 policy/modules/system/ipsec.te            |   17 
 policy/modules/system/iptables.fc         |    9 
 policy/modules/system/iptables.if         |    4 
 policy/modules/system/iptables.te         |   20 
 policy/modules/system/libraries.fc        |  148 ++
 policy/modules/system/libraries.te        |    8 
 policy/modules/system/locallogin.te       |   40 
 policy/modules/system/logging.fc          |   16 
 policy/modules/system/logging.if          |   43 
 policy/modules/system/logging.te          |   23 
 policy/modules/system/lvm.fc              |    1 
 policy/modules/system/lvm.if              |    2 
 policy/modules/system/lvm.te              |   21 
 policy/modules/system/modutils.te         |   14 
 policy/modules/system/mount.fc            |    8 
 policy/modules/system/mount.if            |  138 ++
 policy/modules/system/mount.te            |  148 ++
 policy/modules/system/raid.te             |    1 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  330 ++++++
 policy/modules/system/selinuxutil.te      |  242 +---
 policy/modules/system/sosreport.fc        |    2 
 policy/modules/system/sosreport.if        |  113 ++
 policy/modules/system/sosreport.te        |  128 ++
 policy/modules/system/sysnetwork.fc       |    2 
 policy/modules/system/sysnetwork.if       |   96 +
 policy/modules/system/sysnetwork.te       |   20 
 policy/modules/system/udev.fc             |    1 
 policy/modules/system/udev.if             |   19 
 policy/modules/system/udev.te             |   13 
 policy/modules/system/unconfined.fc       |   14 
 policy/modules/system/unconfined.if       |  440 --------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |    9 
 policy/modules/system/userdomain.if       | 1569 ++++++++++++++++++++++++------
 policy/modules/system/userdomain.te       |   50 
 policy/modules/system/xen.if              |    3 
 policy/modules/system/xen.te              |   11 
 policy/support/misc_patterns.spt          |    8 
 policy/support/obj_perm_sets.spt          |   35 
 policy/users                              |   17 
 394 files changed, 22245 insertions(+), 2082 deletions(-)

Index: policy-F13.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -p -r1.106 -r1.107
--- policy-F13.patch	30 Apr 2010 15:15:45 -0000	1.106
+++ policy-F13.patch	4 May 2010 19:37:55 -0000	1.107
@@ -1797,7 +1797,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te	2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te	2010-04-30 16:48:20.000000000 -0400
 @@ -0,0 +1,57 @@
 +policy_module(shutdown,1.0.0)
 +
@@ -1825,7 +1825,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +#
 +
 +allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
-+allow shutdown_t self:process { fork signal };
++allow shutdown_t self:process { fork signal signull };
 +
 +allow shutdown_t self:fifo_file manage_fifo_file_perms;
 +allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -8731,7 +8731,13 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.19/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2010-04-05 14:44:26.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.te	2010-04-21 10:00:10.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/files.te	2010-05-04 15:02:47.000000000 -0400
+@@ -1,4 +1,4 @@
+-
++	
+ policy_module(files, 1.12.5)
+ 
+ ########################################
 @@ -12,6 +12,7 @@
  attribute mountpoint;
  attribute pidfile;
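Review bot: The new inner hunk `@@ -1,4 +1,4 @@` against files.te replaces the empty first line with a line holding only a tab (`++\t`), which looks like an accidental whitespace edit rather than an intended policy change. It adds a whitespace-only hunk to the carried patch with no effect on the compiled policy and will show up as noise on every future rebase, so I'd drop that inner hunk and keep only the timestamp update. The rest of the files.te diff continues outside this hunk.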
@@ -9440,6 +9446,17 @@ diff --exclude-from=exclude -N -u -r nsa
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.19/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc	2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc	2010-05-03 14:03:35.000000000 -0400
+@@ -20,6 +20,7 @@
+ /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/hitcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
++/dev/hwcdrom		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/jsfd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/jsflash		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.19/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2009-12-18 11:38:25.000000000 -0500
 +++ serefpolicy-3.7.19/policy/modules/kernel/storage.if	2010-04-14 10:48:18.000000000 -0400
@@ -12174,8 +12191,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te	2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,115 @@
++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te	2010-05-04 13:38:36.000000000 -0400
+@@ -0,0 +1,118 @@
 +
 +policy_module(aisexec,1.0.0)
 +
@@ -12291,6 +12308,9 @@ diff --exclude-from=exclude -N -u -r nsa
 +	groupd_rw_semaphores(aisexec_t)
 +	groupd_rw_shm(aisexec_t)
 +')
++
++userdom_rw_semaphores(aisexec_t)
++userdom_rw_unpriv_user_shared_mem(aisexec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-04-06 15:15:38.000000000 -0400
 +++ serefpolicy-3.7.19/policy/modules/services/apache.fc	2010-04-30 09:52:59.000000000 -0400
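Review bot: `userdom_rw_semaphores(aisexec_t)` and `userdom_rw_unpriv_user_shared_mem(aisexec_t)` give the daemon read/write access to the SysV semaphores and shared memory of every unprivileged user domain, unconditionally and with no comment, while the groupd access just above it is confined to an optional_policy block. That is a wide cross-domain grant for a cluster daemon, presumably for client libraries running in user domains, but nothing in the hunk says so; I'd add a why-comment with the bug or use case, e.g. `# <bug id placeholder>: user-domain clients share IPC objects with aisexec`, and confirm that a dontaudit or a narrower interface would not do. The aisexec.te body starts outside this hunk.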
@@ -14787,7 +14807,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	role_transition $2 cobblerd_initrc_exec_t system_r;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.19/policy/modules/services/cobbler.te
 --- nsaserefpolicy/policy/modules/services/cobbler.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/cobbler.te	2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/cobbler.te	2010-05-03 09:22:50.000000000 -0400
 @@ -40,6 +40,7 @@
  allow cobblerd_t self:fifo_file rw_fifo_file_perms;
  allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -14805,6 +14825,15 @@ diff --exclude-from=exclude -N -u -r nsa
  files_read_usr_files(cobblerd_t)
  files_list_boot(cobblerd_t)
  files_list_tmp(cobblerd_t)
+@@ -84,7 +87,7 @@
+ ')
+ 
+ optional_policy(`
+-	apache_list_sys_content(cobblerd_t)
++	apache_read_sys_content(cobblerd_t)
+ ')
+ 
+ optional_policy(`
 @@ -119,3 +122,12 @@
  optional_policy(`
  	tftp_manage_rw_content(cobblerd_t)
@@ -16407,8 +16436,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.19/policy/modules/services/denyhosts.te
 --- nsaserefpolicy/policy/modules/services/denyhosts.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/denyhosts.te	2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,73 @@
++++ serefpolicy-3.7.19/policy/modules/services/denyhosts.te	2010-05-04 13:25:38.000000000 -0400
+@@ -0,0 +1,74 @@
 +
 +policy_module(denyhosts, 1.0.0) 
 +
@@ -16437,7 +16466,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +#
 +# DenyHosts personal policy.
 +#
-+
++# Bug #588563
++allow denyhosts_t self:capability sys_tty_config;
 +allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
 +allow denyhosts_t self:tcp_socket create_socket_perms;
 +allow denyhosts_t self:udp_socket create_socket_perms;
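Review bot: `allow denyhosts_t self:capability sys_tty_config;` grants the capability outright, but in refpolicy a sys_tty_config denial from a non-tty daemon is normally handled with dontaudit, since the check commonly fires on tty ioctls the program does not need to succeed. Unless Bug #588563 shows denyhosts actually failing without it, `dontaudit denyhosts_t self:capability sys_tty_config;` is the conventional least-privilege treatment. The `# Bug #588563` comment would also read better as a why, e.g. `# Bug #588563: sys_tty_config denial on startup, see bug for the trigger`, since I can't tell the trigger from the diff. The denyhosts_t declaration is outside this hunk.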
@@ -17140,6 +17170,81 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/sbin/exim[0-9]?		--	gen_context(system_u:object_r:exim_exec_t,s0)
  /var/log/exim[0-9]?(/.*)?		gen_context(system_u:object_r:exim_log_t,s0)
  /var/run/exim[0-9]?\.pid	--	gen_context(system_u:object_r:exim_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.7.19/policy/modules/services/exim.if
+--- nsaserefpolicy/policy/modules/services/exim.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/exim.if	2010-05-03 14:32:10.000000000 -0400
+@@ -20,6 +20,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute exim in the exim domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`exim_initrc_domtrans', `
++	gen_require(`
++		type exim_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, exim_initrc_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read, 
+ ##	exim tmp files
+ ## </summary>
+@@ -194,3 +212,46 @@
+ 	manage_files_pattern($1, exim_spool_t, exim_spool_t)
+ 	files_search_spool($1)
+ ')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an exim environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`exim_admin', `
++	gen_require(`
++		type exim_t, exim_initrc_exec_t, exim_log_t; 
++		type exim_tmp_t, exim_spool_t,  exim_var_run_t;
++	')
++
++	allow $1 exim_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, exim_t, exim_t)	
++
++	exim_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 exim_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, exim_log_t)
++
++	files_search_tmp($1)
++	admin_pattern($1, exim_tmp_t)
++
++	files_search_spool($1)
++	admin_pattern($1, exim_spool_t)
++
++	files_search_pids($1)
++	admin_pattern($1, exim_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.19/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2010-03-04 11:17:25.000000000 -0500
 +++ serefpolicy-3.7.19/policy/modules/services/exim.te	2010-04-30 09:53:00.000000000 -0400
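Review bot: The summary on the new `exim_initrc_domtrans` interface reads `Execute exim in the exim domain.`, but the body calls `init_labeled_script_domtrans($1, exim_initrc_exec_t)`, i.e. it runs the exim init script in the initrc domain rather than exim in exim_t; I'd make it `##	Execute the exim init script in the initrc domain.` The same copy-paste summary appears on `portreserve_initrc_domtrans` in the portreserve.if hunk, whose `portreserve_admin` summary also says `an portreserve environment`. The lines `type exim_t, exim_initrc_exec_t, exim_log_t; ` and `read_files_pattern($1, exim_t, exim_t)` carry trailing whitespace. Note also that `exim_admin` grants the caller `ptrace` on exim_t, which follows the admin-interface convention of this policy but lets the admin role read the daemon's memory, so the role should be assigned accordingly.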
@@ -18305,7 +18410,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.7.19/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/hal.if	2010-04-20 08:14:46.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/hal.if	2010-05-04 15:34:12.000000000 -0400
 @@ -367,7 +367,7 @@
  ## </param>
  #
@@ -21091,6 +21196,15 @@ diff --exclude-from=exclude -N -u -r nsa
  kernel_read_system_state(nx_server_t)
  kernel_read_kernel_sysctls(nx_server_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.7.19/policy/modules/services/oddjob.fc
+--- nsaserefpolicy/policy/modules/services/oddjob.fc	2009-07-28 13:28:33.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/oddjob.fc	2010-04-30 16:44:14.000000000 -0400
+@@ -1,4 +1,5 @@
+ /usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/libexec/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+ 
+ /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.19/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2009-07-28 13:28:33.000000000 -0400
 +++ serefpolicy-3.7.19/policy/modules/services/oddjob.if	2010-04-14 10:48:18.000000000 -0400
@@ -22386,6 +22500,75 @@ diff --exclude-from=exclude -N -u -r nsa
  /etc/portreserve(/.*)?			gen_context(system_u:object_r:portreserve_etc_t,s0)
  
  /sbin/portreserve		--	gen_context(system_u:object_r:portreserve_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.7.19/policy/modules/services/portreserve.if
+--- nsaserefpolicy/policy/modules/services/portreserve.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/portreserve.if	2010-05-03 14:32:10.000000000 -0400
+@@ -18,6 +18,24 @@
+ 	domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+ ')
+ 
++########################################
++## <summary>
++##	Execute portreserve in the portreserve domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`portreserve_initrc_domtrans', `
++	gen_require(`
++		type portreserve_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Allow the specified domain to read
+@@ -64,3 +82,40 @@
+ 	manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ 	read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+ ')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an portreserve environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`portreserve_admin', `
++	gen_require(`
++		type portreserve_t, portreserve_etc_t;
++		type portreserve_initrc_exec_t, portreserve_var_run_t;
++	')
++
++	allow $1 portreserve_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1,  portreserve_t,  portreserve_t)
++	
++	portreserve_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 portreserve_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_etc($1)
++	admin_pattern($1, portreserve_etc_t)
++
++	files_search_pids($1)
++	admin_pattern($1, portreserve_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.19/policy/modules/services/portreserve.te
 --- nsaserefpolicy/policy/modules/services/portreserve.te	2010-04-06 15:15:38.000000000 -0400
 +++ serefpolicy-3.7.19/policy/modules/services/portreserve.te	2010-04-30 09:53:00.000000000 -0400
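Review bot: The summary on `portreserve_initrc_domtrans` says "Execute portreserve in the portreserve domain", but the body only calls `init_labeled_script_domtrans($1, portreserve_initrc_exec_t)`, i.e. it sets up the transition through the labeled init script rather than a direct transition into portreserve_t; `##	Execute the portreserve init script in the initrc domain.` would describe what the code does. The same summary wording is reused on postfix_initrc_domtrans, ricci_initrc_domtrans, sendmail_initrc_domtrans and ssh_initrc_domtrans later in this patch. Separately, "an portreserve environment" in the `portreserve_admin` summary should read "a portreserve environment" (the postfix, ricci, sendmail and sshd admin summaries have the same article slip), and `read_files_pattern($1,  portreserve_t,  portreserve_t)` has doubled spaces unlike every other call in the interface.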
@@ -22423,7 +22606,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if	2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if	2010-05-03 14:32:10.000000000 -0400
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -22492,7 +22675,33 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Allow domain to read postfix local process state
  ## </summary>
  ## <param name="domain">
-@@ -368,6 +395,25 @@
+@@ -349,6 +376,25 @@
+ 	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
+ ')
+ 
++
++########################################
++## <summary>
++##	Execute the master postfix in the postfix master domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`postfix_initrc_domtrans', `
++	gen_require(`
++		type postfix_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute the master postfix program in the
+@@ -368,6 +414,25 @@
  	can_exec($1, postfix_master_exec_t)
  ')
  
@@ -22518,7 +22727,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  ## <summary>
  ##	Create a named socket in a postfix private directory.
-@@ -378,7 +424,7 @@
+@@ -378,7 +443,7 @@
  ##	</summary>
  ## </param>
  #
@@ -22527,7 +22736,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	gen_require(`
  		type postfix_private_t;
  	')
-@@ -389,6 +435,25 @@
+@@ -389,6 +454,25 @@
  
  ########################################
  ## <summary>
@@ -22553,7 +22762,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -418,10 +483,10 @@
+@@ -418,10 +502,10 @@
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -22566,21 +22775,20 @@ diff --exclude-from=exclude -N -u -r nsa
  	files_search_spool($1)
  ')
  
-@@ -437,15 +502,34 @@
+@@ -437,11 +521,30 @@
  #
  interface(`postfix_list_spool',`
  	gen_require(`
 -		type postfix_spool_t;
 +		attribute postfix_spool_type;
- 	')
- 
--	allow $1 postfix_spool_t:dir list_dir_perms;
++	')
++
 +	allow $1 postfix_spool_type:dir list_dir_perms;
- 	files_search_spool($1)
- ')
- 
- ########################################
- ## <summary>
++	files_search_spool($1)
++')
++
++########################################
++## <summary>
 +##	Getattr postfix mail spool files.
 +## </summary>
 +## <param name="domain">
@@ -22592,18 +22800,15 @@ diff --exclude-from=exclude -N -u -r nsa
 +interface(`postfix_getattr_spool_files',`
 +	gen_require(`
 +		attribute postfix_spool_type;
-+	')
-+
-+	files_search_spool($1)
+ 	')
+ 
+-	allow $1 postfix_spool_t:dir list_dir_perms;
+ 	files_search_spool($1)
 +	getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
-+')
-+
-+########################################
-+## <summary>
- ##	Read postfix mail spool files.
- ## </summary>
- ## <param name="domain">
-@@ -456,16 +540,16 @@
+ ')
+ 
+ ########################################
+@@ -456,16 +559,16 @@
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -22623,7 +22828,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,11 +559,11 @@
+@@ -475,11 +578,11 @@
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -22637,7 +22842,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -500,3 +584,80 @@
+@@ -500,3 +603,156 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -22718,6 +22923,82 @@ diff --exclude-from=exclude -N -u -r nsa
 +	role $2 types postfix_postdrop_t;
 +')
 +
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an postfix environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++#
++interface(`postfix_admin', `
++	gen_require(`
++		type postfix_bounce_t, postfix_cleanup_t, postfix_local_t; 
++		type postfix_master_t, postfix_pickup_t, postfix_qmgr_t; 
++		type postfix_smtpd_t;
++
++		attribute postfix_spool_type;
++
++		type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
++		type postfix_var_run_t;
++
++		type postfix_map_tmp, postfix_prng_t, postfix_public_t;
++	')
++
++	allow $1 postfix_bounce_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_bounce_t, postfix_bounce_t)
++
++	allow $1 postfix_cleanup_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_cleanup_t, postfix_cleanup_t)
++
++	allow $1 postfix_local_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_local_t, postfix_local_t)
++
++	allow $1 postfix_master_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_master_t, postfix_master_t)
++
++	allow $1 postfix_pickup_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_pickup_t, postfix_pickup_t)
++
++	allow $1 postfix_qmgr_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_qmgr_t, postfix_qmgr_t)
++
++	allow $1 postfix_smtpd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_smtpd_t, postfix_smtpd_t)
++
++	postfix_run_map($1,$2)
++	postfix_run_postdrop($1,$2)
++		
++	postfix_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 postfix_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	admin_pattern($1, postfix_data_t) 
++
++	files_list_etc($1)
++	admin_pattern($1, postfix_etc_t)
++
++	files_search_spool($1)
++	admin_pattern($1,postfix_spool_type)	
++
++	admin_pattern($1, postfix_var_run_t)
++
++	files_search_tmp($1)
++	admin_pattern($1, postfix_map_tmp)
++	
++	admin_pattern($1, postfix_prng_t)
++
++	admin_pattern($1, postfix_public_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-02-12 10:33:09.000000000 -0500
 +++ serefpolicy-3.7.19/policy/modules/services/postfix.te	2010-04-30 09:53:00.000000000 -0400
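Review bot: `type postfix_map_tmp, postfix_prng_t, postfix_public_t;` in the `gen_require` block of `postfix_admin` lists `postfix_map_tmp` without the `_t` suffix that every other type in the block carries; if the type declared in postfix.te is `postfix_map_tmp_t`, the module fails to build on the unknown name, and `admin_pattern($1, postfix_map_tmp)` further down needs the same correction. Several added lines also carry trailing whitespace (the `type postfix_bounce_t ...` and `type postfix_master_t ...` requires, `admin_pattern($1, postfix_data_t)`, `admin_pattern($1,postfix_spool_type)`), two "blank" lines consist of tabs only, and `admin_pattern($1,postfix_spool_type)` lacks the space after the comma used elsewhere. `admin_pattern($1, postfix_data_t)` is the only data grant here without a preceding `files_search_*` call; if postfix_data_t lives under /var/lib, `files_search_var_lib($1)` would be the matching search rule.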
@@ -23828,8 +24109,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/run/cluster/rgmanager\.sk        -s      gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.19/policy/modules/services/rgmanager.if
 --- nsaserefpolicy/policy/modules/services/rgmanager.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if	2010-04-14 10:48:18.000000000 -0400
-@@ -0,0 +1,98 @@
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.if	2010-05-03 14:32:10.000000000 -0400
+@@ -0,0 +1,141 @@
 +## <summary>SELinux policy for rgmanager</summary>
 +
 +#######################################
@@ -23928,6 +24209,49 @@ diff --exclude-from=exclude -N -u -r nsa
 +    manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
 +    manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
 +')
++
++######################################
++## <summary>
++##	All of the rules required to administrate 
++##	an rgmanager environment
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++##	 </summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the rgmanager domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rgmanager_admin',`
++	gen_require(`
++		type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t; 
++		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
++        ')
++
++	allow $1 rgmanager_t:process { ptrace signal_perms };
++	read_files_pattern($1, rgmanager_t, rgmanager_t)
++
++	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 rgmanager_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_tmp($1)
++	admin_pattern($1, rgmanager_tmp_t)
++
++	admin_pattern($1, rgmanager_tmpfs_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, rgmanager_var_log_t)
++
++	files_search_pids($1)
++	admin_pattern($1, rgmanager_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te	2010-04-30 09:53:00.000000000 -0400
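Review bot: `allow $1 rgmanager_t:process { ptrace signal_perms };` omits the `getattr` permission that the other admin interfaces added in this patch grant as `{ ptrace signal_perms getattr }`; if that omission is not deliberate, process inspection of rgmanager_t by the admin domain will be denied while the sibling interfaces allow it. The closing `')` of the `gen_require` block is indented with eight spaces while the rest of `rgmanager_admin` uses tabs, and the `<param name="domain">` block has stray spaces before `<summary>` and `</summary>` that the other interfaces do not have. The summary also lacks the trailing period used in the other admin summaries.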
@@ -24618,8 +24942,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-04-29 14:10:35.000000000 -0400
-@@ -0,0 +1,239 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-05-04 15:30:36.000000000 -0400
+@@ -0,0 +1,240 @@
 +
 +policy_module(rhcs,1.1.0)
 +
@@ -24707,6 +25031,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +kernel_read_system_state(fenced_t)
 +
 +corecmd_exec_bin(fenced_t)
++corecmd_exec_shell(fenced_t)
 +
 +corenet_tcp_connect_http_port(fenced_t)
 +
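Review bot: `corecmd_exec_shell(fenced_t)` is added with no comment saying which fence agent or operation needs a shell, and the surrounding rules give no hint either. A shell grant widens what the fenced_t domain can run far more than a single helper binary would, so a one-line why-comment above the call, along the lines of `# needed for: <fence agent / AVC denial this resolves>`, would let a later reviewer judge whether it is still required. The rest of the fenced_t policy lies outside this hunk.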
@@ -24869,6 +25194,82 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/libexec/modcluster		--	gen_context(system_u:object_r:ricci_modcluster_exec_t,s0)
  /usr/libexec/ricci-modlog	--	gen_context(system_u:object_r:ricci_modlog_exec_t,s0)
  /usr/libexec/ricci-modrpm	--	gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if
+--- nsaserefpolicy/policy/modules/services/ricci.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ricci.if	2010-05-03 14:32:10.000000000 -0400
+@@ -18,6 +18,24 @@
+ 	domtrans_pattern($1, ricci_exec_t, ricci_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute ricci server in the ricci domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`ricci_initrc_domtrans', `
++    gen_require(`
++        type ricci_initrc_exec_t;
++    ')
++
++    init_labeled_script_domtrans($1, ricci_initrc_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute a domain transition to run ricci_modcluster.
+@@ -165,3 +183,47 @@
+ 
+ 	domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
+ ')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an ricci environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ricci_admin',`
++	gen_require(`
++		type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
++		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
++	')
++
++	allow $1 ricci_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, ricci_t, ricci_t)
++
++	ricci_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 ricci_initrc_exec_t system_r;
++
++	files_search_tmp($1)
++	admin_pattern($1, ricci_tmp_t)
++	
++	files_search_var_lib($1)
++	admin_pattern($1, ricci_var_lib_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, ricci_var_log_t)
++
++	files_search_pids($1)
++	admin_pattern($1, ricci_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.7.19/policy/modules/services/ricci.te	2010-04-30 09:53:00.000000000 -0400
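Review bot: `role_transition $2 ricci_initrc_exec_t system_r;` in `ricci_admin` is not followed by `allow $2 system_r;`, unlike portreserve_admin, postfix_admin and rgmanager_admin earlier in this patch; a role transition is only honoured when a matching role allow rule exists, so as written the admin role cannot actually run the init script in system_r. The same line is missing from sendmail_admin and ssh_admin_server later in this patch. `ricci_initrc_domtrans` is indented with four spaces while the rest of ricci.if uses tabs (sendmail_initrc_domtrans further down has the same problem), and there are two consecutive blank lines before the `ricci_admin` header where the other interfaces use one.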
@@ -25776,8 +26177,33 @@ diff --exclude-from=exclude -N -u -r nsa
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.19/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/sendmail.if	2010-04-14 10:48:18.000000000 -0400
-@@ -277,3 +277,22 @@
++++ serefpolicy-3.7.19/policy/modules/services/sendmail.if	2010-05-03 14:32:10.000000000 -0400
+@@ -57,6 +57,24 @@
+ 	allow sendmail_t $1:process sigchld;
+ ')
+ 
++#######################################
++## <summary>
++##  Execute sendmail in the sendmail domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`sendmail_initrc_domtrans', `
++    gen_require(`
++        type sendmail_initrc_exec_t;
++    ')
++
++    init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute the sendmail program in the sendmail domain.
+@@ -277,3 +295,69 @@
  	sendmail_domtrans_unconfined($1)
  	role $2 types unconfined_sendmail_t;
  ')
@@ -25800,6 +26226,53 @@ diff --exclude-from=exclude -N -u -r nsa
 +	domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
 +')
 +
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an sendmail environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`sendmail_admin',`
++	gen_require(`
++		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t; 
++		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++		type mail_spool_t;
++	')
++
++	allow $1 sendmail_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, sendmail_t, sendmail_t)
++
++	allow $1 unconfined_sendmail_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, unconfined_sendmail_t, unconfined_sendmail_t)
++
++	sendmail_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 sendmail_initrc_exec_t system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, sendmail_log_t)
++
++	files_search_tmp($1)
++	admin_pattern($1, sendmail_tmp_t)
++
++	files_search_pids($1)
++	admin_pattern($1, sendmail_var_run_t)
++
++	files_search_spool($1)
++	admin_pattern($1, mail_spool_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-11 09:40:36.000000000 -0500
 +++ serefpolicy-3.7.19/policy/modules/services/sendmail.te	2010-04-30 09:53:00.000000000 -0400
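Review bot: `admin_pattern($1, mail_spool_t)` requires a type that, going by its name, is declared by the mta module rather than sendmail.te; if so, naming it directly in `gen_require` couples sendmail.if to another module's type names, and the owning module's interface would be the usual way to grant it. It also hands the sendmail administrator full manage rights over every user's mail spool, a broader grant than the sendmail_* types above it; a short comment such as `# sendmail administration includes the shared mail spool` would record that this scope is intended. The `type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;` line carries trailing whitespace.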
@@ -26768,24 +27241,25 @@ diff --exclude-from=exclude -N -u -r nsa
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.fc	2010-04-30 09:53:00.000000000 -0400
-@@ -1,5 +1,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.fc	2010-05-03 09:10:35.000000000 -0400
+@@ -1,4 +1,7 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
- 
-+/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
++HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
++/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
+ 
  /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
- /etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +16,5 @@
+@@ -14,3 +17,6 @@
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
++/root/\.shosts				gen_context(system_u:object_r:home_ssh_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if	2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if	2010-05-03 14:32:10.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
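Review bot: `HOME_DIR/\.shosts` and `/root/\.shosts` are added without the `--` file-type field that the neighbouring regular-file entries (`/etc/ssh/primes`, `/usr/sbin/sshd`, the sshd init script) carry, so the patterns also match a directory or symlink of that name. Because `.shosts` is a trust file that sshd consults for host-based authentication, restricting the label to regular files is the safer default: `HOME_DIR/\.shosts		--	gen_context(system_u:object_r:ssh_home_t,s0)` and `/root/\.shosts			--	gen_context(system_u:object_r:home_ssh_t,s0)`. Labeling root's copy home_ssh_t while the per-user copy is ssh_home_t follows the existing `.ssh` entries, so that part is consistent.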
@@ -26866,9 +27340,9 @@ diff --exclude-from=exclude -N -u -r nsa
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
 +	corenet_tcp_bind_all_unreserved_ports($1_t)
- 	corenet_sendrecv_ssh_server_packets($1_t)
-+	# -R qualifier
 +	corenet_sendrecv_ssh_server_packets($1_t)
++	# -R qualifier
+ 	corenet_sendrecv_ssh_server_packets($1_t)
 +	# tunnel feature and -w (net_admin capability also)
 +	corenet_rw_tun_tap_dev($1_t)
  
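Review bot: After this reshuffle the new side of ssh.if still contains `corenet_sendrecv_ssh_server_packets($1_t)` twice (the added line and the context line directly after it), and the `# -R qualifier` comment now sits between the two copies rather than above `corenet_tcp_bind_all_unreserved_ports($1_t)`, which appears to be the rule that remote forwarding (-R) actually needs. Dropping the duplicate and moving the comment above the bind rule would make the intent readable: `# -R qualifier`, `corenet_tcp_bind_all_unreserved_ports($1_t)`, `corenet_sendrecv_ssh_server_packets($1_t)`. The enclosing template body starts and ends outside this hunk.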
@@ -26925,7 +27399,33 @@ diff --exclude-from=exclude -N -u -r nsa
  	userdom_user_home_domtrans($1_ssh_agent_t, $3)
  	allow $3 $1_ssh_agent_t:fd use;
  	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-@@ -696,6 +708,50 @@
+@@ -582,6 +594,25 @@
+ 	domtrans_pattern($1, sshd_exec_t, sshd_t)
+ ')
+ 
++
++########################################
++## <summary>
++##	Execute sshd server in the sshd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`ssh_initrc_domtrans',`
++	gen_require(`
++		type sshdd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, sshd_initrc_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute the ssh client in the caller domain.
+@@ -696,6 +727,50 @@
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
  
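Review bot: `type sshdd_initrc_exec_t;` in the `gen_require` of `ssh_initrc_domtrans` has a doubled d; the body uses `sshd_initrc_exec_t`, and ssh.fc in this same patch labels the init script `sshd_initrc_exec_t`, so the require names a type that does not exist and the type the call actually uses goes unrequired. The line should read `type sshd_initrc_exec_t;`. There is also an extra blank line before the interface header where the other `*_initrc_domtrans` interfaces in this patch use one.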
@@ -26976,6 +27476,57 @@ diff --exclude-from=exclude -N -u -r nsa
  #######################################
  ## <summary>
  ##	Delete from the ssh temp files.
+@@ -714,3 +789,50 @@
+ 	files_search_tmp($1)
+ 	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
+ ')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an sshd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`ssh_admin_server',`
++	gen_require(`
++		type sshd_t, ssh_home_t, sshd_key_t, sshd_tmp_t; 
++		type sshd_tmpfs_t, sshd_var_run_t;
++		type sshd_initrc_exec_t;
++	')
++
++	allow $1 sshd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, sshd_t, sshd_t)
++
++	ssh_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 sshd_initrc_exec_t system_r;
++
++	userdom_search_user_home_dirs($1)
++	userdom_search_admin_dir($1)
++	admin_pattern($1,ssh_home_t)
++
++	files_search_etc($1)
++	admin_pattern($1,sshd_key_t)
++
++	files_search_tmp($1)
++	admin_pattern($1, sshd_tmp_t)
++
++	admin_pattern($1, sshd_tmpfs_t)
++
++	files_search_pids($1)
++	admin_pattern($1, sshd_var_run_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-02-18 14:06:31.000000000 -0500
 +++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2010-04-30 09:53:00.000000000 -0400
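Review bot: `admin_pattern($1,ssh_home_t)` and `admin_pattern($1,sshd_key_t)` omit the space after the comma that the other `admin_pattern` calls in `ssh_admin_server` use. Beyond style, those two lines give the admin domain full manage rights over users' `~/.ssh` content and over the host private keys, the broadest grant in the interface; a one-line comment such as `# host keys and user key material are admin-managed` above them would record that this is deliberate. The `type sshd_t, ssh_home_t, sshd_key_t, sshd_tmp_t;` line carries trailing whitespace.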
@@ -28240,7 +28791,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-04-28 13:07:41.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-05-04 10:22:41.000000000 -0400
 @@ -36,6 +36,13 @@
  
  ## <desc>
@@ -28411,7 +28962,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +290,58 @@
+@@ -250,30 +290,60 @@
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -28456,6 +29007,8 @@ diff --exclude-from=exclude -N -u -r nsa
 -allow xdm_t xauth_home_t:file manage_file_perms;
 -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
 +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
++
++kernel_read_system_state(xauth_t)
  
  domain_use_interactive_fds(xauth_t)
 +domain_dontaudit_leaks(xauth_t)
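Review bot: `kernel_read_system_state(xauth_t)` is added without a comment naming the operation that needs it, while older rules in this file carry why-comments (the `# cjp: why?` a few lines down shows the cost of leaving that out). A one-line note such as `# needed for: <AVC denial this resolves>` above the call would spare the next reviewer re-deriving it. The added `userdom_signull_unpriv_users(xdm_t)` later in this patch is in the same situation.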
@@ -28473,7 +29026,7 @@ diff --exclude-from=exclude -N -u -r nsa
  fs_search_auto_mountpoints(xauth_t)
  
  # cjp: why?
-@@ -283,17 +351,36 @@
+@@ -283,17 +353,36 @@
  
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
@@ -28510,7 +29063,7 @@ diff --exclude-from=exclude -N -u -r nsa
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -305,20 +392,31 @@
+@@ -305,20 +394,32 @@
  # XDM Local policy
  #
  
@@ -28542,10 +29095,11 @@ diff --exclude-from=exclude -N -u -r nsa
 +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
++userdom_signull_unpriv_users(xdm_t)
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -332,26 +430,45 @@
+@@ -332,26 +433,45 @@
  
  manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
@@ -28596,7 +29150,7 @@ diff --exclude-from=exclude -N -u -r nsa
  allow xdm_t xserver_t:unix_stream_socket connectto;
  
  allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +476,13 @@
+@@ -359,10 +479,13 @@
  
  # transition to the xdm xserver
  domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -28610,7 +29164,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,15 +491,21 @@
+@@ -371,15 +494,21 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -28633,7 +29187,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  corecmd_exec_shell(xdm_t)
  corecmd_exec_bin(xdm_t)
-@@ -394,11 +520,14 @@
+@@ -394,11 +523,14 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -28648,7 +29202,7 @@ diff --exclude-from=exclude -N -u -r nsa
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +535,7 @@
+@@ -406,6 +538,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -28656,7 +29210,7 @@ diff --exclude-from=exclude -N -u -r nsa
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -414,18 +544,22 @@
+@@ -414,18 +547,22 @@
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -28682,7 +29236,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -436,9 +570,17 @@
+@@ -436,9 +573,17 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -28700,7 +29254,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +589,19 @@
+@@ -447,14 +592,19 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28720,7 +29274,7 @@ diff --exclude-from=exclude -N -u -r nsa
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -465,10 +612,12 @@
+@@ -465,10 +615,12 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -28735,7 +29289,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +626,11 @@
+@@ -477,6 +629,11 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -28747,7 +29301,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -509,10 +663,12 @@
+@@ -509,10 +666,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -28760,7 +29314,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -520,12 +676,50 @@
+@@ -520,12 +679,50 @@
  ')
  
  optional_policy(`
@@ -28811,7 +29365,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	hostname_exec(xdm_t)
  ')
  
-@@ -543,20 +737,59 @@
+@@ -543,20 +740,59 @@
  ')
  
  optional_policy(`
@@ -28873,7 +29427,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -565,7 +798,6 @@
+@@ -565,7 +801,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -28881,7 +29435,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +808,10 @@
+@@ -576,6 +811,10 @@
  ')
  
  optional_policy(`
@@ -28892,7 +29446,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,10 +836,9 @@
+@@ -600,10 +839,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28904,7 +29458,7 @@ diff --exclude-from=exclude -N -u -r nsa
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +850,18 @@
+@@ -615,6 +853,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28923,7 +29477,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +881,19 @@
+@@ -634,12 +884,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28945,7 +29499,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +927,6 @@
+@@ -673,7 +930,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28953,7 +29507,7 @@ diff --exclude-from=exclude -N -u -r nsa
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +936,12 @@
+@@ -683,9 +939,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28967,7 +29521,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +956,13 @@
+@@ -700,8 +959,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28981,7 +29535,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,11 +984,14 @@
+@@ -723,11 +987,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -28996,7 +29550,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1043,24 @@
+@@ -779,12 +1046,24 @@
  ')
  
  optional_policy(`
@@ -29022,7 +29576,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1087,7 @@
+@@ -811,7 +1090,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -29031,7 +29585,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1108,14 @@
+@@ -832,9 +1111,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -29046,7 +29600,7 @@ diff --exclude-from=exclude -N -u -r nsa
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1130,14 @@
+@@ -849,11 +1133,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -29063,7 +29617,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -999,3 +1283,33 @@
+@@ -999,3 +1286,33 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -29433,7 +29987,7 @@ diff --exclude-from=exclude -N -u -r nsa
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.19/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2010-03-09 15:39:06.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/fstools.te	2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/fstools.te	2010-04-30 13:26:42.000000000 -0400
 @@ -118,6 +118,8 @@
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
@@ -29452,7 +30006,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -167,6 +169,10 @@
+@@ -167,6 +169,14 @@
  ')
  
  optional_policy(`
@@ -29460,6 +30014,10 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 +
 +optional_policy(`
++	livecd_rw_tmp_files(fsadm_t)
++')
++
++optional_policy(`
  	nis_use_ypbind(fsadm_t)
  ')
  
@@ -29763,7 +30321,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.te	2010-04-28 13:08:01.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.te	2010-05-04 15:06:33.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -29830,7 +30388,15 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -169,6 +187,8 @@
+@@ -121,6 +139,7 @@
+ corecmd_exec_bin(init_t)
+ 
+ dev_read_sysfs(init_t)
++dev_rw_generic_chr_files(init_t)
+ 
+ domain_getpgid_all_domains(init_t)
+ domain_kill_all_domains(init_t)
+@@ -169,6 +188,8 @@
  
  miscfiles_read_localization(init_t)
  
@@ -29839,7 +30405,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
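Review bot: `dev_rw_generic_chr_files(init_t)`, added right after `dev_read_sysfs(init_t)`, gives init read/write on every character device node that still carries the catch-all device_t label, so the grant covers whatever happens to be unlabeled in /dev rather than one named device, and neither a comment nor the changelog says which node needed it. If a specific node triggered the denial, giving it its own type in devices.fc and calling the matching dev_rw_* interface keeps init's device access enumerable; if the generic access really is required, record the reason above the line, e.g. `# init needs rw on <device> before it is labeled at boot (bz #NNNNNN)`. The enclosing init_t rule block starts and ends outside the hunk.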
-@@ -192,10 +212,23 @@
+@@ -192,10 +213,23 @@
  ')
  
  optional_policy(`
@@ -29863,7 +30429,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	nscd_socket_use(init_t)
  ')
  
-@@ -213,7 +246,7 @@
+@@ -213,7 +247,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29872,7 +30438,7 @@ diff --exclude-from=exclude -N -u -r nsa
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -242,6 +275,7 @@
+@@ -242,6 +276,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29880,7 +30446,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -259,13 +293,22 @@
+@@ -259,13 +294,22 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29904,7 +30470,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  corenet_all_recvfrom_unlabeled(initrc_t)
  corenet_all_recvfrom_netlabel(initrc_t)
-@@ -299,6 +342,7 @@
+@@ -299,6 +343,7 @@
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29912,7 +30478,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -325,8 +369,10 @@
+@@ -325,8 +370,10 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29924,7 +30490,7 @@ diff --exclude-from=exclude -N -u -r nsa
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -342,6 +388,8 @@
+@@ -342,6 +389,8 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29933,7 +30499,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
-@@ -352,6 +400,11 @@
+@@ -352,6 +401,11 @@
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29945,7 +30511,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -364,6 +417,7 @@
+@@ -364,6 +418,7 @@
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29953,7 +30519,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -395,15 +449,16 @@
+@@ -395,15 +450,16 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -29972,7 +30538,7 @@ diff --exclude-from=exclude -N -u -r nsa
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
  # started from init should be placed in their own domain.
  userdom_use_user_terminals(initrc_t)
-@@ -471,7 +526,7 @@
+@@ -471,7 +527,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29981,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -517,6 +572,23 @@
+@@ -517,6 +573,23 @@
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -30005,7 +30571,15 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  
  	optional_policy(`
-@@ -542,6 +614,35 @@
+@@ -528,6 +601,7 @@
+ 	optional_policy(`
+ 		sysnet_rw_dhcp_config(initrc_t)
+ 		sysnet_manage_config(initrc_t)
++		sysnet_delete_dhcpc_state(initrc_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -542,6 +616,35 @@
  	')
  ')
  
@@ -30041,7 +30615,7 @@ diff --exclude-from=exclude -N -u -r nsa
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +655,8 @@
+@@ -554,6 +657,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -30050,7 +30624,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -594,6 +697,7 @@
+@@ -594,6 +699,7 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -30058,7 +30632,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -647,11 +751,6 @@
+@@ -647,11 +753,6 @@
  ')
  
  optional_policy(`
@@ -30070,7 +30644,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	kerberos_use(initrc_t)
  ')
  
-@@ -690,12 +789,22 @@
+@@ -690,12 +791,22 @@
  ')
  
  optional_policy(`
@@ -30093,7 +30667,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -718,6 +827,10 @@
+@@ -718,6 +829,10 @@
  ')
  
  optional_policy(`
@@ -30104,7 +30678,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -760,8 +873,6 @@
+@@ -760,8 +875,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30113,7 +30687,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -774,10 +885,12 @@
+@@ -774,10 +887,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30126,7 +30700,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +903,7 @@
+@@ -790,6 +905,7 @@
  
  optional_policy(`
  	udev_rw_db(initrc_t)
@@ -30134,7 +30708,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	udev_manage_pid_files(initrc_t)
  ')
  
-@@ -798,11 +912,18 @@
+@@ -798,11 +914,18 @@
  ')
  
  optional_policy(`
@@ -30154,7 +30728,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +933,25 @@
+@@ -812,6 +935,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -30180,7 +30754,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -837,3 +977,34 @@
+@@ -837,3 +979,34 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -30217,7 +30791,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te	2010-04-27 10:28:39.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te	2010-05-03 10:21:07.000000000 -0400
 @@ -73,7 +73,7 @@
  #
  
@@ -30227,15 +30801,16 @@ diff --exclude-from=exclude -N -u -r nsa
  allow ipsec_t self:process { getcap setcap getsched signal setsched };
  allow ipsec_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_t self:udp_socket create_socket_perms;
-@@ -167,6 +167,7 @@
+@@ -167,6 +167,8 @@
  miscfiles_read_localization(ipsec_t)
  
  sysnet_domtrans_ifconfig(ipsec_t)
++sysnet_manage_config(ipsec_t)
 +sysnet_etc_filetrans_config(ipsec_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
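Review bot: `sysnet_manage_config(ipsec_t)` widens the pluto daemon itself, not just ipsec_mgmt_t as the changelog entry for #586760 states, to create/write/unlink/rename on every net_conf_t file (which in refpolicy includes /etc/resolv.conf), for a domain that creates TCP and UDP sockets a few lines up and therefore handles traffic from the network. If the daemon only needs to update an existing file in place, `sysnet_rw_config(ipsec_t)` is the tighter fit; if it writes a temporary file and renames it into place, manage plus the existing `sysnet_etc_filetrans_config(ipsec_t)` is the right pair, but that reason belongs in a comment above the line, e.g. `# pluto rewrites net_conf_t files when a tunnel comes up - bz #586760`. The changelog should mention ipsec_t as well, since it currently names only ipsec_mgmt_t.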
-@@ -186,7 +187,7 @@
+@@ -186,7 +188,7 @@
  
  allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
  dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -30244,7 +30819,7 @@ diff --exclude-from=exclude -N -u -r nsa
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +226,6 @@
+@@ -225,7 +227,6 @@
  
  manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
  manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -30252,7 +30827,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # whack needs to connect to pluto
  stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +258,7 @@
+@@ -258,7 +259,7 @@
  
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
@@ -30261,7 +30836,7 @@ diff --exclude-from=exclude -N -u -r nsa
  # suppress audit messages about unnecessary socket access
  # cjp: this seems excessive
  domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -276,7 +276,7 @@
+@@ -276,7 +277,7 @@
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -30270,17 +30845,17 @@ diff --exclude-from=exclude -N -u -r nsa
  
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
-@@ -291,7 +291,9 @@
+@@ -291,7 +292,9 @@
  
  seutil_dontaudit_search_config(ipsec_mgmt_t)
  
-+sysnet_read_config(ipsec_mgmt_t)
++sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
 +sysnet_etc_filetrans_config(ipsec_mgmt_t)
  
  userdom_use_user_terminals(ipsec_mgmt_t)
  
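Review bot: the switch from `sysnet_read_config(ipsec_mgmt_t)` to `sysnet_manage_config(ipsec_mgmt_t)` jumps from read-only to create/write/unlink/rename on all net_conf_t files, and nothing at the line records which ipsec management script rewrites which file, so the next reviewer cannot tell whether the full manage set or only write was needed. If the scripts edit an existing file in place, `sysnet_rw_config(ipsec_mgmt_t)` would suffice; if they write a temporary file and rename it into /etc, manage together with the `sysnet_etc_filetrans_config(ipsec_mgmt_t)` line below is what that needs. Either way, add a why-comment above it such as `# ipsec helper scripts rewrite net_conf_t files in /etc (bz #586760)`. The ipsec_mgmt_t rule block continues outside the hunk.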
-@@ -386,6 +388,8 @@
+@@ -386,6 +389,8 @@
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -30289,7 +30864,7 @@ diff --exclude-from=exclude -N -u -r nsa
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +416,7 @@
+@@ -412,6 +417,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -30297,7 +30872,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +428,4 @@
+@@ -423,3 +429,4 @@
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
@@ -32685,7 +33260,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if	2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if	2010-05-04 11:16:26.000000000 -0400
 @@ -60,25 +60,24 @@
  		netutils_run(dhcpc_t, $2)
  		netutils_run_ping(dhcpc_t, $2)
@@ -32820,7 +33395,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te	2010-04-20 08:13:32.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te	2010-05-04 15:34:19.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t, dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -32890,11 +33465,12 @@ diff --exclude-from=exclude -N -u -r nsa
  userdom_use_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
-@@ -328,6 +346,7 @@
+@@ -328,6 +346,8 @@
  optional_policy(`
  	hal_dontaudit_rw_pipes(ifconfig_t)
  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 +	hal_dontaudit_read_pid_files(ifconfig_t)
++	hal_write_log(ifconfig_t)
  ')
  
  optional_policy(`
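Review bot: `hal_write_log(ifconfig_t)` is an `allow` placed next to three `hal_dontaudit_*` rules, which suggests the denial comes from an ifconfig spawned by hal inheriting hal's log as stdout/stderr rather than from ifconfig opening the log itself; if so, the grant lets ifconfig_t write hal's log on its own, wider than the inherited descriptor needs. A dontaudit here would silence the message but leave those writes failing, so if ifconfig's output matters the allow is the pragmatic choice, but the reason should be stated above the line, e.g. `# hal runs ifconfig with its log file on stdout/stderr`. If the access is not descriptor inheritance, the comment should say what it actually is.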
@@ -33745,7 +34321,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2010-04-28 11:59:42.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2010-05-04 13:38:19.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -35218,7 +35794,33 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2787,7 +3085,7 @@
+@@ -2747,6 +3045,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Read/Write unpriviledged user SysV shared
++##	memory segments.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_unpriv_user_shared_mem',`
++	gen_require(`
++		attribute unpriv_userdomain;
++	')
++
++	allow $1 unpriv_userdomain:shm rw_shm_perms;
++')
++
++########################################
++## <summary>
+ ##	Execute bin_t in the unprivileged user domains. This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+@@ -2787,7 +3104,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -35227,7 +35829,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
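Review bot: the summary of the new `userdom_rw_unpriv_user_shared_mem` interface misspells `unpriviledged` (should be `unprivileged`), and more importantly it does not say that `allow $1 unpriv_userdomain:shm rw_shm_perms;` targets the attribute, i.e. every unprivileged user domain at once, so any caller gains read/write on the SysV shared memory segments of all such users, crossing user boundaries rather than reaching one user's segments. Extend the summary so callers see the scope before using it, e.g. `## Read/Write SysV shared memory segments of all unprivileged user domains. This is not per-user: the caller reaches every unprivileged user's segments.` No caller appears in the hunks shown here, so a one-line note naming the intended consumer would also help keep this from becoming a convenient wide grant.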
-@@ -2803,11 +3101,13 @@
+@@ -2803,11 +3120,13 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -35243,7 +35845,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -2944,7 +3244,7 @@
+@@ -2944,7 +3263,7 @@
  		type user_tmp_t;
  	')
  
@@ -35252,7 +35854,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -2981,6 +3281,7 @@
+@@ -2981,6 +3300,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -35260,7 +35862,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	kernel_search_proc($1)
  ')
  
-@@ -3111,3 +3412,664 @@
+@@ -3111,3 +3431,664 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1009
retrieving revision 1.1010
diff -u -p -r1.1009 -r1.1010
--- selinux-policy.spec	30 Apr 2010 14:52:24 -0000	1.1009
+++ selinux-policy.spec	4 May 2010 19:37:59 -0000	1.1010
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -468,10 +468,16 @@ exit 0
 %endif
 
 %changelog
+* Fri Apr 30 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-11
+- Fix location of oddjob_mkhomedir
+Resolves: #587385
+- fix labeling on /root/.shosts and ~/.shosts
+- Allow ipsec_mgmt_t to manage net_conf_t
+Resolves: #586760
+
 * Fri Apr 30 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-10
 - Dontaudit sandbox trying to connect to netlink sockets
 Resolves: #587609
-- Add policy for piranha
 
 * Thu Apr 29 2010 Dan Walsh <dwalsh at redhat.com> 3.7.19-9
 - Fixups for xguest policy


