rpms/selinux-policy/F-7 policy-20070501.patch, 1.39, 1.40 selinux-policy.spec, 1.480, 1.481

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jul 31 19:49:45 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv687

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-30
- Fix prelink to handle execmod
- Allow mount_ntfs to search file_type:dir


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- policy-20070501.patch	23 Jul 2007 20:26:21 -0000	1.39
+++ policy-20070501.patch	31 Jul 2007 19:49:42 -0000	1.40
@@ -585,7 +585,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.6.4/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/prelink.te	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/prelink.te	2007-07-24 08:58:20.000000000 -0400
 @@ -26,7 +26,7 @@
  # Local policy
  #
@@ -595,6 +595,15 @@
  allow prelink_t self:process { execheap execmem execstack signal };
  allow prelink_t self:fifo_file rw_fifo_file_perms;
  
+@@ -40,7 +40,7 @@
+ read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
+ logging_log_filetrans(prelink_t, prelink_log_t, file)
+ 
+-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+ files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+ fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+ 
 @@ -49,8 +49,7 @@
  allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
  
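Review bot: `execmod` is added to the prelink_tmp_t file rule next to `execute` without a comment; because prelink_t also creates and writes these files (`files_tmp_filetrans`/`fs_tmpfs_filetrans` on the next two lines), this lets a text-relocated library be mapped executable straight out of /tmp, so the rule should say why it is needed. Presumably prelink maps its rewritten temporary copy before moving it into place — confirm, and then add above the rule `# prelink mmaps its rewritten tmp copy; libraries with text relocations need execmod on it`. This is consistent with the execmem/execstack/execheap the domain already has on self at the top of the hunk, so it widens the existing posture rather than opening a new class of access.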
@@ -614,6 +623,14 @@
  
  fs_getattr_xattr_fs(prelink_t)
  
+@@ -81,6 +82,7 @@
+ libs_manage_lib_files(prelink_t)
+ libs_relabel_lib_files(prelink_t)
+ libs_delete_lib_symlinks(prelink_t)
++libs_legacy_use_shared_libs(prelink_t)
+ 
+ miscfiles_read_localization(prelink_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.6.4/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2007-05-07 14:51:05.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/admin/readahead.te	2007-07-13 13:11:46.000000000 -0400
@@ -659,7 +676,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-07-31 14:04:26.000000000 -0400
 @@ -211,6 +211,24 @@
  
  ########################################
@@ -1422,7 +1439,7 @@
  	auth_search_pam_console_data($1_userhelper_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-07-31 13:44:59.000000000 -0400
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -1435,7 +1452,17 @@
  /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +253,7 @@
+@@ -131,7 +136,8 @@
+ /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+@@ -248,6 +254,7 @@
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
@@ -1443,7 +1470,7 @@
  
  /var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +262,13 @@
+@@ -256,3 +263,13 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -1537,16 +1564,17 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc	2007-07-13 13:11:46.000000000 -0400
-@@ -19,6 +19,7 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc	2007-07-31 13:38:08.000000000 -0400
+@@ -19,6 +19,8 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
  /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
++/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 +/dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
  /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
-@@ -52,7 +53,7 @@
+@@ -52,7 +54,7 @@
  /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
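Review bot: The new `/dev/[0-9].*  -c  usb_device_t` entry matches every character device under /dev whose name starts with a digit, not only the nodes it is presumably meant for, so any future or vendor device named that way silently becomes usb_device_t, which daemons in this policy (cups, apcupsd) get read/write on. If the intended nodes have a fixed shape, anchor the pattern to it (for example digits separated by `-`/`.`, `/dev/[0-9]+(-[0-9]+)*(\.[0-9]+)*	-c	gen_context(system_u:object_r:usb_device_t,s0)`) and put a comment on the line naming the device family it covers. Confirm the actual node names before narrowing; the neighbouring `/dev/fw.*` line shows the more specific style the file otherwise follows.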
@@ -1555,7 +1583,7 @@
  /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -64,6 +65,7 @@
+@@ -64,6 +66,7 @@
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
  /dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
@@ -1563,7 +1591,7 @@
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -81,6 +83,8 @@
+@@ -81,6 +84,8 @@
  
  /dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
  
@@ -1824,7 +1852,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.fc	2007-07-25 16:22:10.000000000 -0400
 @@ -45,7 +45,6 @@
  /etc			-d	gen_context(system_u:object_r:etc_t,s0)
  /etc/.*				gen_context(system_u:object_r:etc_t,s0)
@@ -1841,6 +1869,14 @@
  /etc/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -210,6 +210,7 @@
+ /usr/lost\+found/.*		<<none>>
+ 
+ /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
++/usr/share/doc(/.*)?		gen_context(system_u:object_r:usr_t,s0)
+ 
+ /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/files.if	2007-07-13 13:11:46.000000000 -0400
@@ -2083,7 +2119,7 @@
  # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if	2007-07-30 10:20:41.000000000 -0400
 @@ -1096,6 +1096,24 @@
  
  ########################################
@@ -2136,7 +2172,7 @@
  ##	Mount a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3420,3 +3458,22 @@
+@@ -3420,3 +3458,42 @@
  	relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
  	relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
  ')
@@ -2159,6 +2195,26 @@
 +
 +        allow $1 fusefs_t:filesystem mount;
 +')
++
++########################################
++## <summary>
++##      unmount a FUSE filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_unmount_fusefs',`
++        gen_require(`
++                type fusefs_t;
++        ')
++
++        allow $1 fusefs_t:filesystem unmount;
++')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te	2007-07-23 10:45:02.000000000 -0400
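Review bot: The new `fs_unmount_fusefs` interface is indented with spaces while the rest of filesystem.if uses tabs, its summary starts lowercase (`unmount a FUSE filesystem.`) unlike the sibling `Mount a NFS filesystem.` wording, and it is followed by two blank lines. Use tabs for the `gen_require`, `type` and `allow` lines and write the summary as `##	Unmount a FUSE filesystem.`. The preceding `fs_mount_fusefs` interface has the same space indentation and starts outside this hunk, so fix both together.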
@@ -2850,7 +2906,14 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-07-23 16:18:32.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-07-26 13:46:31.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(apache,1.6.0)
++policy_module(apache,1.7.0)
+ 
+ #
+ # NOTES: 
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -2879,6 +2942,15 @@
  gen_tunable(httpd_can_network_connect,false)
  
  ## <desc>
+@@ -97,7 +111,7 @@
+ ## Allow http daemon to communicate with the TTY
+ ## </p>
+ ## </desc>
+-gen_tunable(httpd_tty_comm,false)
++gen_tunable(httpd_tty_comm,true)
+ 
+ ## <desc>
+ ## <p>
 @@ -106,6 +120,27 @@
  ## </desc>
  gen_tunable(httpd_unified,false)
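Review bot: `gen_tunable(httpd_tty_comm,true)` flips a security boolean's default to on, and the same commit wires that boolean to `unconfined_use_terminals(httpd_t)` further down, so httpd_t gets read/write on users' terminals out of the box; the log message only mentions prelink and mount_ntfs. The <desc> above the tunable still reads as a narrow "communicate with the TTY" allowance and says nothing about the default or why it changed — presumably the SSL passphrase prompt at startup, confirm. Document it next to the tunable, e.g. `## Allow http daemon to communicate with the TTY (on by default — needed when the server prompts on its controlling terminal at startup)`, and note in the changelog that administrators can restore the old behaviour with `setsebool -P httpd_tty_comm off`.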
@@ -2907,7 +2979,19 @@
  attribute httpdcontent;
  
  # domains that can exec all users scripts
-@@ -215,7 +250,7 @@
+@@ -201,11 +236,6 @@
+ type squirrelmail_spool_t;
+ files_tmp_file(squirrelmail_spool_t)
+ 
+-ifdef(`targeted_policy',`
+-	typealias httpd_sys_content_t alias httpd_user_content_t;
+-	typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+-')
+-
+ optional_policy(`
+ 	prelink_object_file(httpd_modules_t)
+ ')
+@@ -215,7 +245,7 @@
  # Apache server local policy
  #
  
@@ -2916,7 +3000,7 @@
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -257,6 +292,7 @@
+@@ -257,6 +287,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
  read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -2924,15 +3008,19 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -297,6 +333,7 @@
+@@ -297,8 +328,10 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
 +kernel_search_network_sysctl(httpd_t)
  
- corenet_non_ipsec_sendrecv(httpd_t)
+-corenet_non_ipsec_sendrecv(httpd_t)
++corenet_all_recvfrom_unlabeled(httpd_t)
++corenet_all_recvfrom_netlabel(httpd_t)
  corenet_tcp_sendrecv_all_if(httpd_t)
-@@ -342,6 +379,9 @@
+ corenet_udp_sendrecv_all_if(httpd_t)
+ corenet_tcp_sendrecv_all_nodes(httpd_t)
+@@ -342,6 +375,9 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2942,18 +3030,29 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -362,6 +402,10 @@
+@@ -360,16 +396,12 @@
  
- mta_send_mail(httpd_t)
+ userdom_use_unpriv_users_fds(httpd_t)
  
+-mta_send_mail(httpd_t)
+-
+-ifdef(`targeted_policy',`
+-	term_dontaudit_use_unallocated_ttys(httpd_t)
+-	term_dontaudit_use_generic_ptys(httpd_t)
+-	files_dontaudit_read_root_files(httpd_t)
 +optional_policy(`
 +	nscd_socket_use(httpd_t)
 +')
-+
- ifdef(`targeted_policy',`
- 	term_dontaudit_use_unallocated_ttys(httpd_t)
- 	term_dontaudit_use_generic_ptys(httpd_t)
-@@ -382,6 +426,7 @@
+ 
+-	tunable_policy(`httpd_enable_homedirs',`
+-		userdom_search_generic_user_home_dirs(httpd_t)
+-	')
++tunable_policy(`httpd_enable_homedirs',`
++	userdom_search_generic_user_home_dirs(httpd_t)
+ ')
+ 
+ tunable_policy(`allow_httpd_anon_write',`
+@@ -382,6 +414,7 @@
  #
  tunable_policy(`allow_httpd_mod_auth_pam',`
  	auth_domtrans_chk_passwd(httpd_t)
@@ -2961,7 +3060,7 @@
  ')
  ')
  
-@@ -389,6 +434,14 @@
+@@ -389,6 +422,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -2971,12 +3070,14 @@
 +	corenet_sendrecv_smtp_client_packets(httpd_t)
 +	corenet_tcp_connect_pop_port(httpd_t)
 +	corenet_sendrecv_pop_client_packets(httpd_t)
++	mta_send_mail(httpd_t)
++	mta_send_mail(httpd_sys_script_t)
 +')
 +
  tunable_policy(`httpd_can_network_connect_db',`
  	# allow httpd to connect to mysql/posgresql
  	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -416,6 +469,10 @@
+@@ -416,6 +459,10 @@
  	allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
  ')
  
@@ -2987,7 +3088,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -433,11 +490,21 @@
+@@ -433,11 +480,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -3009,21 +3110,76 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -445,6 +512,13 @@
- 	allow httpd_sys_script_t httpd_t:process sigchld;
+@@ -459,10 +516,20 @@
  ')
  
+ optional_policy(`
++	tunable_policy(`httpd_tty_comm',`
++		unconfined_use_terminals(httpd_t)
++	')
++')
++
 +optional_policy(`
-+	dbus_system_bus_client_template(httpd,httpd_t)
-+	tunable_policy(`allow_httpd_dbus_avahi',`
-+		avahi_dbus_chat(httpd_t)
+ 	calamaris_read_www_files(httpd_t)
+ ')
+ 
+ optional_policy(`
++	cron_system_entry(httpd_t, httpd_exec_t)
++')
++
++optional_policy(`
+ 	daemontools_service_domain(httpd_t, httpd_exec_t)
+ ')
+ 
+@@ -537,10 +604,16 @@
+ tunable_policy(`httpd_tty_comm',`
+ 	# cjp: this is redundant:
+ 	term_use_controlling_term(httpd_helper_t)
+-
+ 	userdom_use_sysadm_terms(httpd_helper_t)
+ ')
+ 
++optional_policy(`
++	tunable_policy(`httpd_tty_comm',`
++		unconfined_use_terminals(httpd_helper_t)
 +	')
 +')
 +
- # When the admin starts the server, the server wants to access
- # the TTY or PTY associated with the session. The httpd appears
- # to run correctly without this permission, so the permission
-@@ -668,6 +742,12 @@
++
+ ########################################
+ #
+ # Apache PHP script local policy
+@@ -631,17 +704,16 @@
+ 
+ miscfiles_read_localization(httpd_suexec_t)
+ 
+-ifdef(`targeted_policy',`
+-	tunable_policy(`httpd_enable_homedirs',`
+-		userdom_search_generic_user_home_dirs(httpd_suexec_t)
+-	')
++tunable_policy(`httpd_enable_homedirs',`
++	userdom_search_generic_user_home_dirs(httpd_suexec_t)
+ ')
+ 
+ tunable_policy(`httpd_can_network_connect',`
+ 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ 	allow httpd_suexec_t self:udp_socket create_socket_perms;
+ 
+-	corenet_non_ipsec_sendrecv(httpd_suexec_t)
++	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
++	corenet_all_recvfrom_netlabel(httpd_suexec_t)
+ 	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
+ 	corenet_udp_sendrecv_all_if(httpd_suexec_t)
+ 	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
+@@ -650,7 +722,6 @@
+ 	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ 	corenet_tcp_connect_all_ports(httpd_suexec_t)
+ 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
+-
+ 	sysnet_read_config(httpd_suexec_t)
+ ')
+ 
+@@ -668,6 +739,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -3036,7 +3192,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -706,7 +786,8 @@
+@@ -706,7 +783,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -3046,7 +3202,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,6 +801,8 @@
+@@ -720,21 +798,66 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -3055,20 +3211,61 @@
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file { getattr append };
  ')
-@@ -730,11 +813,21 @@
- 	')
+ 
+-ifdef(`targeted_policy',`
+-	tunable_policy(`httpd_enable_homedirs',`
+-		userdom_search_generic_user_home_dirs(httpd_sys_script_t)
+-	')
++tunable_policy(`httpd_enable_homedirs',`
++	userdom_search_generic_user_home_dirs(httpd_sys_script_t)
  ')
  
+-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 +tunable_policy(`httpd_use_nfs', `
-+	fs_read_nfs_files(httpd_sys_script_t)
-+	fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
- tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_files(httpd_sys_script_t)
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++	fs_read_nfs_files(httpd_sys_script_t)
++	fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
++	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
++	allow httpd_sys_script_t self:udp_socket create_socket_perms;
++
++	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
++	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
++	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
++	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
++	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
++	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
++	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
++	corenet_tcp_connect_postgresql_port(httpd_sys_script_t)
++	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
++	corenet_sendrecv_postgresql_client_packets(httpd_sys_script_t)
++	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
++	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
++	allow httpd_sys_script_t self:udp_socket create_socket_perms;
++
++	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
++	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
++	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
++	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
++	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
++	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
++	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
++	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
++	corenet_tcp_connect_all_ports(httpd_sys_script_t)
++	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
++')
++
++
 +tunable_policy(`httpd_use_cifs', `
 +	fs_read_cifs_files(httpd_sys_script_t)
 +	fs_read_cifs_symlinks(httpd_sys_script_t)
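Review bot: The two new `httpd_enable_cgi && …` blocks for httpd_sys_script_t repeat the same eight socket-create/recvfrom/sendrecv lines verbatim and differ only in which ports may be connected to, and when both booleans are on the shared rules are emitted twice; there is also a doubled blank line before the cifs block. Factor the common part into one block keyed on `httpd_enable_cgi && (httpd_can_network_connect || httpd_can_network_connect_db)` and keep only the connect and client-packet lines in the per-boolean blocks, as sketched below. The `httpd_can_network_connect` variant lets CGI scripts reach every TCP port, loopback-only services included, which matches what the boolean already means for httpd_t but deserves a one-line comment since CGI code is the most attacker-influenced part of the stack. The `httpd_use_cifs` block at the end of the hunk closes outside it.
```m4
tunable_policy(`httpd_enable_cgi && (httpd_can_network_connect || httpd_can_network_connect_db)',`
	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
	allow httpd_sys_script_t self:udp_socket create_socket_perms;

	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
	corenet_udp_sendrecv_all_if(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_nodes(httpd_sys_script_t)
	corenet_udp_sendrecv_all_nodes(httpd_sys_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
')

tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
	corenet_tcp_connect_postgresql_port(httpd_sys_script_t)
	corenet_tcp_connect_mysqld_port(httpd_sys_script_t)
	corenet_sendrecv_postgresql_client_packets(httpd_sys_script_t)
	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
')

# CGI scripts may connect anywhere, including loopback-only services
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
	corenet_tcp_connect_all_ports(httpd_sys_script_t)
	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
')
```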
@@ -3077,11 +3274,30 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -788,3 +881,19 @@
- 	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
- 	term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
+@@ -754,14 +877,12 @@
+ # Apache unconfined script local policy
+ #
+ 
+-unconfined_domain(httpd_unconfined_script_t)
+-
+ optional_policy(`
+-	cron_system_entry(httpd_t, httpd_exec_t)
++	nscd_socket_use(httpd_unconfined_script_t)
  ')
-+
+ 
+ optional_policy(`
+-	nscd_socket_use(httpd_unconfined_script_t)
++	unconfined_domain(httpd_unconfined_script_t)
+ ')
+ 
+ ########################################
+@@ -784,7 +905,25 @@
+ 
+ miscfiles_read_localization(httpd_rotatelogs_t)
+ 
+-ifdef(`targeted_policy',`
+-	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
+-	term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
 +#============= bugzilla policy ==============
 +apache_content_template(bugzilla)
 +allow httpd_bugzilla_script_t self:netlink_route_socket r_netlink_socket_perms;
@@ -3097,11 +3313,21 @@
 +	postgresql_stream_connect(httpd_bugzilla_script_t)
 +')
 +
++
++optional_policy(`
++	dbus_system_bus_client_template(httpd,httpd_t)
++	tunable_policy(`allow_httpd_dbus_avahi',`
++		avahi_dbus_chat(httpd_t)
++	')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-2.6.4/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.fc	2007-07-13 13:11:46.000000000 -0400
-@@ -3,3 +3,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.fc	2007-07-30 11:42:49.000000000 -0400
+@@ -1,5 +1,11 @@
+ /usr/sbin/apcupsd		--	gen_context(system_u:object_r:apcupsd_exec_t,s0)
+ 
  /var/log/apcupsd\.events.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
++/var/log/apcupsd\.status.*	--	gen_context(system_u:object_r:apcupsd_log_t,s0)
  
  /var/run/apcupsd\.pid		--	gen_context(system_u:object_r:apcupsd_var_run_t,s0)
 +
@@ -3140,7 +3366,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te	2007-07-30 11:42:24.000000000 -0400
 @@ -16,6 +16,9 @@
  type apcupsd_log_t;
  logging_log_file(apcupsd_log_t)
@@ -3186,20 +3412,23 @@
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
-@@ -54,6 +66,12 @@
+@@ -53,6 +65,15 @@
+ 
  files_read_etc_files(apcupsd_t)
  files_search_locks(apcupsd_t)
- 
++# Creates /etc/nologin
++files_manage_etc_runtime_files(apcupsd_t)
++files_etc_filetrans_etc_runtime(apcuspd_t,file)
++
 +#apcupsd runs shutdown, probably need a shutdown domain
 +init_rw_utmp(apcupsd_t)
 +init_telinit(apcupsd_t)
 +
 +kernel_read_system_state(apcupsd_t)
-+
+ 
  libs_use_ld_so(apcupsd_t)
  libs_use_shared_libs(apcupsd_t)
- 
-@@ -61,7 +79,39 @@
+@@ -61,7 +82,39 @@
  
  miscfiles_read_localization(apcupsd_t)
  
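Review bot: The new `files_etc_filetrans_etc_runtime(apcuspd_t,file)` line misspells the domain as `apcuspd_t`; no such type is declared in the apcupsd section, so the module will not build and, once the spelling is fixed, the /etc/nologin file the comment refers to is what gets the etc_runtime_t label. Change it to `files_etc_filetrans_etc_runtime(apcupsd_t,file)`. While here, `files_manage_etc_runtime_files` plus `init_telinit` give the UPS daemon write access to every etc_runtime_t file and the ability to change runlevel, which the two existing comments only partly explain; extending them to `# on power loss apcupsd writes /etc/nologin and runs shutdown: manage on etc_runtime_t and telinit` would tell the next reader why a daemon talking to a serial/USB device has these. The apcupsd_t section continues outside this hunk.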
@@ -3843,7 +4072,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-07-13 13:11:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc	2007-07-31 13:45:11.000000000 -0400
 @@ -8,6 +8,7 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -3852,15 +4081,24 @@
  /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
+@@ -17,7 +18,7 @@
+ 
+ /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ 
+-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/lib(64)?/cups/daemon -d gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
+ /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+ 
 @@ -52,3 +53,5 @@
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  
  /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
-+/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
-+
++/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Brother/lpd(/.*)?	gen_context(system_u:object_r:cupsd_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-07-19 10:33:19.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-07-31 12:58:13.000000000 -0400
 @@ -93,8 +93,6 @@
  # generic socket here until appletalk socket is available in kernels
  allow cupsd_t self:socket create_socket_perms;
@@ -3870,6 +4108,15 @@
  allow cupsd_t cupsd_etc_t:{ dir file } setattr;
  read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
  read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
+@@ -107,7 +105,7 @@
+ 
+ # allow cups to execute its backend scripts
+ can_exec(cupsd_t, cupsd_exec_t)
+-allow cupsd_t cupsd_exec_t:dir search;
++allow cupsd_t cupsd_exec_t:dir search_dir_perms;
+ allow cupsd_t cupsd_exec_t:lnk_file read;
+ 
+ manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
 @@ -151,14 +149,16 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
@@ -6488,8 +6735,8 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te	2007-07-16 16:14:39.000000000 -0400
-@@ -59,6 +59,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te	2007-07-31 14:16:39.000000000 -0400
+@@ -59,10 +59,13 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
  
@@ -6498,7 +6745,12 @@
  kernel_read_system_state(rpcd_t) 
  kernel_search_network_state(rpcd_t) 
  # for rpc.rquotad
-@@ -79,6 +81,7 @@
+ kernel_read_sysctl(rpcd_t)  
++kernel_getattr_core_if(nfsd_t)
+ 
+ fs_list_rpc(rpcd_t)
+ fs_read_rpc_files(rpcd_t)
+@@ -79,6 +82,7 @@
  
  optional_policy(`
  	nis_read_ypserv_config(rpcd_t)
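Review bot: `kernel_getattr_core_if(nfsd_t)` is added in the middle of the rpcd_t rule block (between `kernel_read_sysctl(rpcd_t)` and `fs_list_rpc(rpcd_t)`), and a later hunk of the same commit adds `kernel_dontaudit_getattr_core_if(nfsd_t)` in the nfsd_t section; an allow and a dontaudit for the same permission on the same domain cannot both be intended, the allow wins and the dontaudit is dead. This looks like the domain name was pasted from the wrong section: if rpcd was the one hitting the denial the line should read `kernel_getattr_core_if(rpcd_t)`, and if nfsd was, one of the two nfsd_t lines should be dropped. Please check against the AVC message that prompted the change.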
@@ -6506,7 +6758,7 @@
  ')
  
  ########################################
-@@ -91,6 +94,9 @@
+@@ -91,9 +95,13 @@
  allow nfsd_t exports_t:file { getattr read };
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
@@ -6516,7 +6768,11 @@
  # for /proc/fs/nfs/exports - should we have a new type?
  kernel_read_system_state(nfsd_t) 
  kernel_read_network_state(nfsd_t) 
-@@ -123,6 +129,7 @@
++kernel_dontaudit_getattr_core_if(nfsd_t) 
+ 
+ corenet_tcp_bind_all_rpc_ports(nfsd_t)
+ corenet_udp_bind_all_rpc_ports(nfsd_t)
+@@ -123,6 +131,7 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
@@ -7621,7 +7877,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.6.4/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.te	2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.te	2007-07-31 10:08:59.000000000 -0400
 @@ -448,6 +448,10 @@
  	rhgb_rw_tmpfs_files(xdm_xserver_t)
  ')
@@ -8190,7 +8446,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/brctl.te	2007-07-19 09:02:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/brctl.te	2007-07-30 11:23:46.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(brctl,1.0.0)
 +
@@ -8214,7 +8470,7 @@
 +allow brctl_t self:tcp_socket create_socket_perms;
 +allow brctl_t self:unix_dgram_socket create_socket_perms;
 +
-+dev_search_sysfs(brctl_t)
++dev_rw_sysfs(brctl_t)
 +
 +# Init script handling
 +domain_use_interactive_fds(brctl_t)
@@ -8307,7 +8563,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/fstools.te	2007-07-14 08:55:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/fstools.te	2007-07-25 10:26:51.000000000 -0400
 @@ -9,6 +9,7 @@
  type fsadm_t;
  type fsadm_exec_t;
@@ -8316,15 +8572,16 @@
  role system_r types fsadm_t;
  
  type fsadm_log_t;
-@@ -184,3 +185,8 @@
+@@ -184,3 +185,9 @@
  	fs_dontaudit_write_ramfs_pipes(fsadm_t)
  	rhgb_stub(fsadm_t)
  ')
 +
 +optional_policy(`
 +	xen_append_log(fsadm_t)
-+	xen_rw_image_files(udev_t)
++	xen_rw_image_files(fsadm_t)
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-2.6.4/policy/modules/system/fusermount.fc
 --- nsaserefpolicy/policy/modules/system/fusermount.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/system/fusermount.fc	2007-07-13 13:11:47.000000000 -0400
@@ -9083,7 +9340,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-07-26 14:57:05.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -9110,7 +9367,7 @@
  type syslogd_var_run_t;
  files_pid_file(syslogd_var_run_t)
  
-@@ -59,14 +67,17 @@
+@@ -59,13 +67,18 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
  ')
  
@@ -9122,16 +9379,17 @@
 +
  ########################################
  #
- # Auditd local policy
+-# Auditd local policy
++# Auditctl local policy
  #
  
 -allow auditctl_t self:capability { audit_write audit_control };
 -allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
--
++allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+ 
  read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
- 
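Review bot: `allow auditctl_t self:capability { fsetid dac_read_search dac_override };` lands under the renamed "Auditctl local policy" heading with no comment saying what needs it; dac_override and dac_read_search let auditctl bypass DAC on any file it can reach, and fsetid (keeping setgid bits across writes) has no obvious use for a tool whose job here is reading auditd_etc_t rules. If these came from an AVC denial, a `dontaudit` is the usual answer for dac_* on a root-run tool, and fsetid is very likely noise. At minimum add the rationale inline, e.g. `# TODO(review): document which file needs dac_override/dac_read_search; drop fsetid unless an AVC shows it`. The removed audit_write/audit_control rules presumably moved to a shared block outside this hunk — worth confirming nothing was lost.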
-@@ -91,6 +102,7 @@
+@@ -91,6 +104,7 @@
  
  locallogin_dontaudit_use_fds(auditctl_t)
  
@@ -9139,7 +9397,7 @@
  logging_send_syslog_msg(auditctl_t)
  
  ifdef(`targeted_policy',`
-@@ -103,12 +115,11 @@
+@@ -103,12 +117,11 @@
  # Auditd local policy
  #
  
@@ -9153,7 +9411,7 @@
  allow auditd_t self:fifo_file rw_file_perms;
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -146,6 +157,7 @@
+@@ -146,6 +159,7 @@
  
  init_telinit(auditd_t)
  
@@ -9161,7 +9419,7 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -265,8 +277,14 @@
+@@ -265,8 +279,14 @@
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
  files_pid_filetrans(syslogd_t,devlog_t,sock_file)
  
@@ -9176,7 +9434,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -331,6 +349,7 @@
+@@ -331,6 +351,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -9386,7 +9644,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-07-31 13:48:21.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -9459,7 +9717,7 @@
  	')
  ')
  
-@@ -204,4 +225,58 @@
+@@ -204,4 +225,65 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -9473,7 +9731,9 @@
 +#
 +# mount_ntfs local policy
 +#
-+allow mount_ntfs_t self:capability { setuid sys_admin };
++mount_ntfs_domtrans(mount_t)
++
++allow mount_ntfs_t self:capability { dac_override setuid sys_admin };
 +allow mount_ntfs_t self:fifo_file { read write };
 +allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
 +allow mount_ntfs_t self:unix_dgram_socket { connect create };
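Review bot: `dac_override` is added to the `mount_ntfs_t` capability set on the rewritten line with no comment recording what the domain was denied; `dac_read_search` is the narrower choice if the need is only to traverse or read paths that DAC would hide. The same hunk moves `mount_ntfs_domtrans(mount_t)` up here while the hunk at `@@ -9499,7 +9764,7 @@` adds `mount_domtrans(mount_ntfs_t)`, so mount_t and mount_ntfs_t can now transition into each other. A comment on one of the two lines stating the expected call chain, presumably the ntfs helper re-invoking mount, would make the round trip deliberate: `# mount_ntfs re-execs mount: allow mount_t -> mount_ntfs_t -> mount_t`.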
@@ -9482,6 +9742,11 @@
 +corecmd_exec_shell(mount_ntfs_t)
 +
 +files_read_etc_files(mount_ntfs_t)
++files_search_all(mount_ntfs_t)
++files_mounton_non_security_dir(mount_ntfs_t)
++
++fs_mount_fusefs(mount_ntfs_t)
++fs_unmount_fusefs(mount_ntfs_t)
 +
 +libs_use_ld_so(mount_ntfs_t)
 +libs_use_shared_libs(mount_ntfs_t)
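Review bot: `files_mounton_non_security_dir(mount_ntfs_t)` permits mounting over any directory carrying a non-security file type, which is considerably wider than the changelog's stated aim of letting mount_ntfs search `file_type:dir`; `files_search_all(mount_ntfs_t)` on the line above already covers that aim. If the mounton is needed only for the mount point the caller names, a comment saying so (and a narrower interface if one exists in this policy) would keep the breadth intentional rather than incidental. The `fs_mount_fusefs`/`fs_unmount_fusefs` pair suggests the ntfs helper is FUSE-based; a short comment such as `# ntfs helper mounts through FUSE` would explain why both are granted.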
@@ -9499,7 +9764,7 @@
 +
 +modutils_domtrans_insmod(mount_ntfs_t)
 +
-+mount_ntfs_domtrans(mount_t)
++mount_domtrans(mount_ntfs_t)
 +
 +storage_raw_read_fixed_disk(mount_ntfs_t)
 +storage_raw_write_fixed_disk(mount_ntfs_t)
@@ -9534,7 +9799,7 @@
  libs_use_ld_so(netlabel_mgmt_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/raid.te	2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/raid.te	2007-07-31 09:57:06.000000000 -0400
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -9552,6 +9817,14 @@
  
  term_dontaudit_list_ptys(mdadm_t)
  
+@@ -69,6 +70,7 @@
+ 
+ userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
+ userdom_dontaudit_use_sysadm_ttys(mdadm_t)
++userdom_dontaudit_search_all_users_home_content(mdadm_t)
+ 
+ mta_send_mail(mdadm_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.6.4/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.fc	2007-07-13 13:11:47.000000000 -0400
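Review bot: `userdom_dontaudit_search_all_users_home_content(mdadm_t)` suppresses denials rather than granting access, which is reasonable for noise, but the line gives no hint of what triggers the search (plausibly mdadm inheriting a home-directory cwd from an interactive shell). Because a dontaudit also hides any future case where mdadm is pointed at a path under a user's home directory, a comment such as `# mdadm inherits the caller's cwd; it needs no access to home content` would record why silence is acceptable here.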
@@ -10179,7 +10452,7 @@
  		init_dbus_chat_script(unconfined_execmem_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/userdomain.if	2007-07-13 13:11:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/userdomain.if	2007-07-28 11:08:16.000000000 -0400
 @@ -114,6 +114,22 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
@@ -10275,6 +10548,15 @@
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+@@ -1028,7 +1071,7 @@
+ 	# and may change other protocols
+ 	tunable_policy(`user_tcp_server',`
+ 		corenet_tcp_bind_all_nodes($1_t)
+-		corenet_tcp_bind_generic_port($1_t)
++		corenet_tcp_bind_all_unreserved_ports($1_t)
+ 	')
+ 
+ 	optional_policy(`
 @@ -1059,10 +1102,6 @@
  		dontaudit xdm_t $1_home_t:file rw_file_perms;
  	')
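Review bot: Replacing `corenet_tcp_bind_generic_port($1_t)` with `corenet_tcp_bind_all_unreserved_ports($1_t)` under the `user_tcp_server` tunable widens what a user domain may bind to from the generic unlabeled port type to every port type above the reserved range, which in refpolicy of this vintage includes the labeled ports of other services above 1024 if the attribute is assigned as usual. That lets a user process occupy a service's listening port whenever the service is not running, which the tunable's name does not advertise. If the intent is only to allow unlabeled or ephemeral ports, the original interface is the right one; otherwise the tunable's `<desc>` text (outside this hunk) should state that any unreserved port may be bound. The enclosing `tunable_policy` block and the user-domain template it sits in both start and end outside the hunk.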


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.480
retrieving revision 1.481
diff -u -r1.480 -r1.481
--- selinux-policy.spec	23 Jul 2007 20:07:20 -0000	1.480
+++ selinux-policy.spec	31 Jul 2007 19:49:42 -0000	1.481
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,8 +361,12 @@
 %endif
 
 %changelog
+* Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-30
+- Fix prelink to handle execmod
+- Allow mount_ntfs to search file_type:dir
+
 * Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-29
--
+- Multiple fixes
 
 * Fri Jul 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-28
 - Additional rules for openvpn reading homedirs



