rpms/selinux-policy/F-9 modules-mls.conf, 1.34, 1.35 policy-20071130.patch, 1.235, 1.236 selinux-policy.spec, 1.724, 1.725
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Nov 13 19:32:14 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25381
Modified Files:
modules-mls.conf policy-20071130.patch selinux-policy.spec
Log Message:
* Thu Nov 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-109
- Allow openvpn to create /etc/openvpn/ipp.txt
Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/modules-mls.conf,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- modules-mls.conf 12 Sep 2008 14:46:46 -0000 1.34
+++ modules-mls.conf 13 Nov 2008 19:31:41 -0000 1.35
@@ -1004,6 +1004,13 @@
setrans = base
# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = base
+
+# Layer: services
# Module: openvpn
#
# Policy for OPENVPN full-featured SSL VPN solution
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.235
retrieving revision 1.236
diff -u -r1.235 -r1.236
--- policy-20071130.patch 3 Nov 2008 22:12:29 -0000 1.235
+++ policy-20071130.patch 13 Nov 2008 19:31:41 -0000 1.236
@@ -6974,7 +6974,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.3.1/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/slocate.te 2008-11-03 16:14:47.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/slocate.te 2008-11-13 11:45:59.000000000 -0500
+@@ -22,7 +22,7 @@
+ #
+
+ allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
+-allow locate_t self:process { execmem execheap execstack };
++allow locate_t self:process { execmem execheap execstack signal };
+ allow locate_t self:fifo_file rw_fifo_file_perms;
+ allow locate_t self:unix_stream_socket create_socket_perms;
+
@@ -39,6 +39,7 @@
files_list_all(locate_t)
@@ -7686,7 +7695,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-11-03 16:02:14.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-11-13 14:23:30.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.15)
@@ -7702,15 +7711,16 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
-@@ -82,6 +83,7 @@
+@@ -82,6 +83,8 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(comsat, udp,512,s0)
+network_port(cyphesis, udp,32771,s0, tcp,6767,s0, tcp,6769,s0)
++portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -90,7 +92,9 @@
+@@ -90,7 +93,9 @@
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
@@ -7720,7 +7730,7 @@
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -109,11 +113,14 @@
+@@ -109,11 +114,14 @@
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
@@ -7735,7 +7745,7 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -122,6 +129,8 @@
+@@ -122,6 +130,8 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -7744,9 +7754,16 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -133,10 +142,13 @@
+@@ -132,11 +142,20 @@
+ network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
++network_port(pki_ospc, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
++network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0)
++network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0)
network_port(postfix_policyd, tcp,10031,s0)
+network_port(pulseaudio, tcp,4713,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
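Review bot: `network_port(pki_ospc, ...)` looks like a transposition of `pki_ocsp`. Everything else this commit adds for that subsystem spells it `ocsp` (`pki_ocsp_exec_t`, `/etc/pki-ocsp`, `pki_ocsp_admin`), and the macro derives the port type from its first argument, so as written the declared type would be `pki_ospc_port_t`. `pki_ca_template` in pki.if requires `type $1_port_t` and allows `name_bind`/`name_connect` on it, so if the template is instantiated with `pki_ocsp` (the instantiation is not visible here), the required type would be missing and ports 11180–11445 would carry a label no domain is granted. Suggested line: `network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)`.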
@@ -7758,7 +7775,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -148,11 +160,11 @@
+@@ -148,11 +167,11 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -7772,7 +7789,7 @@
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
-@@ -165,12 +177,18 @@
+@@ -165,12 +184,18 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -8551,7 +8568,7 @@
# /emul
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-11-03 16:02:14.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-11-10 12:25:31.000000000 -0500
@@ -110,6 +110,11 @@
## </param>
#
@@ -8564,6 +8581,17 @@
files_type($1)
')
+@@ -891,8 +896,8 @@
+ relabel_lnk_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_fifo_files_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_sock_files_pattern($1,{ file_type $2 },{ file_type $2 })
+- relabelfrom_blk_files_pattern($1,{ file_type $2 },{ file_type $2 })
+- relabelfrom_chr_files_pattern($1,{ file_type $2 },{ file_type $2 })
++ relabel_blk_files_pattern($1,{ file_type $2 },{ file_type $2 })
++ relabel_chr_files_pattern($1,{ file_type $2 },{ file_type $2 })
+
+ # satisfy the assertions:
+ seutil_relabelto_bin_policy($1)
@@ -1023,6 +1028,24 @@
## </summary>
## </param>
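Review bot: Replacing `relabelfrom_blk_files_pattern` / `relabelfrom_chr_files_pattern` with `relabel_blk_files_pattern` / `relabel_chr_files_pattern` presumably adds `relabelto` on block and character device files for every caller of this interface, and nothing in the hunk says why. Upstream limited these two classes to relabelfrom while lnk, fifo and sock files got the full relabel pattern, which looks deliberate, since being able to relabel a device node to an arbitrary type weakens the separation that device labels provide. Please add a comment naming the domain that needs it, e.g. `# <caller> must relabel device nodes to their final type; upstream grants relabelfrom only`, or put the wider permission in a separate interface for that one caller. The enclosing interface starts outside this hunk, so which callers are affected cannot be told from here.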
@@ -10396,7 +10424,7 @@
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.3.1/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-11-03 16:02:14.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/storage.fc 2008-11-05 13:22:49.000000000 -0500
@@ -13,6 +13,7 @@
/dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -10405,7 +10433,15 @@
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
-@@ -34,7 +35,7 @@
+@@ -26,6 +27,7 @@
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
++/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -34,7 +36,7 @@
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -10414,7 +10450,7 @@
/dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
ifdef(`distro_redhat', `
/dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -48,6 +49,7 @@
+@@ -48,6 +50,7 @@
/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -11356,7 +11392,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-11-03 16:14:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-11-13 14:29:46.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
@@ -11617,14 +11653,14 @@
+ filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
++
++tunable_policy(`allow_httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
++')
- manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
- manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
- manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
-+tunable_policy(`allow_httpd_sys_script_anon_write',`
-+ miscfiles_manage_public_files(httpd_sys_script_t)
-+')
-+
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
@@ -11638,13 +11674,20 @@
')
tunable_policy(`httpd_enable_ftp_server',`
-@@ -399,11 +493,21 @@
+@@ -399,11 +493,28 @@
fs_read_nfs_symlinks(httpd_t)
')
+tunable_policy(`httpd_use_nfs',`
-+ fs_read_nfs_files(httpd_t)
-+ fs_read_nfs_symlinks(httpd_t)
++ fs_manage_nfs_files(httpd_t)
++ fs_manage_nfs_symlinks(httpd_t)
++ fs_manage_nfs_symlinks(httpd_t)
++')
++
++tunable_policy(`httpd_use_nfs',`
++ fs_manage_nfs_dirs(httpd_suexec_t)
++ fs_manage_nfs_files(httpd_suexec_t)
++ fs_manage_nfs_symlinks(httpd_suexec_t)
+')
+
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
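Review bot: The new `httpd_use_nfs` block for httpd_t lists `fs_manage_nfs_symlinks(httpd_t)` twice and grants no directory access, while the httpd_suexec_t block right below it uses `fs_manage_nfs_dirs`, `fs_manage_nfs_files` and `fs_manage_nfs_symlinks`; one of the duplicates was probably meant to be `fs_manage_nfs_dirs(httpd_t)`. The same doubled line appears for httpd_sys_script_t in the later `@@ -11860,11 +11903,13 @@` hunk. Separately, the boolean goes from `fs_read_nfs_*` to `fs_manage_nfs_*`, so a host that already enabled it to serve read-only content gains write, create and delete on NFS for httpd after the update. Either note that in the tunable's description or keep read under `httpd_use_nfs` and put the manage rules behind a separate boolean.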
@@ -11660,7 +11703,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +541,13 @@
+@@ -437,8 +548,13 @@
')
optional_policy(`
@@ -11676,7 +11719,7 @@
')
optional_policy(`
-@@ -450,19 +559,13 @@
+@@ -450,19 +566,13 @@
')
optional_policy(`
@@ -11697,7 +11740,7 @@
')
optional_policy(`
-@@ -472,13 +575,23 @@
+@@ -472,13 +582,23 @@
openca_kill(httpd_t)
')
@@ -11725,7 +11768,7 @@
')
optional_policy(`
-@@ -486,6 +599,7 @@
+@@ -486,6 +606,7 @@
')
optional_policy(`
@@ -11733,7 +11776,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +635,22 @@
+@@ -521,6 +642,22 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -11756,7 +11799,7 @@
########################################
#
# Apache PHP script local policy
-@@ -550,18 +680,26 @@
+@@ -550,18 +687,26 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -11786,7 +11829,7 @@
')
########################################
-@@ -585,6 +723,8 @@
+@@ -585,6 +730,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -11795,7 +11838,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +733,7 @@
+@@ -593,9 +740,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -11806,7 +11849,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +766,7 @@
+@@ -628,6 +773,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -11814,7 +11857,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +777,12 @@
+@@ -638,6 +784,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -11827,7 +11870,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +800,6 @@
+@@ -655,10 +807,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -11838,7 +11881,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +809,8 @@
+@@ -668,7 +816,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -11848,7 +11891,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +824,46 @@
+@@ -682,15 +831,48 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -11860,11 +11903,13 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
++ fs_manage_nfs_files(httpd_sys_script_t)
++ fs_manage_nfs_symlinks(httpd_sys_script_t)
++ fs_manage_nfs_symlinks(httpd_sys_script_t)
+')
+
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_dirs(httpd_sys_script_t)
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -11896,7 +11941,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +876,10 @@
+@@ -703,6 +885,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11907,7 +11952,7 @@
')
########################################
-@@ -724,3 +901,71 @@
+@@ -724,3 +910,71 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -15376,10 +15421,14 @@
+files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.3.1/policy/modules/services/cyphesis.fc
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cyphesis.fc 2008-11-03 16:14:20.000000000 -0500
-@@ -0,0 +1,2 @@
++++ serefpolicy-3.3.1/policy/modules/services/cyphesis.fc 2008-11-04 09:01:22.000000000 -0500
+@@ -0,0 +1,6 @@
+
+/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
++
++/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
++
++/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.if serefpolicy-3.3.1/policy/modules/services/cyphesis.if
--- nsaserefpolicy/policy/modules/services/cyphesis.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cyphesis.if 2008-11-03 16:14:20.000000000 -0500
@@ -18684,8 +18733,8 @@
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.3.1/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.fc 2008-11-03 16:14:20.000000000 -0500
-@@ -7,12 +7,21 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.fc 2008-11-10 14:48:54.000000000 -0500
+@@ -7,12 +7,22 @@
/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
@@ -18698,6 +18747,7 @@
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
@@ -18994,7 +19044,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.3.1/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-11-03 16:14:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/kerberos.te 2008-11-10 14:43:51.000000000 -0500
@@ -16,6 +16,7 @@
type kadmind_t;
type kadmind_exec_t;
@@ -21902,8 +21952,16 @@
kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.3.1/policy/modules/services/openvpn.fc
--- nsaserefpolicy/policy/modules/services/openvpn.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/openvpn.fc 2008-11-03 16:14:20.000000000 -0500
-@@ -11,5 +11,7 @@
++++ serefpolicy-3.3.1/policy/modules/services/openvpn.fc 2008-11-13 11:40:23.000000000 -0500
+@@ -2,6 +2,7 @@
+ # /etc
+ #
+ /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
++/etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
+
+ #
+ # /usr
+@@ -11,5 +12,7 @@
#
# /var
#
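Review bot: The dot in `/etc/openvpn/ipp.txt` is an unescaped regex metacharacter, so this entry matches any character in that position; other file-context entries in this same patch escape it (`kadm5\.keytab`, `principal\.ok`). Write it as `/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)`. An ipp.txt that already exists keeps its old openvpn_etc_t label until it is relabelled, and whether the spec file runs restorecon on the path is not visible on this page.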
@@ -22036,7 +22094,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.3.1/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/openvpn.te 2008-11-03 16:14:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/openvpn.te 2008-11-13 11:41:08.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -22046,16 +22104,19 @@
## </p>
## </desc>
gen_tunable(openvpn_enable_homedirs,false)
-@@ -20,7 +20,7 @@
+@@ -20,7 +20,10 @@
# configuration files
type openvpn_etc_t;
-files_type(openvpn_etc_t)
+files_config_file(openvpn_etc_t)
++
++type openvpn_etc_rw_t;
++files_config_file(openvpn_etc_rw_t)
# log files
type openvpn_var_log_t;
-@@ -30,12 +30,15 @@
+@@ -30,12 +33,15 @@
type openvpn_var_run_t;
files_pid_file(openvpn_var_run_t)
@@ -22072,15 +22133,20 @@
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -47,6 +50,7 @@
- allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+@@ -44,9 +50,11 @@
+ allow openvpn_t self:tcp_socket server_stream_socket_perms;
+ allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+-allow openvpn_t openvpn_etc_t:dir list_dir_perms;
++manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t)
read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
++filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file)
+can_exec(openvpn_t,openvpn_etc_t)
allow openvpn_t openvpn_var_log_t:file manage_file_perms;
logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
-@@ -77,6 +81,7 @@
+@@ -77,6 +85,7 @@
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_rw_tun_tap_dev(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
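Review bot: `filetrans_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_rw_t, file)` is not limited to ipp.txt: every regular file openvpn_t creates in an openvpn_etc_t directory is labelled openvpn_etc_rw_t, and the macro presumably also gives openvpn_t write access to those directories (its definition is not on this page). Combined with `manage_files_pattern(openvpn_t,openvpn_etc_rw_t,openvpn_etc_rw_t)`, the daemon can create and rewrite new files next to its configuration, which is wider than the changelog's "create /etc/openvpn/ipp.txt". Please document that above the rule, e.g. `# ipp.txt (ifconfig-pool-persist) is written at runtime; the transition applies to the whole directory, not one file name`. Also confirm that directory listing is still granted now that `allow openvpn_t openvpn_etc_t:dir list_dir_perms;` is removed.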
@@ -22088,7 +22154,7 @@
dev_search_sysfs(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -110,3 +115,12 @@
+@@ -110,3 +119,12 @@
networkmanager_dbus_chat(openvpn_t)
')
@@ -22161,6 +22227,818 @@
rpm_exec(pegasus_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.3.1/policy/modules/services/pki.fc
+--- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/pki.fc 2008-11-13 14:24:04.000000000 -0500
+@@ -0,0 +1,66 @@
++
++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0)
++
++/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
++
++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
++/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0)
++
++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0)
++
++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0)
++
++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0)
++
++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0)
++
++/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
++
++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
++/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0)
++
++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0)
++
++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0)
++
++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0)
++
++/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0)
++
++/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
++
++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
++/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0)
++
++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0)
++
++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
++
++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0)
++
++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
++/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0)
++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
++
++
++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0)
++
++/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
++
++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
++/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0)
++
++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0)
++
++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0)
++
++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0)
++
++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
++/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.3.1/policy/modules/services/pki.if
+--- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/pki.if 2008-11-13 14:24:04.000000000 -0500
+@@ -0,0 +1,643 @@
++
++## <summary>policy for pki</summary>
++
++########################################
++## <summary>
++## Execute pki_ca server in the pki_ca domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_ca_script_domtrans',`
++ gen_require(`
++ attribute pki_ca_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_ca_script)
++')
++
++########################################
++## <summary>
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`pki_ca_template',`
++ gen_require(`
++ attribute pki_ca_process;
++ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
++ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
++ type pki_ca_tomcat_exec_t;
++ type $1_port_t;
++ ')
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_ca_process;
++ type $1_exec_t, pki_ca_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_ca_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_ca_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_run_t, pki_ca_var_run;
++ files_pid_file($1_var_run_t)
++
++ type $1_var_lib_t, pki_ca_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_ca_var_log;
++ logging_log_file($1_log_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ # Execstack/execmem caused by java app.
++ allow $1_t self:process { execstack execmem getsched setsched };
++
++ ## internal communication is often done using fifo and unix sockets.
++ allow $1_t self:fifo_file rw_file_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
++ allow $1_t self:tcp_socket create_stream_socket_perms;
++ allow $1_t self:process signull;
++
++ allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
++
++ corenet_all_recvfrom_unlabeled($1_t)
++ corenet_tcp_sendrecv_all_if($1_t)
++ corenet_tcp_sendrecv_all_nodes($1_t)
++ corenet_tcp_sendrecv_all_ports($1_t)
++
++ corenet_tcp_bind_all_nodes($1_t)
++ corenet_tcp_bind_ocsp_port($1_t)
++ corenet_tcp_connect_ocsp_port($1_t)
++
++ # This is for /etc/$1/tomcat.conf:
++ can_exec($1_t, pki_ca_tomcat_exec_t)
++
++ # Init script handling
++ domain_use_interactive_fds($1_t)
++
++ files_read_etc_files($1_t)
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ corecmd_exec_bin($1_t)
++ corecmd_read_bin_symlinks($1_t)
++ corecmd_exec_shell($1_t)
++
++ dev_list_sysfs($1_t)
++ dev_read_rand($1_t)
++ dev_read_urand($1_t)
++
++ # Java is looking in /tmp for some reason...:
++ files_manage_generic_tmp_dirs($1_t)
++ files_manage_generic_tmp_files($1_t)
++ files_read_usr_files($1_t)
++ files_read_usr_symlinks($1_t)
++ # These are used to read tomcat class files in /var/lib/tomcat
++ files_read_var_lib_files($1_t)
++ files_read_var_lib_symlinks($1_t)
++
++ kernel_read_network_state($1_t)
++ kernel_read_system_state($1_t)
++ kernel_search_network_state($1_t)
++ # audit2allow
++ kernel_signull_unlabeled($1_t)
++
++ auth_use_nsswitch($1_t)
++
++ init_dontaudit_write_utmp($1_t)
++
++ libs_use_ld_so($1_t)
++ libs_use_shared_libs($1_t)
++
++ miscfiles_read_localization($1_t)
++
++ ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys($1_t)
++ term_dontaudit_use_generic_ptys($1_t)
++ ')
++
++#This is broken in selinux-policy we need java_exec defined, Will add to policy
++ gen_require(`
++ type java_exec_t;
++ ')
++ can_exec($1_t, java_exec_t)
++
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_ca environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_ca_admin',`
++ gen_require(`
++ type pki_ca_tomcat_exec_t;
++ attribute pki_ca_process;
++ attribute pki_ca_config;
++ attribute pki_ca_executable;
++ attribute pki_ca_var_lib;
++ attribute pki_ca_var_log;
++ attribute pki_ca_var_run;
++ attribute pki_ca_pidfiles;
++ attribute pki_ca_script;
++ ')
++
++ allow $1 pki_ca_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_ca_t)
++
++ # Allow pki_ca_t to restart the service
++ pki_ca_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_ca_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_ca_config)
++ manage_all_pattern($1, pki_ca_var_run)
++ manage_all_pattern($1, pki_ca_var_lib)
++ manage_all_pattern($1, pki_ca_var_log)
++ manage_all_pattern($1, pki_ca_config)
++ manage_all_pattern($1, pki_ca_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_kra server in the pki_kra domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_kra_script_domtrans',`
++ gen_require(`
++ attribute pki_kra_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_kra_script)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_kra environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_kra_admin',`
++ gen_require(`
++ type pki_kra_tomcat_exec_t;
++ attribute pki_kra_process;
++ attribute pki_kra_config;
++ attribute pki_kra_executable;
++ attribute pki_kra_var_lib;
++ attribute pki_kra_var_log;
++ attribute pki_kra_var_run;
++ attribute pki_kra_pidfiles;
++ attribute pki_kra_script;
++ ')
++
++ allow $1 pki_kra_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_kra_t)
++
++ # Allow pki_kra_t to restart the service
++ pki_kra_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_kra_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_kra_config)
++ manage_all_pattern($1, pki_kra_var_run)
++ manage_all_pattern($1, pki_kra_var_lib)
++ manage_all_pattern($1, pki_kra_var_log)
++ manage_all_pattern($1, pki_kra_config)
++ manage_all_pattern($1, pki_kra_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_ocsp server in the pki_ocsp domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_ocsp_script_domtrans',`
++ gen_require(`
++ attribute pki_ocsp_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_ocsp_script)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_ocsp environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_ocsp_admin',`
++ gen_require(`
++ type pki_ocsp_tomcat_exec_t;
++ attribute pki_ocsp_process;
++ attribute pki_ocsp_config;
++ attribute pki_ocsp_executable;
++ attribute pki_ocsp_var_lib;
++ attribute pki_ocsp_var_log;
++ attribute pki_ocsp_var_run;
++ attribute pki_ocsp_pidfiles;
++ attribute pki_ocsp_script;
++ ')
++
++ allow $1 pki_ocsp_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_ocsp_t)
++
++ # Allow pki_ocsp_t to restart the service
++ pki_ocsp_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_ocsp_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_ocsp_config)
++ manage_all_pattern($1, pki_ocsp_var_run)
++ manage_all_pattern($1, pki_ocsp_var_lib)
++ manage_all_pattern($1, pki_ocsp_var_log)
++ manage_all_pattern($1, pki_ocsp_config)
++ manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_ra server in the pki_ra domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_ra_script_domtrans',`
++ gen_require(`
++ attribute pki_ra_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_ra_script)
++')
++
++########################################
++## <summary>
++## Create a set of derived types for apache
++## web content.
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++#
++template(`pki_ra_template',`
++ gen_require(`
++ attribute pki_ra_process;
++ attribute pki_ra_config, pki_ra_var_lib;
++ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
++ ')
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_t, pki_ra_process;
++ type $1_exec_t, pki_ra_executable;
++ domain_type($1_t)
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_script_exec_t, pki_ra_script;
++ init_script_file($1_script_exec_t)
++
++ type $1_etc_rw_t, pki_ra_config;
++ files_type($1_etc_rw_t)
++
++ type $1_var_lib_t, pki_ra_var_lib;
++ files_type($1_var_lib_t)
++
++ type $1_log_t, pki_ra_var_log;
++ logging_log_file($1_log_t)
++
++ ########################################
++ #
++ # $1 local policy
++ #
++
++ ## internal communication is often done using fifo and unix sockets.
++ allow $1_t self:fifo_file rw_file_perms;
++ allow $1_t self:unix_stream_socket create_stream_socket_perms;
++
++ # Init script handling
++ domain_use_interactive_fds($1_t)
++
++ files_read_etc_files($1_t)
++
++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { file dir } )
++
++ init_dontaudit_write_utmp($1_t)
++
++ libs_use_ld_so($1_t)
++ libs_use_shared_libs($1_t)
++
++ miscfiles_read_localization($1_t)
++
++ ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys($1_t)
++ term_dontaudit_use_generic_ptys($1_t)
++ ')
++
++ gen_require(`
++ type httpd_t;
++ ')
++
++ allow httpd_t pki_ra_etc_rw_t:file { read getattr };
++ allow httpd_t pki_ra_log_t:file read;
++ allow httpd_t pki_ra_var_lib_t:lnk_file read;
++
++
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_ra environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_ra_admin',`
++ gen_require(`
++ attribute pki_ra_process;
++ attribute pki_ra_config;
++ attribute pki_ra_executable;
++ attribute pki_ra_var_lib;
++ attribute pki_ra_var_log;
++ attribute pki_ra_script;
++ ')
++
++ allow $1 pki_ra_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_ra_t)
++
++ # Allow pki_ra_t to restart the service
++ pki_ra_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_ra_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_ra_config)
++ manage_all_pattern($1, pki_ra_var_lib)
++ manage_all_pattern($1, pki_ra_var_log)
++ manage_all_pattern($1, pki_ra_config)
++')
++
++########################################
++## <summary>
++## Execute pki_tks server in the pki_tks domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_tks_script_domtrans',`
++ gen_require(`
++ attribute pki_tks_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_tks_script)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_tks environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_tks_admin',`
++ gen_require(`
++ type pki_tks_tomcat_exec_t;
++ attribute pki_tks_process;
++ attribute pki_tks_config;
++ attribute pki_tks_executable;
++ attribute pki_tks_var_lib;
++ attribute pki_tks_var_log;
++ attribute pki_tks_var_run;
++ attribute pki_tks_pidfiles;
++ attribute pki_tks_script;
++ ')
++
++ allow $1 pki_tks_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_tks_t)
++
++ # Allow pki_tks_t to restart the service
++ pki_tks_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_tks_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_tks_config)
++ manage_all_pattern($1, pki_tks_var_run)
++ manage_all_pattern($1, pki_tks_var_lib)
++ manage_all_pattern($1, pki_tks_var_log)
++ manage_all_pattern($1, pki_tks_config)
++ manage_all_pattern($1, pki_tks_tomcat_exec_t)
++')
++
++########################################
++## <summary>
++## Execute pki_tps server in the pki_tps domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`pki_tps_script_domtrans',`
++ gen_require(`
++ attribute pki_tps_script;
++ ')
++
++ init_script_domtrans_spec($1,pki_tps_script)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an pki_tps environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pki_tps_admin',`
++ gen_require(`
++ attribute pki_tps_process;
++ attribute pki_tps_config;
++ attribute pki_tps_executable;
++ attribute pki_tps_var_lib;
++ attribute pki_tps_var_log;
++ attribute pki_tps_script;
++ ')
++
++ allow $1 pki_tps_process:process { ptrace signal_perms };
++ ps_process_pattern($1, pki_tps_t)
++
++ # Allow pki_tps_t to restart the service
++ pki_tps_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 pki_tps_script system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, pki_tps_config)
++ manage_all_pattern($1, pki_tps_var_lib)
++ manage_all_pattern($1, pki_tps_var_log)
++ manage_all_pattern($1, pki_tps_config)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.3.1/policy/modules/services/pki.te
+--- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/pki.te 2008-11-13 14:24:04.000000000 -0500
+@@ -0,0 +1,91 @@
++policy_module(pki,1.0.0)
++
++attribute pki_ca_config;
++attribute pki_ca_executable;
++attribute pki_ca_var_lib;
++attribute pki_ca_var_log;
++attribute pki_ca_var_run;
++attribute pki_ca_pidfiles;
++attribute pki_ca_script;
++attribute pki_ca_process;
++
++type pki_ca_tomcat_exec_t;
++files_type(pki_ca_tomcat_exec_t)
++
++pki_ca_template(pki_ca)
++
++attribute pki_kra_config;
++attribute pki_kra_executable;
++attribute pki_kra_var_lib;
++attribute pki_kra_var_log;
++attribute pki_kra_var_run;
++attribute pki_kra_pidfiles;
++attribute pki_kra_script;
++attribute pki_kra_process;
++
++type pki_kra_tomcat_exec_t;
++files_type(pki_kra_tomcat_exec_t)
++
++pki_ca_template(pki_kra)
++
++
++attribute pki_ocsp_config;
++attribute pki_ocsp_executable;
++attribute pki_ocsp_var_lib;
++attribute pki_ocsp_var_log;
++attribute pki_ocsp_var_run;
++attribute pki_ocsp_pidfiles;
++attribute pki_ocsp_script;
++attribute pki_ocsp_process;
++
++type pki_ocsp_tomcat_exec_t;
++files_type(pki_ocsp_tomcat_exec_t)
++
++pki_ca_template(pki_ocsp)
++
++
++attribute pki_ra_config;
++attribute pki_ra_executable;
++attribute pki_ra_var_lib;
++attribute pki_ra_var_log;
++attribute pki_ra_var_run;
++attribute pki_ra_pidfiles;
++attribute pki_ra_script;
++attribute pki_ra_process;
++
++type pki_ra_tomcat_exec_t;
++files_type(pki_ra_tomcat_exec_t)
++
++pki_ra_template(pki_ra)
++
++
++attribute pki_tks_config;
++attribute pki_tks_executable;
++attribute pki_tks_var_lib;
++attribute pki_tks_var_log;
++attribute pki_tks_var_run;
++attribute pki_tks_pidfiles;
++attribute pki_tks_script;
++attribute pki_tks_process;
++
++type pki_tks_tomcat_exec_t;
++files_type(pki_tks_tomcat_exec_t)
++
++pki_ca_template(pki_tks)
++
++
++attribute pki_tps_config;
++attribute pki_tps_executable;
++attribute pki_tps_var_lib;
++attribute pki_tps_var_log;
++attribute pki_tps_var_run;
++attribute pki_tps_pidfiles;
++attribute pki_tps_script;
++attribute pki_tps_process;
++
++type pki_tps_tomcat_exec_t;
++files_type(pki_tps_tomcat_exec_t)
++
++pki_ra_template(pki_tps)
++
++
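Review bot: `pki_ra_template(pki_tps)` at the end of the new pki.te does not give httpd_t any access to the TPS files, because the template body in pki.if names `pki_ra_etc_rw_t`, `pki_ra_log_t` and `pki_ra_var_lib_t` literally in its three `allow httpd_t ...` rules instead of deriving them from `$1`. The second instantiation therefore only repeats the RA rules. If the TPS instance is also meant to be read by httpd_t, the rules should be `allow httpd_t $1_etc_rw_t:file { read getattr };`, `allow httpd_t $1_log_t:file read;` and `allow httpd_t $1_var_lib_t:lnk_file read;`. If they are deliberately RA-only, they belong outside the template, next to the `pki_ra_template(pki_ra)` call. The template's summary ("Create a set of derived types for apache web content") and the admin interfaces' role text ("manage the syslog domain") look copied from other modules and should describe the PKI types instead.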
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.fc serefpolicy-3.3.1/policy/modules/services/podsleuth.fc
--- nsaserefpolicy/policy/modules/services/podsleuth.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/podsleuth.fc 2008-11-03 16:14:20.000000000 -0500
@@ -22536,8 +23414,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-11-03 16:14:20.000000000 -0500
-@@ -0,0 +1,220 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-11-05 11:49:08.000000000 -0500
+@@ -0,0 +1,221 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
@@ -22693,6 +23571,7 @@
+logging_send_syslog_msg(polkit_grant_t)
+
+polkit_domtrans_auth(polkit_grant_t)
++polkit_domtrans_resolve(polkit_grant_t)
+
+manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)
+
@@ -26911,7 +27790,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-11-03 16:14:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-11-05 12:58:33.000000000 -0500
@@ -17,6 +17,13 @@
## <desc>
@@ -27093,7 +27972,7 @@
')
optional_policy(`
-@@ -363,6 +412,12 @@
+@@ -363,10 +412,18 @@
udev_read_db(smbd_t)
')
@@ -27105,8 +27984,14 @@
+
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
++ auth_read_all_dirs_except_shadow(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
-@@ -391,7 +446,7 @@
+ fs_read_noxattr_fs_files(nmbd_t)
++ auth_read_all_dirs_except_shadow(nmbd_t)
+ auth_read_all_files_except_shadow(nmbd_t)
+ ')
+
+@@ -391,7 +448,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -27115,7 +28000,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +458,7 @@
+@@ -403,8 +460,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -27125,7 +28010,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +493,7 @@
+@@ -439,6 +495,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -27133,7 +28018,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +577,7 @@
+@@ -522,6 +579,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -27141,7 +28026,7 @@
corecmd_list_bin(smbmount_t)
-@@ -533,41 +589,50 @@
+@@ -533,41 +591,50 @@
auth_use_nsswitch(smbmount_t)
@@ -27202,7 +28087,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +642,9 @@
+@@ -577,7 +644,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -27213,7 +28098,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -602,10 +669,12 @@
+@@ -602,10 +671,12 @@
dev_read_urand(swat_t)
@@ -27226,7 +28111,7 @@
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -614,6 +683,7 @@
+@@ -614,6 +685,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -27234,7 +28119,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -631,6 +701,17 @@
+@@ -631,6 +703,17 @@
kerberos_use(swat_t)
')
@@ -27252,7 +28137,7 @@
########################################
#
# Winbind local policy
-@@ -673,12 +754,15 @@
+@@ -673,12 +756,15 @@
manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
@@ -27268,7 +28153,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -764,8 +848,13 @@
+@@ -764,8 +850,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -27282,7 +28167,7 @@
')
########################################
-@@ -774,19 +863,64 @@
+@@ -774,19 +865,64 @@
#
optional_policy(`
@@ -28182,7 +29067,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.3.1/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-11-03 16:14:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-11-13 13:38:35.000000000 -0500
@@ -18,12 +18,16 @@
type snmpd_var_lib_t;
files_type(snmpd_var_lib_t)
@@ -28195,13 +29080,13 @@
# Local policy
#
-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
-+allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace };
++allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_tty_config sys_ptrace };
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+allow snmpd_t self:process { getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -45,6 +49,7 @@
+@@ -45,10 +49,13 @@
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
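Review bot: The widened rule `allow snmpd_t self:capability { dac_override ipc_lock kill net_admin sys_nice sys_tty_config sys_ptrace };` carries no comment saying which snmpd feature needs `ipc_lock` (or the earlier `sys_ptrace`). snmpd_t is a network-facing daemon, so each capability it holds deserves a recorded reason that a later audit can check. I would put a comment directly above the rule, for example `# ipc_lock: <feature that locks memory> (bug <ID>)`, with the real reference filled in. The following `dontaudit` line still lists `sys_tty_config`, which the allow rule already grants, so that entry appears to have no effect and could be dropped for clarity.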
@@ -28209,7 +29094,13 @@
kernel_read_net_sysctls(snmpd_t)
kernel_read_proc_symlinks(snmpd_t)
kernel_read_system_state(snmpd_t)
-@@ -76,13 +81,14 @@
+ kernel_read_network_state(snmpd_t)
++kernel_read_xen_state(snmpd_t)
++kernel_write_xen_state(snmpd_t)
+
+ corecmd_exec_bin(snmpd_t)
+ corecmd_exec_shell(snmpd_t)
+@@ -76,13 +83,14 @@
domain_use_interactive_fds(snmpd_t)
domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
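Review bot: `kernel_write_xen_state(snmpd_t)` gives the SNMP agent unconditional write access to the Xen state files, and nothing in the hunk or the changelog says what needs it. The read interface added on the line above is presumably enough for collecting guest statistics. If writing really is required, the rule should carry a comment naming the consumer and ideally sit behind a boolean, so hosts that do not run Xen monitoring are not given it. The same missing-rationale question applies to `virt_stream_connect(snmpd_t)`, `xen_stream_connect(snmpd_t)` and `xen_stream_connect_xenstore(snmpd_t)` in the last snmp.te hunk, although those are at least wrapped in `optional_policy`.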
@@ -28226,7 +29117,7 @@
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
-@@ -94,6 +100,8 @@
+@@ -94,6 +102,8 @@
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
@@ -28235,7 +29126,7 @@
libs_use_ld_so(snmpd_t)
libs_use_shared_libs(snmpd_t)
-@@ -120,7 +128,7 @@
+@@ -120,7 +130,7 @@
')
optional_policy(`
@@ -28244,6 +29135,19 @@
')
optional_policy(`
+@@ -151,3 +161,12 @@
+ optional_policy(`
+ udev_read_db(snmpd_t)
+ ')
++
++optional_policy(`
++ virt_stream_connect(snmpd_t)
++')
++
++optional_policy(`
++ xen_stream_connect(snmpd_t)
++ xen_stream_connect_xenstore(snmpd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.3.1/policy/modules/services/snort.fc
--- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/snort.fc 2008-11-03 16:14:20.000000000 -0500
@@ -34194,6 +35098,17 @@
zebra_read_config(initrc_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.3.1/policy/modules/system/ipsec.fc
+--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/ipsec.fc 2008-11-05 10:39:34.000000000 -0500
+@@ -26,6 +26,7 @@
+ /usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+
++/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.3.1/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/ipsec.if 2008-11-03 16:14:39.000000000 -0500
@@ -34341,7 +35256,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-11-03 16:14:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-11-05 11:29:06.000000000 -0500
@@ -69,8 +69,10 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
@@ -34434,7 +35349,7 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-@@ -304,3 +318,13 @@
+@@ -304,3 +318,16 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -34448,6 +35363,9 @@
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-11-03 16:14:39.000000000 -0500
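Review bot: The new pattern `/usr/lib(64)?/libav.*\.so(\..*)?` is wider than the FFmpeg libraries it is presumably aimed at, since `libav.*` also matches every other library whose name starts with "libav", for example the Avahi libraries (`libavahi-*.so`). Unless a more specific entry overrides it, those files would be labelled `textrel_shlib_t` as well, which extends the text-relocation exemption to code that does not need it. Naming the intended libraries keeps the exemption narrow: `/usr/lib(64)?/libav(codec|device|filter|format|util).*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The `/usr/lib/sse2/libav.*` line should be narrowed the same way.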
@@ -34598,7 +35516,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-11-03 16:14:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-11-07 08:14:42.000000000 -0500
@@ -4,6 +4,8 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -34618,7 +35536,7 @@
ifdef(`distro_suse', `
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
-@@ -45,10 +50,10 @@
+@@ -45,15 +50,21 @@
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
@@ -34633,8 +35551,10 @@
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
-@@ -57,3 +62,8 @@
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
++/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
@@ -38389,7 +39309,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-11-03 16:14:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-11-03 17:15:11.000000000 -0500
@@ -29,9 +29,14 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.724
retrieving revision 1.725
diff -u -r1.724 -r1.725
--- selinux-policy.spec 3 Nov 2008 22:12:29 -0000 1.724
+++ selinux-policy.spec 13 Nov 2008 19:31:43 -0000 1.725
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 107%{?dist}
+Release: 109%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -382,6 +382,12 @@
%endif
%changelog
+* Thu Nov 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-109
+- Allow openvpn to create /etc/openvpn/ipp.txt
+
+* Tue Nov 5 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-108
+- Add label to /dev/mspblk.*
+
* Mon Nov 3 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-107
- Allow kismet to send signals to itself
- Allow NetworkManager to transition to dnsmasq