rpms/selinux-policy/F-11 policy-20090105.patch, 1.112, 1.113 selinux-policy.spec, 1.849, 1.850

Daniel J Walsh dwalsh at fedoraproject.org
Mon May 4 18:20:52 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30878

Modified Files:
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Fri May 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-27
- Fix /sbin/ip6tables-save context
- Allow udev to transition to mount
- Fix loading of mls policy file


policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -p -r1.112 -r1.113
--- policy-20090105.patch	30 Apr 2009 22:21:52 -0000	1.112
+++ policy-20090105.patch	4 May 2009 18:20:20 -0000	1.113
@@ -655,7 +655,16 @@ diff -b -B --ignore-all-space --exclude-
  	corenet_udp_sendrecv_lo_if(mrtg_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2009-03-12 11:16:47.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/netutils.te	2009-05-04 11:25:11.000000000 -0400
+@@ -50,7 +50,7 @@
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+ 
+ kernel_search_proc(netutils_t)
+-kernel_read_sysctl(netutils_t)
++kernel_read_all_sysctls(netutils_t)
+ 
+ corenet_all_recvfrom_unlabeled(netutils_t)
+ corenet_all_recvfrom_netlabel(netutils_t)
 @@ -152,6 +152,10 @@
  ')
  
@@ -4479,6 +4488,42 @@ diff -b -B --ignore-all-space --exclude-
 +')
 +
 +permissive sambagui_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc
+--- nsaserefpolicy/policy/modules/apps/screen.fc	2008-11-11 16:13:42.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/screen.fc	2009-05-02 07:46:25.000000000 -0400
+@@ -13,3 +13,4 @@
+ #
+ /var/run/screens?/S-[^/]+	-d	gen_context(system_u:object_r:screen_dir_t,s0)
+ /var/run/screens?/S-[^/]+/.*		<<none>>
++/var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if	2009-01-19 11:03:28.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/apps/screen.if	2009-05-04 11:30:29.000000000 -0400
+@@ -165,3 +165,24 @@
+ 		nscd_socket_use($1_screen_t)
+ 	')
+ ')
++
++########################################
++## <summary>
++##	Manage screen var_run files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`screen_manage_var_run',`
++	gen_require(`
++		type screen_var_run_t;
++	')
++
++         manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t)
++         manage_files_pattern($1,screen_var_run_t,screen_var_run_t)
++         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
++         manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te
 --- nsaserefpolicy/policy/modules/apps/uml.te	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/uml.te	2009-04-28 11:42:33.000000000 -0400
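Review bot: The new `/var/run/screen(/.*)?` entry in screen.fc is appended after the existing `/var/run/screens?/S-[^/]+` (`-d`, screen_dir_t) and `/.* <<none>>` entries that share its stem, and since file_contexts resolves ties between same-stem specs in favour of the later entry, as I read libselinux's ordering, a restorecon would relabel the per-user S-* directories and their sockets as screen_var_run_t; confirm that is intended, or place the new line before the two existing ones. In `screen_manage_var_run` the four manage_*_pattern lines are indented with spaces rather than the tab used by the rest of the interface, and the interface does not call `files_search_pids($1)` as manage-var-run interfaces elsewhere in refpolicy commonly do, so a caller that lacks search on var_run_t cannot reach the directory.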
@@ -5913,7 +5958,7 @@ diff -b -B --ignore-all-space --exclude-
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if	2009-05-04 11:25:35.000000000 -0400
 @@ -1197,6 +1197,26 @@
  	')
  
@@ -6039,7 +6084,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te	2009-05-01 13:41:10.000000000 -0400
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -6056,7 +6101,15 @@ diff -b -B --ignore-all-space --exclude-
  # kvmFS
  #
  
-@@ -120,6 +129,10 @@
+@@ -100,6 +109,7 @@
+ genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
+ 
+ type proc_xen_t, proc_type;
++files_mountpoint(proc_xen_t)
+ genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
+ 
+ #
+@@ -120,6 +130,10 @@
  type sysctl_rpc_t, sysctl_type;
  genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
  
@@ -6067,7 +6120,7 @@ diff -b -B --ignore-all-space --exclude-
  # /proc/sys/fs directory and files
  type sysctl_fs_t, sysctl_type;
  files_mountpoint(sysctl_fs_t)
-@@ -160,6 +173,7 @@
+@@ -160,6 +174,7 @@
  #
  type unlabeled_t;
  sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -6075,7 +6128,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -198,6 +212,8 @@
+@@ -198,6 +213,8 @@
  allow kernel_t self:sock_file read_sock_file_perms;
  allow kernel_t self:fd use;
  
@@ -6084,7 +6137,7 @@ diff -b -B --ignore-all-space --exclude-
  allow kernel_t proc_t:dir list_dir_perms;
  allow kernel_t proc_t:file read_file_perms;
  allow kernel_t proc_t:lnk_file read_lnk_file_perms;
-@@ -248,7 +264,8 @@
+@@ -248,7 +265,8 @@
  
  selinux_load_policy(kernel_t)
  
@@ -6094,7 +6147,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -262,6 +279,8 @@
+@@ -262,6 +280,8 @@
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -6103,7 +6156,7 @@ diff -b -B --ignore-all-space --exclude-
  
  mcs_process_set_categories(kernel_t)
  
-@@ -269,12 +288,18 @@
+@@ -269,12 +289,18 @@
  mls_process_write_down(kernel_t)
  mls_file_write_all_levels(kernel_t)
  mls_file_read_all_levels(kernel_t) 
@@ -6122,7 +6175,7 @@ diff -b -B --ignore-all-space --exclude-
  tunable_policy(`read_default_t',`
  	files_list_default(kernel_t)
  	files_read_default_files(kernel_t)
-@@ -356,7 +381,11 @@
+@@ -356,7 +382,11 @@
  ')
  
  optional_policy(`
@@ -6135,7 +6188,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -388,3 +417,7 @@
+@@ -388,3 +418,7 @@
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
  allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
@@ -6257,48 +6310,46 @@ diff -b -B --ignore-all-space --exclude-
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-04-23 09:44:57.000000000 -0400
-@@ -15,156 +15,90 @@
++++ serefpolicy-3.6.12/policy/modules/roles/staff.te	2009-05-02 07:50:07.000000000 -0400
+@@ -15,156 +15,95 @@
  # Local policy
  #
  
 -optional_policy(`
 -	apache_role(staff_r, staff_t)
 -')
--
--optional_policy(`
--	auth_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	auditadm_role_change(staff_r)
--')
 +kernel_read_ring_buffer(staff_t)
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
  
 -optional_policy(`
--	bluetooth_role(staff_r, staff_t)
+-	auth_role(staff_r, staff_t)
 -')
 +auth_domtrans_pam_console(staff_t)
  
 -optional_policy(`
--	cdrecord_role(staff_r, staff_t)
+-	auditadm_role_change(staff_r)
 -')
 +libs_manage_shared_libs(staff_t)
  
 -optional_policy(`
+-	bluetooth_role(staff_r, staff_t)
+-')
+-
+-optional_policy(`
+-	cdrecord_role(staff_r, staff_t)
+-')
+-
+-optional_policy(`
 -	cron_role(staff_r, staff_t)
 -')
 -
 -optional_policy(`
 -	dbus_role_template(staff, staff_r, staff_t)
 -')
-+seutil_run_newrole(staff_t, staff_r)
-+netutils_run_ping(staff_t, staff_r)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	ethereal_role(staff_r, staff_t)
 -')
 -
@@ -6317,8 +6368,10 @@ diff -b -B --ignore-all-space --exclude-
 -optional_policy(`
 -	gnome_role(staff_r, staff_t)
 -')
--
--optional_policy(`
++seutil_run_newrole(staff_t, staff_r)
++netutils_run_ping(staff_t, staff_r)
+ 
+ optional_policy(`
 -	gpg_role(staff_r, staff_t)
 -')
 -
@@ -6332,122 +6385,123 @@ diff -b -B --ignore-all-space --exclude-
 -
 -optional_policy(`
 -	lockdev_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	lpd_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	mozilla_role(staff_r, staff_t)
 +	sudo_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
--	mplayer_role(staff_r, staff_t)
+-	lpd_role(staff_r, staff_t)
 +	auditadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	mta_role(staff_r, staff_t)
+-	mozilla_role(staff_r, staff_t)
 +	kerneloops_manage_tmp_files(staff_t)
  ')
  
  optional_policy(`
--	oident_manage_user_content(staff_t)
--	oident_relabel_user_content(staff_t)
+-	mplayer_role(staff_r, staff_t)
 +	logadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	pyzor_role(staff_r, staff_t)
+-	mta_role(staff_r, staff_t)
 +	secadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	razor_role(staff_r, staff_t)
+-	oident_manage_user_content(staff_t)
+-	oident_relabel_user_content(staff_t)
 +	ssh_role_template(staff, staff_r, staff_t)
  ')
  
  optional_policy(`
--	rssh_role(staff_r, staff_t)
+-	pyzor_role(staff_r, staff_t)
 +	sysadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	screen_role_template(staff, staff_r, staff_t)
+-	razor_role(staff_r, staff_t)
 +	usernetctl_run(staff_t, staff_r)
  ')
  
  optional_policy(`
--	secadm_role_change(staff_r)
+-	rssh_role(staff_r, staff_t)
 +	unconfined_role_change(staff_r)
  ')
  
  optional_policy(`
--	spamassassin_role(staff_r, staff_t)
+-	screen_role_template(staff, staff_r, staff_t)
 +	webadm_role_change(staff_r)
  ')
  
 -optional_policy(`
--	ssh_role_template(staff, staff_r, staff_t)
+-	secadm_role_change(staff_r)
 -')
 +domain_read_all_domains_state(staff_t)
 +domain_getattr_all_domains(staff_t)
 +domain_obj_id_change_exemption(staff_t)
  
 -optional_policy(`
--	su_role_template(staff, staff_r, staff_t)
+-	spamassassin_role(staff_r, staff_t)
 -')
 +files_read_kernel_modules(staff_t)
  
 -optional_policy(`
--	sudo_role_template(staff, staff_r, staff_t)
+-	ssh_role_template(staff, staff_r, staff_t)
 -')
 +kernel_read_fs_sysctls(staff_t)
  
 -optional_policy(`
--	sysadm_role_change(staff_r)
--	userdom_dontaudit_use_user_terminals(staff_t)
+-	su_role_template(staff, staff_r, staff_t)
 -')
 +modutils_read_module_config(staff_t)
 +modutils_read_module_deps(staff_t)
  
 -optional_policy(`
--	thunderbird_role(staff_r, staff_t)
+-	sudo_role_template(staff, staff_r, staff_t)
 -')
 +miscfiles_read_hwdata(staff_t)
  
 -optional_policy(`
--	tvtime_role(staff_r, staff_t)
+-	sysadm_role_change(staff_r)
+-	userdom_dontaudit_use_user_terminals(staff_t)
 -')
 +term_use_unallocated_ttys(staff_t)
  
  optional_policy(`
--	uml_role(staff_r, staff_t)
+-	thunderbird_role(staff_r, staff_t)
 +	gnomeclock_dbus_chat(staff_t)
  ')
  
  optional_policy(`
--	userhelper_role_template(staff, staff_r, staff_t)
+-	tvtime_role(staff_r, staff_t)
 +	kerneloops_dbus_chat(staff_t)
  ')
  
  optional_policy(`
--	vmware_role(staff_r, staff_t)
+-	uml_role(staff_r, staff_t)
 +	rpm_dbus_chat(staff_usertype)
  ')
  
  optional_policy(`
--	wireshark_role(staff_r, staff_t)
+-	userhelper_role_template(staff, staff_r, staff_t)
++	screen_manage_var_run(staff_t)
+ ')
+ 
+ optional_policy(`
+-	vmware_role(staff_r, staff_t)
 +	setroubleshoot_stream_connect(staff_t)
 +	setroubleshoot_dbus_chat(staff_t)
  ')
  
  optional_policy(`
--	xserver_role(staff_r, staff_t)
+-	wireshark_role(staff_r, staff_t)
 +	virt_stream_connect(staff_t)
  ')
+ 
+-optional_policy(`
+-	xserver_role(staff_r, staff_t)
+-')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if	2009-04-23 09:44:57.000000000 -0400
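Review bot: The only net change in this hunk is `+	screen_manage_var_run(staff_t)` in the optional_policy block that replaces `userhelper_role_template`; the rest is the diff re-aligning after the preceding `-6257,48` and `-6317,8` hunks were reshuffled. Granting staff_t create, delete and write on everything under /var/run/screen means the user domain itself, rather than a per-user screen domain from `screen_role_template`, owns the shared pid directory, leaving DAC as the only separation between users' S-* directories. A comment on the new line stating which denial motivates it (presumably screen started directly from a staff_t shell) would help a later reviewer decide whether the per-user domain should hold this instead.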
@@ -12280,7 +12334,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/DeviceKit-disk(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/devicekit.if	2009-05-02 07:48:49.000000000 -0400
 @@ -0,0 +1,197 @@
 +
 +## <summary>policy for devicekit</summary>
@@ -13432,8 +13486,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/libexec/fprintd	--	gen_context(system_u:object_r:fprintd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
 --- nsaserefpolicy/policy/modules/services/fprintd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-04-28 15:26:38.000000000 -0400
-@@ -0,0 +1,22 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-05-01 09:45:48.000000000 -0400
+@@ -0,0 +1,42 @@
 +
 +## <summary>policy for fprintd</summary>
 +
@@ -13456,6 +13510,26 @@ diff -b -B --ignore-all-space --exclude-
 +	domtrans_pattern($1,fprintd_exec_t,fprintd_t)
 +')
 +
++########################################
++## <summary>
++##	Send and receive messages from
++##	fprintd over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fprintd_dbus_chat',`
++	gen_require(`
++		type fprintd_t;
++		class dbus send_msg;
++	')
++
++	allow $1 fprintd_t:dbus send_msg;
++	allow fprintd_t $1:dbus send_msg;
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-04-29 10:10:42.000000000 -0400
@@ -14625,7 +14699,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te
 --- nsaserefpolicy/policy/modules/services/kerneloops.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te	2009-05-01 13:21:26.000000000 -0400
 @@ -13,6 +13,9 @@
  type kerneloops_initrc_exec_t;
  init_script_file(kerneloops_initrc_exec_t)
@@ -14636,13 +14710,15 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # kerneloops local policy
-@@ -23,8 +26,13 @@
+@@ -21,10 +24,14 @@
+ allow kerneloops_t self:capability sys_nice;
+ allow kerneloops_t self:process { setsched getsched signal };
  allow kerneloops_t self:fifo_file rw_file_perms;
- allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
- 
+-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;
++
 +manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
 +files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
-+
+ 
  kernel_read_ring_buffer(kerneloops_t)
  
 +fs_list_inotifyfs(kerneloops_t)
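Review bot: Dropping `allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;` here only stays safe because the following hunk (`@@ -14650,9 +14726,19 @@`) replaces `sysnet_dns_name_resolve(kerneloops_t)` with `auth_use_nsswitch(kerneloops_t)`, which in 3.6.x refpolicy carries the route-socket rule itself; the two edits should be read together, and neither is mentioned in the changelog. If auth_use_nsswitch in this tree does not include the netlink_route_socket allow, glibc name resolution in kerneloops_t will hit an AVC denial again, so it is worth confirming against authlogin.if before shipping.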
@@ -14650,9 +14726,19 @@ diff -b -B --ignore-all-space --exclude-
  # Init script handling
  domain_use_interactive_fds(kerneloops_t)
  
-@@ -46,6 +54,5 @@
- sysnet_dns_name_resolve(kerneloops_t)
+@@ -38,14 +45,13 @@
+ 
+ files_read_etc_files(kerneloops_t)
+ 
++auth_use_nsswitch(kerneloops_t)
++
+ logging_send_syslog_msg(kerneloops_t)
+ logging_read_generic_logs(kerneloops_t)
+ 
+ miscfiles_read_localization(kerneloops_t)
  
+-sysnet_dns_name_resolve(kerneloops_t)
+-
  optional_policy(`
 -	dbus_system_bus_client(kerneloops_t)
 -	dbus_connect_system_bus(kerneloops_t)
@@ -20431,7 +20517,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-03-20 12:39:39.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te	2009-05-04 12:28:35.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -20441,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-
  
  rpc_domain_template(gssd)
  
-@@ -74,21 +74,31 @@
+@@ -74,21 +74,33 @@
  
  files_manage_mounttab(rpcd_t)
  
@@ -20451,6 +20537,8 @@ diff -b -B --ignore-all-space --exclude-
  fs_read_rpc_symlinks(rpcd_t)
  fs_rw_rpc_sockets(rpcd_t) 
  
++storage_getattr_fixed_disk_dev(rpcd_t)
++
 +kernel_signal(rpcd_t) 
 +
  selinux_dontaudit_read_fs(rpcd_t)
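Review bot: `storage_getattr_fixed_disk_dev(rpcd_t)` is added without a comment, and the hunk gives no hint whether rpc.mountd or rpc.statd actually need device attributes or merely stat devices while walking /dev; nfsd_t two hunks down uses `storage_dontaudit_read_fixed_disk(nfsd_t)` for the equivalent noise. If this is only silencing an AVC from a stat of a block device, the dontaudit form keeps the grant out of the allow set; either way a comment above the line naming the process and device path from the AVC that motivated it (`# <process> getattr on <device> — see <bug>`) would record the reason. This change is also absent from the changelog.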
@@ -20473,7 +20561,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # NFSD local policy
-@@ -116,8 +126,9 @@
+@@ -116,8 +128,9 @@
  # for exportfs and rpc.mountd
  files_getattr_tmp_dirs(nfsd_t) 
  # cjp: this should really have its own type
@@ -20484,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
  fs_getattr_all_fs(nfsd_t) 
-@@ -125,6 +136,7 @@
+@@ -125,6 +138,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -20492,7 +20580,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -141,6 +153,7 @@
+@@ -141,6 +155,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -20500,7 +20588,7 @@ diff -b -B --ignore-all-space --exclude-
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -175,6 +188,7 @@
+@@ -175,6 +190,7 @@
  
  corecmd_exec_bin(gssd_t)
  
@@ -20508,7 +20596,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_list_rpc(gssd_t) 
  fs_rw_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
-@@ -183,9 +197,12 @@
+@@ -183,9 +199,12 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -25914,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if	2009-05-01 09:46:46.000000000 -0400
 @@ -43,20 +43,38 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -25962,7 +26050,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	init_rw_utmp($1)
  
-@@ -100,11 +119,40 @@
+@@ -100,9 +119,42 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -25975,16 +26063,16 @@ diff -b -B --ignore-all-space --exclude-
 +
 +	optional_policy(`
 +		afs_rw_udp_sockets($1)
-+	')
+ 	')
 +
 +	optional_policy(`
 +		dbus_system_bus_client($1)
 +		optional_policy(`
 +			oddjob_dbus_chat($1)
 +			oddjob_domtrans_mkhomedir($1)
- 	')
- ')
- 
++	')
++')
++
 +	optional_policy(`
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
@@ -25992,6 +26080,10 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +
 +	optional_policy(`
++		fprintd_dbus_chat($1)
++	')
++
++	optional_policy(`
 +		nis_authenticate($1)
 +	')
 +
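Review bot: The new optional_policy block calling `fprintd_dbus_chat($1)` in auth_login_pgm_domain sits beside, not inside, the optional block that grants `dbus_system_bus_client($1)`, unlike the oddjob chat earlier in the same interface which is nested under it; the send_msg rules are only useful with system bus access, so nesting keeps the dependency explicit and matches the interface's existing layout. This also gives every login-program domain, and fprintd_t in return, bidirectional dbus send_msg, which is broader than one PAM stack and is not in the changelog. The interface body continues outside the hunk.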
@@ -26000,12 +26092,10 @@ diff -b -B --ignore-all-space --exclude-
 +		userdom_read_user_home_content_files($1)
 +	')
 +
-+')
-+
+ ')
+ 
  ########################################
- ## <summary>
- ##	Use the login program as an entry point program.
-@@ -197,8 +245,11 @@
+@@ -197,8 +249,11 @@
  interface(`auth_domtrans_chk_passwd',`
  	gen_require(`
  		type chkpwd_t, chkpwd_exec_t, shadow_t;
@@ -26017,7 +26107,7 @@ diff -b -B --ignore-all-space --exclude-
  	corecmd_search_bin($1)
  	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
  
-@@ -207,19 +258,16 @@
+@@ -207,19 +262,16 @@
  	dev_read_rand($1)
  	dev_read_urand($1)
  
@@ -26042,7 +26132,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  
  	optional_policy(`
-@@ -230,6 +278,29 @@
+@@ -230,6 +282,29 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -26072,7 +26162,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -254,6 +325,7 @@
+@@ -254,6 +329,7 @@
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -26080,7 +26170,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -650,7 +722,7 @@
+@@ -650,7 +726,7 @@
  
  ########################################
  ## <summary>
@@ -26089,7 +26179,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1031,6 +1103,32 @@
+@@ -1031,6 +1107,32 @@
  
  ########################################
  ## <summary>
@@ -26122,7 +26212,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Manage all files on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1297,6 +1395,14 @@
+@@ -1297,6 +1399,14 @@
  	')
  
  	optional_policy(`
@@ -26137,7 +26227,7 @@ diff -b -B --ignore-all-space --exclude-
  		nis_use_ypbind($1)
  	')
  
-@@ -1305,8 +1411,13 @@
+@@ -1305,8 +1415,13 @@
  	')
  
  	optional_policy(`
@@ -26151,7 +26241,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -1341,3 +1452,99 @@
+@@ -1341,3 +1456,99 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -27102,9 +27192,9 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_urand(racoon_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc	2009-04-30 08:29:56.000000000 -0400
-@@ -1,9 +1,11 @@
- /sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
++++ serefpolicy-3.6.12/policy/modules/system/iptables.fc	2009-04-30 18:57:54.000000000 -0400
+@@ -1,9 +1,10 @@
+-/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/sbin/iptables.* 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
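Review bot: The patch now deletes the upstream `/sbin/ip6tables.*	--` catch-all (the line that became `+-`) while the replacement `/sbin/ip6?tables		--` matches only the bare binary, so any `/sbin/ip6tables-*` name not covered by an entry further down this file, outside the hunk, falls back to whatever the generic /sbin entry assigns (bin_t in refpolicy's corecommands.fc). The changelog entry for ip6tables-save suggests those entries exist; running `matchpathcon /sbin/ip6tables-save /sbin/ip6tables-restore` against the built file_contexts would confirm it, since the rest of the hunk is not visible here.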
@@ -29523,7 +29613,7 @@ diff -b -B --ignore-all-space --exclude-
  	xen_append_log(ifconfig_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-04-07 15:53:36.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/udev.te	2009-05-04 14:18:49.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29560,7 +29650,18 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -242,6 +250,10 @@
+@@ -228,6 +236,10 @@
+ ')
+ 
+ optional_policy(`
++	mount_domtrans(udev_t)
++')
++
++optional_policy(`
+ 	openct_read_pid_files(udev_t)
+ 	openct_domtrans(udev_t)
+ ')
+@@ -242,6 +254,10 @@
  ')
  
  optional_policy(`
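Review bot: `mount_domtrans(udev_t)` lets any udev rule that execs a mount_exec_t binary land in the full mount_t domain, which by design is the domain that mounts filesystems; the changelog says udev may transition to mount but not which rule or device needs it, and the policy carries no comment either. A one-line comment above the call naming the rule (`# udev rule <rule-file> runs mount for <device class>`) would let a later maintainer judge whether a narrower grant suffices, and a udev-to-privileged-domain transition is worth recording in the changelog with its reason. The udev_t optional blocks continue outside the hunk.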


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.849
retrieving revision 1.850
diff -u -p -r1.849 -r1.850
--- selinux-policy.spec	30 Apr 2009 22:21:53 -0000	1.849
+++ selinux-policy.spec	4 May 2009 18:20:22 -0000	1.850
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -165,11 +165,6 @@ if [ -s /etc/selinux/config ]; then \
 	fi \
 fi
 
-%define loadminpolicy() \
-( cd /usr/share/selinux/%1; \
-semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \
-); \
-
 %define loadpolicy() \
 ( cd /usr/share/selinux/%1; \
 semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \
@@ -351,12 +346,12 @@ echo $packages
 }
 
 if [ $1 -eq 1 ]; then
-   packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+   packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2"
    %loadpolicy targeted $packages
    restorecon -R /root /var/log /var/run 2> /dev/null
 else
    semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
-   packages=`get_unconfined $(semodule -l)`
+   packages="%{expand:%%moduleList targeted} `get_unconfined $(semodule -l)`"
    %loadpolicy targeted $packages
    %relabel targeted
 fi
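Review bot: With `%loadpolicy` still defined (context in the `@@ -165,11 +165,6 @@` hunk above) as `semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1`, the new `packages="%{expand:%%moduleList targeted} ..."` puts the whole module list on the semodule command line twice, once from the macro and once via `%2`; the same doubling appears in the olpc (`@@ -435,7 +431,8 @@`) and mls (`@@ -466,7 +463,8 @@`) hunks. Unless `%moduleList` expands differently in the two positions, what actually fixes the mls case is replacing the literal `""` second argument with an unquoted shell variable, and `packages="unconfined.pp.bz2 unconfineduser.pp.bz2"` for targeted or `packages=""` for mls would achieve that without naming every module twice; confirm which semodule versions tolerate a repeated module on `-i` before relying on it.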
@@ -402,7 +397,8 @@ SELinux Reference policy minimum base mo
 
 %post minimum
 if [ $1 -eq 1 ]; then
-%loadminpolicy minimum
+packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy minimum $packages
 semanage -S minimum -i - << __eof
 login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
 login -m  -s unconfined_u -r s0-s0:c0.c1023 root
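Review bot: Replacing `%loadminpolicy minimum` with `%loadpolicy minimum $packages` changes what `%post minimum` installs: loadminpolicy (deleted in the `@@ -165,11 +165,6 @@` hunk) ran `semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2`, whereas loadpolicy prepends `%{expand:%%moduleList minimum}` to the `-i` list, so every module in that list is now loaded on a fresh minimum install unless the list expands to nothing for minimum. If the minimum variant is meant to stay base plus the two unconfined modules, the old macro should be kept or loadpolicy given a way to skip the list; if loading the list is intended, it deserves its own changelog line, since "Fix loading of mls policy file" does not cover it.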
@@ -435,7 +431,8 @@ SELinux Reference policy olpc base modul
 %saveFileContext olpc
 
 %post olpc 
-%loadpolicy olpc ""
+packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy olpc $packages
 
 if [ $1 -ne 1 ]; then
 %relabel olpc
@@ -466,7 +463,8 @@ SELinux Reference policy mls base module
 
 %post mls 
 semodule -n -s mls -r mailscanner 2>/dev/null
-%loadpolicy mls ""
+packages="%{expand:%%moduleList mls}"
+%loadpolicy mls $packages
 
 if [ $1 != 1 ]; then
 %relabel mls
@@ -480,6 +478,11 @@ exit 0
 %endif
 
 %changelog
+* Fri May 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-27
+- Fix /sbin/ip6tables-save context
+- Allod udev to transition to mount
+- Fix loading of mls policy file
+
 * Thu Apr 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-26
 - Add shorewall policy
 



