rpms/selinux-policy/F-13 modules-minimum.conf, 1.67, 1.68 modules-mls.conf, 1.80, 1.81 modules-targeted.conf, 1.176, 1.177 policy-F13.patch, 1.127, 1.128 selinux-policy.spec, 1.1029, 1.1030

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jun 15 16:48:46 UTC 2010


Author: mgrepl

Update of /cvs/pkgs/rpms/selinux-policy/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv20573

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-F13.patch selinux-policy.spec 
Log Message:
- Allow abrt sigkill
- Add ncftool policy
- Add cluster fixes
- Fixes for audisp-remote




Index: modules-minimum.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/modules-minimum.conf,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -p -r1.67 -r1.68
--- modules-minimum.conf	14 Jun 2010 18:34:41 -0000	1.67
+++ modules-minimum.conf	15 Jun 2010 16:48:45 -0000	1.68
@@ -1074,6 +1074,13 @@ mysql = module
 nagios = module
 
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#   
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities


Index: modules-mls.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/modules-mls.conf,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -p -r1.80 -r1.81
--- modules-mls.conf	1 Jun 2010 15:56:40 -0000	1.80
+++ modules-mls.conf	15 Jun 2010 16:48:45 -0000	1.81
@@ -1012,6 +1012,13 @@ mysql = module
 nagios = module
 
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+#   
+ncftool = module
+
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/modules-targeted.conf,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -p -r1.176 -r1.177
--- modules-targeted.conf	14 Jun 2010 18:34:41 -0000	1.176
+++ modules-targeted.conf	15 Jun 2010 16:48:45 -0000	1.177
@@ -1074,6 +1074,13 @@ mysql = module
 nagios = module
 
 # Layer: admin
+# Module: ncftool
+#
+# Tool to modify the network configuration of a system
+# 
+ncftool = module
+ 
+# Layer: admin
 # Module: netutils
 #
 # Network analysis utilities

policy-F13.patch:
 Makefile                                  |    2 
 policy/global_tunables                    |   24 
 policy/mls                                |    2 
 policy/modules/admin/accountsd.fc         |    4 
 policy/modules/admin/accountsd.if         |  164 ++
 policy/modules/admin/accountsd.te         |   64 +
 policy/modules/admin/acct.te              |    1 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    4 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.if       |    3 
 policy/modules/admin/consoletype.te       |    3 
 policy/modules/admin/dmesg.te             |    5 
 policy/modules/admin/firstboot.te         |    7 
 policy/modules/admin/kismet.te            |    1 
 policy/modules/admin/logrotate.te         |   42 
 policy/modules/admin/logwatch.fc          |    6 
 policy/modules/admin/mcelog.te            |    2 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/ncftool.fc           |    2 
 policy/modules/admin/ncftool.if           |   74 +
 policy/modules/admin/ncftool.te           |   78 +
 policy/modules/admin/netutils.fc          |    2 
 policy/modules/admin/netutils.if          |    1 
 policy/modules/admin/netutils.te          |   24 
 policy/modules/admin/prelink.fc           |    4 
 policy/modules/admin/prelink.if           |   28 
 policy/modules/admin/prelink.te           |   79 +
 policy/modules/admin/quota.te             |    1 
 policy/modules/admin/readahead.te         |    4 
 policy/modules/admin/rpm.fc               |   21 
 policy/modules/admin/rpm.if               |  387 +++++++
 policy/modules/admin/rpm.te               |  110 +-
 policy/modules/admin/shorewall.te         |    7 
 policy/modules/admin/shutdown.fc          |    5 
 policy/modules/admin/shutdown.if          |  136 ++
 policy/modules/admin/shutdown.te          |   63 +
 policy/modules/admin/su.if                |   11 
 policy/modules/admin/sudo.if              |   12 
 policy/modules/admin/tmpreaper.te         |   24 
 policy/modules/admin/usermanage.if        |   20 
 policy/modules/admin/usermanage.te        |   24 
 policy/modules/admin/vbetool.te           |    6 
 policy/modules/admin/vpn.if               |   20 
 policy/modules/admin/vpn.te               |    8 
 policy/modules/apps/chrome.fc             |    3 
 policy/modules/apps/chrome.if             |   90 +
 policy/modules/apps/chrome.te             |   86 +
 policy/modules/apps/cpufreqselector.te    |    4 
 policy/modules/apps/execmem.fc            |   47 
 policy/modules/apps/execmem.if            |  110 ++
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |   23 
 policy/modules/apps/firewallgui.te        |   66 +
 policy/modules/apps/gitosis.fc            |    2 
 policy/modules/apps/gitosis.if            |    2 
 policy/modules/apps/gitosis.te            |    7 
 policy/modules/apps/gnome.fc              |   24 
 policy/modules/apps/gnome.if              |  438 +++++++-
 policy/modules/apps/gnome.te              |  118 ++
 policy/modules/apps/gpg.fc                |    1 
 policy/modules/apps/gpg.if                |  114 ++
 policy/modules/apps/gpg.te                |  157 ++
 policy/modules/apps/irc.fc                |    7 
 policy/modules/apps/irc.if                |   37 
 policy/modules/apps/irc.te                |  104 +
 policy/modules/apps/java.fc               |    7 
 policy/modules/apps/java.if               |    4 
 policy/modules/apps/java.te               |    9 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   68 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |  127 ++
 policy/modules/apps/livecd.te             |   34 
 policy/modules/apps/loadkeys.if           |    3 
 policy/modules/apps/loadkeys.te           |    6 
 policy/modules/apps/mono.if               |    5 
 policy/modules/apps/mozilla.fc            |    2 
 policy/modules/apps/mozilla.if            |   62 +
 policy/modules/apps/mozilla.te            |   22 
 policy/modules/apps/mplayer.if            |   36 
 policy/modules/apps/mplayer.te            |   29 
 policy/modules/apps/nsplugin.fc           |   10 
 policy/modules/apps/nsplugin.if           |  391 +++++++
 policy/modules/apps/nsplugin.te           |  297 +++++
 policy/modules/apps/openoffice.fc         |    4 
 policy/modules/apps/openoffice.if         |  129 ++
 policy/modules/apps/openoffice.te         |   17 
 policy/modules/apps/podsleuth.te          |    3 
 policy/modules/apps/pulseaudio.if         |   57 +
 policy/modules/apps/pulseaudio.te         |   11 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |   84 +
 policy/modules/apps/qemu.te               |   11 
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   66 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  314 +++++
 policy/modules/apps/sandbox.te            |  386 +++++++
 policy/modules/apps/seunshare.if          |   78 -
 policy/modules/apps/seunshare.te          |   35 
 policy/modules/apps/slocate.te            |    4 
 policy/modules/apps/telepathysofiasip.fc  |    2 
 policy/modules/apps/telepathysofiasip.if  |   69 +
 policy/modules/apps/telepathysofiasip.te  |   45 
 policy/modules/apps/userhelper.fc         |    1 
 policy/modules/apps/userhelper.if         |   56 +
 policy/modules/apps/userhelper.te         |   42 
 policy/modules/apps/vmware.if             |   19 
 policy/modules/apps/vmware.te             |   14 
 policy/modules/apps/wine.fc               |    1 
 policy/modules/apps/wine.if               |   11 
 policy/modules/apps/wine.te               |   22 
 policy/modules/apps/wm.if                 |   16 
 policy/modules/kernel/corecommands.fc     |   34 
 policy/modules/kernel/corecommands.if     |    2 
 policy/modules/kernel/corenetwork.te.in   |   37 
 policy/modules/kernel/devices.fc          |    9 
 policy/modules/kernel/devices.if          |  214 +++
 policy/modules/kernel/devices.te          |   18 
 policy/modules/kernel/domain.if           |   63 +
 policy/modules/kernel/domain.te           |  112 ++
 policy/modules/kernel/files.fc            |   27 
 policy/modules/kernel/files.if            |  653 +++++++++++
 policy/modules/kernel/files.te            |   15 
 policy/modules/kernel/filesystem.if       |  296 ++++-
 policy/modules/kernel/filesystem.te       |   11 
 policy/modules/kernel/kernel.if           |  107 +
 policy/modules/kernel/kernel.te           |   36 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |   22 
 policy/modules/kernel/terminal.if         |   29 
 policy/modules/roles/auditadm.te          |    3 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/secadm.te            |    2 
 policy/modules/roles/staff.te             |  118 ++
 policy/modules/roles/sysadm.te            |  102 +
 policy/modules/roles/unconfineduser.fc    |   10 
 policy/modules/roles/unconfineduser.if    |  667 ++++++++++++
 policy/modules/roles/unconfineduser.te    |  443 ++++++++
 policy/modules/roles/unprivuser.te        |   23 
 policy/modules/roles/xguest.te            |   79 +
 policy/modules/services/abrt.fc           |   18 
 policy/modules/services/abrt.if           |  208 +++
 policy/modules/services/abrt.te           |  167 ++-
 policy/modules/services/afs.te            |    5 
 policy/modules/services/aiccu.fc          |    6 
 policy/modules/services/aiccu.if          |  118 ++
 policy/modules/services/aiccu.te          |   71 +
 policy/modules/services/aisexec.fc        |   10 
 policy/modules/services/aisexec.if        |  106 +
 policy/modules/services/aisexec.te        |  114 ++
 policy/modules/services/apache.fc         |   18 
 policy/modules/services/apache.if         |  221 +++-
 policy/modules/services/apache.te         |  234 +++-
 policy/modules/services/apcupsd.te        |    4 
 policy/modules/services/arpwatch.te       |    4 
 policy/modules/services/asterisk.if       |   19 
 policy/modules/services/asterisk.te       |   45 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/avahi.if          |    1 
 policy/modules/services/avahi.te          |    4 
 policy/modules/services/bitlbee.te        |    7 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/boinc.fc          |    6 
 policy/modules/services/boinc.if          |  151 ++
 policy/modules/services/boinc.te          |   97 +
 policy/modules/services/bugzilla.fc       |    4 
 policy/modules/services/bugzilla.if       |   39 
 policy/modules/services/bugzilla.te       |   57 +
 policy/modules/services/cachefilesd.fc    |   29 
 policy/modules/services/cachefilesd.if    |   41 
 policy/modules/services/cachefilesd.te    |  147 ++
 policy/modules/services/ccs.te            |   10 
 policy/modules/services/certmonger.fc     |    6 
 policy/modules/services/certmonger.if     |  217 +++
 policy/modules/services/certmonger.te     |   75 +
 policy/modules/services/cgroup.fc         |   12 
 policy/modules/services/cgroup.if         |  243 ++++
 policy/modules/services/cgroup.te         |  102 +
 policy/modules/services/chronyd.if        |   77 +
 policy/modules/services/chronyd.te        |   10 
 policy/modules/services/clamav.te         |   21 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   82 +
 policy/modules/services/clogd.te          |   65 +
 policy/modules/services/cmirrord.fc       |    6 
 policy/modules/services/cmirrord.if       |  118 ++
 policy/modules/services/cmirrord.te       |   63 +
 policy/modules/services/cobbler.if        |    4 
 policy/modules/services/cobbler.te        |   14 
 policy/modules/services/consolekit.fc     |    4 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   42 
 policy/modules/services/corosync.fc       |   15 
 policy/modules/services/corosync.if       |  108 +
 policy/modules/services/corosync.te       |  120 ++
 policy/modules/services/cron.fc           |    6 
 policy/modules/services/cron.if           |  101 +
 policy/modules/services/cron.te           |  100 +
 policy/modules/services/cups.fc           |   15 
 policy/modules/services/cups.te           |   68 +
 policy/modules/services/cvs.te            |    2 
 policy/modules/services/cyrus.te          |    2 
 policy/modules/services/dbus.if           |  107 +
 policy/modules/services/dbus.te           |   21 
 policy/modules/services/denyhosts.fc      |    7 
 policy/modules/services/denyhosts.if      |   87 +
 policy/modules/services/denyhosts.te      |   76 +
 policy/modules/services/devicekit.fc      |    8 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |  101 +
 policy/modules/services/dhcp.te           |    4 
 policy/modules/services/djbdns.if         |   38 
 policy/modules/services/djbdns.te         |    8 
 policy/modules/services/dnsmasq.fc        |    2 
 policy/modules/services/dnsmasq.if        |    4 
 policy/modules/services/dnsmasq.te        |   22 
 policy/modules/services/dovecot.fc        |    6 
 policy/modules/services/dovecot.te        |   48 
 policy/modules/services/exim.fc           |    3 
 policy/modules/services/exim.if           |   61 +
 policy/modules/services/exim.te           |    3 
 policy/modules/services/fail2ban.if       |   20 
 policy/modules/services/fprintd.te        |    2 
 policy/modules/services/ftp.fc            |    2 
 policy/modules/services/ftp.if            |   38 
 policy/modules/services/ftp.te            |  179 +++
 policy/modules/services/git.fc            |    9 
 policy/modules/services/git.if            |  526 +++++++++
 policy/modules/services/git.te            |  190 +++
 policy/modules/services/gnomeclock.if     |   21 
 policy/modules/services/gpsd.te           |    5 
 policy/modules/services/hal.if            |   22 
 policy/modules/services/hal.te            |   38 
 policy/modules/services/icecast.te        |    6 
 policy/modules/services/inn.te            |    1 
 policy/modules/services/kerberos.if       |    6 
 policy/modules/services/kerberos.te       |    8 
 policy/modules/services/ksmtuned.fc       |    2 
 policy/modules/services/ksmtuned.te       |   11 
 policy/modules/services/ldap.fc           |    5 
 policy/modules/services/ldap.if           |   81 +
 policy/modules/services/ldap.te           |   13 
 policy/modules/services/lircd.te          |   23 
 policy/modules/services/milter.if         |   20 
 policy/modules/services/milter.te         |    8 
 policy/modules/services/modemmanager.te   |    9 
 policy/modules/services/mpd.fc            |   10 
 policy/modules/services/mpd.if            |  295 +++++
 policy/modules/services/mpd.te            |  111 ++
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   68 +
 policy/modules/services/mta.te            |   25 
 policy/modules/services/munin.fc          |   58 +
 policy/modules/services/munin.if          |   66 +
 policy/modules/services/munin.te          |  175 +++
 policy/modules/services/mysql.te          |    3 
 policy/modules/services/nagios.fc         |   83 +
 policy/modules/services/nagios.if         |  160 ++
 policy/modules/services/nagios.te         |  294 ++++-
 policy/modules/services/networkmanager.fc |   20 
 policy/modules/services/networkmanager.if |  126 ++
 policy/modules/services/networkmanager.te |  127 +-
 policy/modules/services/nis.fc            |   10 
 policy/modules/services/nis.if            |   81 +
 policy/modules/services/nis.te            |   23 
 policy/modules/services/nscd.if           |   20 
 policy/modules/services/nscd.te           |   29 
 policy/modules/services/nslcd.te          |    2 
 policy/modules/services/ntop.te           |   32 
 policy/modules/services/ntp.te            |    3 
 policy/modules/services/nut.te            |    4 
 policy/modules/services/nx.fc             |   12 
 policy/modules/services/nx.if             |   67 +
 policy/modules/services/nx.te             |   13 
 policy/modules/services/oddjob.fc         |    1 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/oddjob.te         |    5 
 policy/modules/services/oident.te         |    1 
 policy/modules/services/openvpn.te        |    7 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/piranha.fc        |   21 
 policy/modules/services/piranha.if        |  175 +++
 policy/modules/services/piranha.te        |  187 +++
 policy/modules/services/plymouthd.fc      |    9 
 policy/modules/services/plymouthd.if      |  322 +++++
 policy/modules/services/plymouthd.te      |  109 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   71 +
 policy/modules/services/policykit.te      |   86 +
 policy/modules/services/portreserve.fc    |    3 
 policy/modules/services/portreserve.if    |   55 +
 policy/modules/services/portreserve.te    |    3 
 policy/modules/services/postfix.fc        |    3 
 policy/modules/services/postfix.if        |  282 ++++-
 policy/modules/services/postfix.te        |  154 ++
 policy/modules/services/ppp.te            |    4 
 policy/modules/services/procmail.fc       |    2 
 policy/modules/services/procmail.te       |   26 
 policy/modules/services/psad.te           |    1 
 policy/modules/services/puppet.te         |    2 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/qpidd.fc          |    9 
 policy/modules/services/qpidd.if          |  236 ++++
 policy/modules/services/qpidd.te          |   61 +
 policy/modules/services/radius.te         |    2 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |   10 
 policy/modules/services/rgmanager.if      |  141 ++
 policy/modules/services/rgmanager.te      |  223 ++++
 policy/modules/services/rhcs.fc           |   23 
 policy/modules/services/rhcs.if           |  415 +++++++
 policy/modules/services/rhcs.te           |  243 ++++
 policy/modules/services/ricci.fc          |    3 
 policy/modules/services/ricci.if          |   62 +
 policy/modules/services/ricci.te          |   42 
 policy/modules/services/rlogin.fc         |    3 
 policy/modules/services/rlogin.te         |    1 
 policy/modules/services/rpc.if            |   21 
 policy/modules/services/rpc.te            |   15 
 policy/modules/services/rpcbind.te        |    4 
 policy/modules/services/rsync.if          |    4 
 policy/modules/services/rsync.te          |   26 
 policy/modules/services/rtkit.if          |   21 
 policy/modules/services/rtkit.te          |    4 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  138 ++
 policy/modules/services/samba.te          |  123 +-
 policy/modules/services/sasl.te           |    3 
 policy/modules/services/sendmail.fc       |    2 
 policy/modules/services/sendmail.if       |   84 +
 policy/modules/services/sendmail.te       |   20 
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  124 ++
 policy/modules/services/setroubleshoot.te |   91 +
 policy/modules/services/smartmon.te       |    2 
 policy/modules/services/smokeping.te      |    2 
 policy/modules/services/snmp.te           |    3 
 policy/modules/services/snort.te          |    4 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |  107 +
 policy/modules/services/spamassassin.te   |  141 ++
 policy/modules/services/squid.te          |   21 
 policy/modules/services/ssh.fc            |    6 
 policy/modules/services/ssh.if            |  158 ++
 policy/modules/services/ssh.te            |   56 -
 policy/modules/services/sssd.te           |    3 
 policy/modules/services/sysstat.te        |    4 
 policy/modules/services/tgtd.te           |    6 
 policy/modules/services/tor.te            |    3 
 policy/modules/services/tuned.te          |    5 
 policy/modules/services/ucspitcp.te       |    5 
 policy/modules/services/usbmuxd.fc        |    2 
 policy/modules/services/varnishd.if       |   19 
 policy/modules/services/vhostmd.te        |    2 
 policy/modules/services/virt.fc           |    6 
 policy/modules/services/virt.if           |   59 -
 policy/modules/services/virt.te           |   95 +
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   61 -
 policy/modules/services/xserver.if        |  456 ++++++++
 policy/modules/services/xserver.te        |  425 ++++++-
 policy/modules/system/application.te      |   16 
 policy/modules/system/authlogin.fc        |    1 
 policy/modules/system/authlogin.if        |   56 -
 policy/modules/system/daemontools.if      |   62 +
 policy/modules/system/daemontools.te      |   26 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |   12 
 policy/modules/system/getty.te            |    2 
 policy/modules/system/hostname.te         |    7 
 policy/modules/system/init.fc             |    3 
 policy/modules/system/init.if             |  148 ++
 policy/modules/system/init.te             |  213 +++
 policy/modules/system/ipsec.te            |   17 
 policy/modules/system/iptables.fc         |    7 
 policy/modules/system/iptables.if         |    4 
 policy/modules/system/iptables.te         |   21 
 policy/modules/system/iscsi.if            |   18 
 policy/modules/system/iscsi.te            |    2 
 policy/modules/system/libraries.fc        |  152 ++
 policy/modules/system/libraries.te        |    8 
 policy/modules/system/locallogin.te       |   40 
 policy/modules/system/logging.fc          |   16 
 policy/modules/system/logging.if          |   43 
 policy/modules/system/logging.te          |   33 
 policy/modules/system/lvm.fc              |    2 
 policy/modules/system/lvm.if              |    2 
 policy/modules/system/lvm.te              |   21 
 policy/modules/system/miscfiles.fc        |    2 
 policy/modules/system/miscfiles.if        |    3 
 policy/modules/system/modutils.if         |    1 
 policy/modules/system/modutils.te         |   14 
 policy/modules/system/mount.fc            |    8 
 policy/modules/system/mount.if            |  163 ++
 policy/modules/system/mount.te            |  153 ++
 policy/modules/system/raid.te             |    1 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  330 ++++++
 policy/modules/system/selinuxutil.te      |  246 +---
 policy/modules/system/setrans.te          |    1 
 policy/modules/system/sosreport.fc        |    2 
 policy/modules/system/sosreport.if        |  131 ++
 policy/modules/system/sosreport.te        |  155 ++
 policy/modules/system/sysnetwork.fc       |    2 
 policy/modules/system/sysnetwork.if       |  171 ++-
 policy/modules/system/sysnetwork.te       |   30 
 policy/modules/system/udev.fc             |    1 
 policy/modules/system/udev.if             |   19 
 policy/modules/system/udev.te             |   13 
 policy/modules/system/unconfined.fc       |   14 
 policy/modules/system/unconfined.if       |  440 --------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |   11 
 policy/modules/system/userdomain.if       | 1641 ++++++++++++++++++++++++------
 policy/modules/system/userdomain.te       |   54 
 policy/modules/system/xen.if              |    3 
 policy/modules/system/xen.te              |   14 
 policy/support/misc_patterns.spt          |    8 
 policy/support/obj_perm_sets.spt          |   38 
 policy/users                              |   17 
 430 files changed, 24508 insertions(+), 2161 deletions(-)

Index: policy-F13.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/policy-F13.patch,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -p -r1.127 -r1.128
--- policy-F13.patch	14 Jun 2010 18:34:41 -0000	1.127
+++ policy-F13.patch	15 Jun 2010 16:48:45 -0000	1.128
@@ -383,7 +383,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.19/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te	2010-06-01 14:04:47.354160745 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/consoletype.te	2010-06-15 07:03:31.488859559 +0200
 @@ -10,7 +10,6 @@
  type consoletype_exec_t;
  application_executable_file(consoletype_exec_t)
@@ -392,11 +392,12 @@ diff --exclude-from=exclude -N -u -r nsa
  role system_r types consoletype_t;
  
  ########################################
-@@ -85,6 +84,7 @@
+@@ -85,6 +84,8 @@
  	hal_dontaudit_use_fds(consoletype_t)
  	hal_dontaudit_rw_pipes(consoletype_t)
  	hal_dontaudit_rw_dgram_sockets(consoletype_t)
 +	hal_dontaudit_write_log(consoletype_t)
++	hal_dontaudit_read_pid_files(consoletype_t)
  ')
  
  optional_policy(`
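Review bot: The added `hal_dontaudit_read_pid_files(consoletype_t)` hides a denial without recording why it occurs, and neither the hunk nor the log message says which access triggers it. A dontaudit rule removes the AVC from the audit log, so any later unexpected read of hal's pid files from consoletype_t would also go unrecorded. I would add a one-line comment above the call, e.g. `# dontaudit: <what triggers the read / bug reference>`. The enclosing optional_policy block opens outside this hunk, so I cannot see whether it already carries such a comment.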
@@ -602,6 +603,172 @@ diff --exclude-from=exclude -N -u -r nsa
  
  netutils_domtrans_ping(mrtg_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.fc serefpolicy-3.7.19/policy/modules/admin/ncftool.fc
+--- nsaserefpolicy/policy/modules/admin/ncftool.fc	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.fc	2010-06-15 18:40:03.048768063 +0200
+@@ -0,0 +1,2 @@
++
++/usr/bin/ncftool                --      gen_context(system_u:object_r:ncftool_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.7.19/policy/modules/admin/ncftool.if
+--- nsaserefpolicy/policy/modules/admin/ncftool.if	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if	2010-06-15 18:40:03.049767991 +0200
+@@ -0,0 +1,74 @@
++
++## <summary>policy for ncftool</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run ncftool.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ncftool_domtrans',`
++	gen_require(`
++		type ncftool_t, ncftool_exec_t;
++	')
++
++	domtrans_pattern($1, ncftool_exec_t, ncftool_t)
++')
++
++########################################
++## <summary>
++##	Execute ncftool in the ncftool domain, and
++##	allow the specified role the ncftool domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the ncftool domain.
++##	</summary>
++## </param>
++#
++interface(`ncftool_run',`
++	gen_require(`
++		type ncftool_t;
++	')
++
++	ncftool_domtrans($1)
++	role $2 types ncftool_t;
++')
++
++########################################
++## <summary>
++##	Role access for ncftool
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`ncftool_role',`
++	gen_require(`
++              type ncftool_t;
++	')
++
++	role $1 types ncftool_t;
++
++	ncftool_domtrans($2)
++
++	ps_process_pattern($2, ncftool_t)
++	allow $2 ncftool_t:process signal;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te
+--- nsaserefpolicy/policy/modules/admin/ncftool.te	1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te	2010-06-15 18:46:57.405767946 +0200
+@@ -0,0 +1,78 @@
++
++policy_module(ncftool,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ncftool_t;
++type ncftool_exec_t;
++application_domain(ncftool_t, ncftool_exec_t)
++domain_obj_id_change_exemption(ncftool_t)
++domain_system_change_exemption(ncftool_t)
++role system_r types ncftool_t;
++
++permissive ncftool_t;
++
++########################################
++#
++# ncftool local policy
++#
++
++allow ncftool_t self:capability { net_admin sys_ptrace };
++
++allow ncftool_t self:process signal;
++
++allow ncftool_t self:fifo_file manage_fifo_file_perms;
++allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
++
++allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
++allow ncftool_t self:tcp_socket { create ioctl };
++
++kernel_read_system_state(ncftool_t)
++kernel_read_network_state(ncftool_t)
++kernel_read_kernel_sysctls(ncftool_t)
++kernel_request_load_module(ncftool_t) 
++kernel_read_modprobe_sysctls(ncftool_t)
++kernel_rw_net_sysctls(ncftool_t)
++
++corecmd_exec_bin(ncftool_t)
++corecmd_exec_shell(ncftool_t)
++consoletype_exec(ncftool_t)
++
++domain_read_all_domains_state(ncftool_t)
++
++dev_read_sysfs(ncftool_t)
++
++files_read_etc_files(ncftool_t)
++files_read_etc_runtime_files(ncftool_t)
++files_read_usr_files(ncftool_t)
++
++modutils_read_module_config(ncftool_t)
++
++term_use_all_terms(ncftool_t)
++
++miscfiles_read_localization(ncftool_t)
++
++modutils_domtrans_insmod(ncftool_t)
++
++sysnet_delete_dhcpc_pid(ncftool_t)
++sysnet_domtrans_dhcpc(ncftool_t)
++sysnet_domtrans_ifconfig(ncftool_t)
++sysnet_etc_filetrans_config(ncftool_t)
++sysnet_manage_config(ncftool_t)
++sysnet_read_dhcpc_state(ncftool_t)
++sysnet_relabelfrom_net_conf(ncftool_t)
++sysnet_relabelto_net_conf(ncftool_t)
++
++userdom_read_user_tmp_files(ncftool_t)
++
++optional_policy(`
++	brctl_domtrans(ncftool_t)
++')
++
++optional_policy(`
++        dbus_system_bus_client(ncftool_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc
 --- nsaserefpolicy/policy/modules/admin/netutils.fc	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc	2010-05-28 09:41:59.953610894 +0200
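Review bot: `permissive ncftool_t;` in ncftool.te ships the new domain unenforced, so the allow rules below it only shape what gets logged. Meanwhile `ncftool_run` and `ncftool_role` already make the domain reachable from caller roles, and the module is switched on in all three modules-*.conf lists, MLS included. I would put a comment directly above the statement giving its exit condition, e.g. `# permissive while the policy is tested; remove before release (tracking: <bug id>)`. Separately, `self:capability { net_admin sys_ptrace }` next to `domain_read_all_domains_state(ncftool_t)` looks like the usual /proc-scan pattern; if that is the cause, confirm whether sys_ptrace is needed or whether `dontaudit ncftool_t self:capability sys_ptrace;` would do. The combination of `corecmd_exec_shell`, `kernel_request_load_module` and `modutils_domtrans_insmod` with both `domain_*_change_exemption` macros is also a wide grant, and deserves a short why-comment per line before the domain goes enforcing.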
@@ -614,6 +781,14 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/sbin/hping2		--	gen_context(system_u:object_r:ping_exec_t,s0)
  /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 +/usr/sbin/send_arp      --  gen_context(system_u:object_r:ping_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.7.19/policy/modules/admin/netutils.if
+--- nsaserefpolicy/policy/modules/admin/netutils.if	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/netutils.if	2010-06-15 18:40:03.058768889 +0200
+@@ -299,3 +299,4 @@
+ 
+ 	can_exec($1, traceroute_exec_t)
+ ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.19/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/admin/netutils.te	2010-06-14 11:19:18.240056520 +0200
@@ -1725,8 +1900,15 @@ diff --exclude-from=exclude -N -u -r nsa
  		java_domtrans_unconfined(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te
 --- nsaserefpolicy/policy/modules/admin/shorewall.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te	2010-05-28 09:41:59.961611278 +0200
-@@ -87,7 +87,11 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te	2010-06-14 20:23:23.332218554 +0200
+@@ -81,13 +81,18 @@
+ 
+ init_rw_utmp(shorewall_t)
+ 
++logging_read_generic_logs(shorewall_t)
+ logging_send_syslog_msg(shorewall_t)
+ 
+ miscfiles_read_localization(shorewall_t)
  
  sysnet_domtrans_ifconfig(shorewall_t)
  
@@ -10578,7 +10760,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2010-05-28 09:42:00.046610802 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2010-06-15 18:40:03.060767978 +0200
 @@ -28,17 +28,29 @@
  
  corecmd_exec_shell(sysadm_t)
@@ -10725,10 +10907,14 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -212,12 +246,18 @@
+@@ -212,12 +246,22 @@
  ')
  
  optional_policy(`
++        iptables_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
 +	kerberos_exec_kadmind(sysadm_t)
 +')
 +
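Review bot: The added `iptables_run(sysadm_t, sysadm_r)` line in the sysadm.te hunk is indented with eight spaces, while the other optional_policy bodies visible around it (`kerberos_exec_kadmind`, `kudzu_run`) use a tab; I would write it with a single leading tab. The aisexec.te hunk has the same problem: its rewritten `rhcs_rw_*` lines replace tab-indented lines with space-indented ones. In the consolekit.te hunk the new `')` after `mpd_dbus_chat(consolekit_t)` carries a trailing tab. None of this changes the compiled policy, but it makes later diffs of policy-F13.patch noisier than they need to be.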
@@ -10744,7 +10930,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +267,11 @@
+@@ -227,9 +271,11 @@
  	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
@@ -10756,7 +10942,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +294,10 @@
+@@ -252,8 +298,10 @@
  
  optional_policy(`
  	mount_run(sysadm_t, sysadm_r)
@@ -10767,7 +10953,7 @@ diff --exclude-from=exclude -N -u -r nsa
  optional_policy(`
  	mozilla_role(sysadm_r, sysadm_t)
  ')
-@@ -261,6 +305,7 @@
+@@ -261,6 +309,7 @@
  optional_policy(`
  	mplayer_role(sysadm_r, sysadm_t)
  ')
@@ -10775,7 +10961,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +353,14 @@
+@@ -308,8 +357,14 @@
  ')
  
  optional_policy(`
@@ -10790,7 +10976,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +370,11 @@
+@@ -319,9 +374,11 @@
  	raid_domtrans_mdadm(sysadm_t)
  ')
  
@@ -10802,7 +10988,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +384,11 @@
+@@ -331,9 +388,11 @@
  	rpm_run(sysadm_t, sysadm_r)
  ')
  
@@ -10814,7 +11000,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -358,8 +413,14 @@
+@@ -358,8 +417,14 @@
  ')
  
  optional_policy(`
@@ -10829,7 +11015,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +443,11 @@
+@@ -382,9 +447,11 @@
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
@@ -10841,7 +11027,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +456,21 @@
+@@ -393,17 +460,21 @@
  	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
@@ -10863,7 +11049,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	unconfined_domtrans(sysadm_t)
-@@ -417,9 +484,11 @@
+@@ -417,9 +488,11 @@
  	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
@@ -10875,7 +11061,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +496,15 @@
+@@ -427,9 +500,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
@@ -10891,7 +11077,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +515,30 @@
+@@ -440,13 +519,30 @@
  ')
  
  optional_policy(`
@@ -11609,8 +11795,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te	2010-05-28 09:42:00.049610676 +0200
-@@ -0,0 +1,439 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te	2010-06-15 18:40:03.061767907 +0200
+@@ -0,0 +1,443 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -11770,6 +11956,10 @@ diff --exclude-from=exclude -N -u -r nsa
 +	')
 +
 +	optional_policy(`
++		ncftool_run(unconfined_usertype, unconfined_r)
++	')
++
++	optional_policy(`
 +		networkmanager_dbus_chat(unconfined_usertype)
 +	')
 +
@@ -12522,7 +12712,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	admin_pattern($1, abrt_var_cache_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/abrt.te	2010-06-09 16:27:06.470757212 +0200
++++ serefpolicy-3.7.19/policy/modules/services/abrt.te	2010-06-15 06:54:27.545609592 +0200
 @@ -1,5 +1,5 @@
  
 -policy_module(abrt, 1.0.1)
@@ -12530,7 +12720,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  ########################################
  #
-@@ -33,12 +33,24 @@
+@@ -33,13 +33,25 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
  
@@ -12551,11 +12741,13 @@ diff --exclude-from=exclude -N -u -r nsa
  #
  
 -allow abrt_t self:capability { setuid setgid sys_nice dac_override };
+-allow abrt_t self:process { signal signull setsched getsched };
 +allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
 +dontaudit abrt_t self:capability sys_rawio;
- allow abrt_t self:process { signal signull setsched getsched };
++allow abrt_t self:process { signal signull sigkill setsched getsched };
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
+ allow abrt_t self:tcp_socket create_stream_socket_perms;
 @@ -54,20 +66,25 @@
  manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
  logging_log_filetrans(abrt_t, abrt_var_log_t, file)
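Review bot: The `sigkill` permission added to `allow abrt_t self:process` has no comment saying what abrt needs to kill, and its scope is easy to misread next to the `kill` capability in the rule just above it. Because the target is `self`, the rule only lets abrt_t send SIGKILL to processes that are themselves running as abrt_t; the capability lifts the ownership check but does not by itself allow signalling other domains. A one-line comment above the rule would record that, for example `# sigkill is limited to abrt_t's own processes (reason: <bug or AVC reference>)`. The abrt.te hunk continues outside this outer hunk, so any signal rules towards other domains are not visible here.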
@@ -13114,8 +13306,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.19/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/aisexec.te	2010-05-28 09:42:00.056610845 +0200
-@@ -0,0 +1,118 @@
++++ serefpolicy-3.7.19/policy/modules/services/aisexec.te	2010-06-15 18:40:09.962020397 +0200
+@@ -0,0 +1,114 @@
 +
 +policy_module(aisexec,1.0.0)
 +
@@ -13216,20 +13408,16 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 +
 +optional_policy(`
-+	# to communication with RHCS
-+	dlm_controld_manage_tmpfs_files(aisexec_t)
-+	dlm_controld_rw_semaphores(aisexec_t)
++        # to communication with RHCS
++        rhcs_rw_dlm_controld_semaphores(aisexec_t)
 +
-+	fenced_manage_tmpfs_files(aisexec_t)
-+	fenced_rw_semaphores(aisexec_t)
++        rhcs_rw_fenced_semaphores(aisexec_t)
 +
-+	gfs_controld_manage_tmpfs_files(aisexec_t)
-+	gfs_controld_rw_semaphores(aisexec_t)
-+	gfs_controld_t_rw_shm(aisexec_t)
-+
-+	groupd_manage_tmpfs_files(aisexec_t)
-+	groupd_rw_semaphores(aisexec_t)
-+	groupd_rw_shm(aisexec_t)
++        rhcs_rw_gfs_controld_semaphores(aisexec_t)
++        rhcs_rw_gfs_controld_shm(aisexec_t)
++
++        rhcs_rw_groupd_semaphores(aisexec_t)
++        rhcs_rw_groupd_shm(aisexec_t)
 +')
 +
 +userdom_rw_semaphores(aisexec_t)
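Review bot: The `rhcs_rw_*_semaphores` and `rhcs_rw_gfs_controld_shm` calls that replace the old block grant more than their names say. As defined in the rhcs.if section of this same patch, each of them also gives the caller `fs_search_tmpfs` and `manage_files_pattern` on the daemon's tmpfs type, which is where the removed `*_manage_tmpfs_files` calls went. Someone auditing aisexec.te will read these lines as IPC-only access. I would either say so in the interface summaries, e.g. `## Allow read and write access to fenced semaphores and manage fenced tmpfs files.`, or keep the tmpfs file access in a separately named interface.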
@@ -14440,6 +14628,20 @@ diff --exclude-from=exclude -N -u -r nsa
  	allow $1 avahi_t:dbus send_msg;
  	allow avahi_t $1:dbus send_msg;
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.19/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/avahi.te	2010-06-15 18:00:13.770018228 +0200
+@@ -104,6 +104,10 @@
+ ')
+ 
+ optional_policy(`
++	mpd_dbus_chat(avahi_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(avahi_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.7.19/policy/modules/services/bitlbee.te
 --- nsaserefpolicy/policy/modules/services/bitlbee.te	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/bitlbee.te	2010-06-09 23:44:39.315208775 +0200
@@ -16485,7 +16687,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.19/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/consolekit.te	2010-05-28 09:42:00.086610824 +0200
++++ serefpolicy-3.7.19/policy/modules/services/consolekit.te	2010-06-15 18:01:58.476767291 +0200
 @@ -16,12 +16,15 @@
  type consolekit_var_run_t;
  files_pid_file(consolekit_var_run_t)
@@ -16541,7 +16743,18 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -100,19 +110,37 @@
+@@ -91,6 +101,10 @@
+ 	')
+ 
+ 	optional_policy(`
++		mpd_dbus_chat(consolekit_t)
++	')	
++
++	optional_policy(`
+ 		rpm_dbus_chat(consolekit_t)
+ 	')
+ 
+@@ -100,19 +114,37 @@
  ')
  
  optional_policy(`
@@ -16712,8 +16925,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te	2010-05-28 12:24:51.498860537 +0200
-@@ -0,0 +1,126 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te	2010-06-15 18:40:09.963018230 +0200
+@@ -0,0 +1,120 @@
 +
 +policy_module(corosync,1.0.0)
 +
@@ -16826,14 +17039,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +optional_policy(`
 +	# to communication with RHCS
-+	dlm_controld_manage_tmpfs_files(corosync_t)
-+	dlm_controld_rw_semaphores(corosync_t)
-+
-+	fenced_manage_tmpfs_files(corosync_t)
-+	fenced_rw_semaphores(corosync_t)
-+
-+	gfs_controld_manage_tmpfs_files(corosync_t)
-+	gfs_controld_rw_semaphores(corosync_t)
++	rhcs_rw_cluster_shm(corosync_t)
++	rhcs_rw_cluster_semaphores(corosync_t)
 +')
 +
 +optional_policy(`
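Review bot: Replacing the six per-daemon calls with `rhcs_rw_cluster_shm(corosync_t)` and `rhcs_rw_cluster_semaphores(corosync_t)` looks like it widens corosync_t's access rather than just renaming it. The removed lines covered semaphores and tmpfs files of dlm_controld, fenced and gfs_controld only, and no shared memory. The two cluster-wide interfaces are not defined in the part of the patch visible here, but if they are written against the `cluster_domain` and `cluster_tmpfs` attributes that `rhcs_domain_template` now assigns, corosync would also reach every other domain built from that template (groupd, for example) and any added later. If that is intended, a comment in the block should state it, e.g. `# corosync shares sem/shm with all cluster_domain daemons`; otherwise the per-daemon `rhcs_rw_*_semaphores` calls used in aisexec.te would keep the grant narrower.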
@@ -20670,8 +20877,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +/var/lib/mpd/playlists(/.*)?   gen_context(system_u:object_r:mpd_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.if serefpolicy-3.7.19/policy/modules/services/mpd.if
 --- nsaserefpolicy/policy/modules/services/mpd.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/mpd.if	2010-06-14 18:37:18.471468823 +0200
-@@ -0,0 +1,274 @@
++++ serefpolicy-3.7.19/policy/modules/services/mpd.if	2010-06-15 17:58:09.853018142 +0200
+@@ -0,0 +1,295 @@
 +
 +## <summary>policy for daemon for playing music</summary>
 +
@@ -20899,6 +21106,27 @@ diff --exclude-from=exclude -N -u -r nsa
 +        manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
 +')
 +
++#######################################
++## <summary>
++##  Send and receive messages from
++##  mpd over dbus.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mpd_dbus_chat',`
++    gen_require(`
++        type mpd_t;
++        class dbus send_msg;
++    ')
++
++    allow $1 mpd_t:dbus send_msg;
++    allow mpd_t $1:dbus send_msg;
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate 
@@ -25238,7 +25466,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.19/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.te	2010-05-28 09:42:00.158610990 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.te	2010-06-15 07:28:56.615609284 +0200
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -25567,10 +25795,12 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  #######################################
-@@ -451,6 +525,15 @@
+@@ -451,6 +525,17 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
++mta_mailserver_user_agent(postfix_postqueue_t)
++
 +optional_policy(`
 +	cron_system_entry(postfix_postqueue_t, postfix_postqueue_exec_t)
 +')
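Review bot: `mta_mailserver_user_agent(postfix_postqueue_t)` is added with no comment, and the log message for this revision (abrt sigkill, ncftool, cluster fixes, audisp-remote) does not mention postfix at all. The interface lives in mta.if, which is not part of this page, so what postfix_postqueue_t gains cannot be checked from the hunk alone. A short comment above the call naming the access it was added for would make the grant reviewable, e.g. `# postqueue needs <access>; see <bug or AVC reference>`. The same applies to `logging_read_generic_logs(shorewall_t)` in the shorewall.te hunk, which is also absent from the log message.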
@@ -25583,7 +25813,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ########################################
  #
  # Postfix qmgr local policy
-@@ -464,6 +547,7 @@
+@@ -464,6 +549,7 @@
  manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
  manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -25591,7 +25821,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +583,14 @@
+@@ -499,13 +585,14 @@
  #
  
  # connect to master process
@@ -25607,7 +25837,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +620,18 @@
+@@ -535,9 +622,18 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -25626,7 +25856,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	mailman_read_data_files(postfix_smtpd_t)
  ')
  
-@@ -559,20 +653,22 @@
+@@ -559,20 +655,22 @@
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
@@ -26526,7 +26756,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te	2010-05-28 09:42:00.169610746 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te	2010-06-15 18:40:09.964045327 +0200
 @@ -0,0 +1,223 @@
 +
 +policy_module(rgmanager, 1.0.0)
@@ -26668,7 +26898,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 +
 +optional_policy(`
-+	groupd_stream_connect(rgmanager_t)
++	rhcs_stream_connect_groupd(rgmanager_t)
 +')
 +
 +optional_policy(`
@@ -26678,7 +26908,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +optional_policy(`
 +	ccs_manage_config(rgmanager_t)
 +	ccs_stream_connect(rgmanager_t)
-+	gfs_controld_stream_connect(rgmanager_t)
++	rhcs_stream_connect_gfs_controld(rgmanager_t)
 +')
 +
 +optional_policy(`
@@ -26753,463 +26983,454 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc
 --- nsaserefpolicy/policy/modules/services/rhcs.fc	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc	2010-05-28 09:42:00.169610746 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc	2010-06-15 18:40:09.966019131 +0200
 @@ -0,0 +1,23 @@
-+/usr/sbin/dlm_controld                     --      gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-+/var/log/cluster/dlm_controld\.log.*   --      gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
-+/var/run/dlm_controld\.pid             --      gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-+
-+/usr/sbin/fenced                           --      gen_context(system_u:object_r:fenced_exec_t,s0)
-+/usr/sbin/fence_node                   --      gen_context(system_u:object_r:fenced_exec_t,s0)
-+/var/lock/fence_manual\.lock  		   --	   gen_context(system_u:object_r:fenced_lock_t,s0)
-+/var/log/cluster/fenced\.log.*         --      gen_context(system_u:object_r:fenced_var_log_t,s0)
-+/var/run/fenced\.pid                   --      gen_context(system_u:object_r:fenced_var_run_t,s0)
-+/var/run/cluster/fenced_override       --      gen_context(system_u:object_r:fenced_var_run_t,s0)
-+
-+/usr/sbin/gfs_controld                     --      gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-+/var/log/cluster/gfs_controld\.log.*   --      gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
-+/var/run/gfs_controld\.pid             --      gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
-+
-+/usr/sbin/groupd                           --      gen_context(system_u:object_r:groupd_exec_t,s0)
-+/var/run/groupd\.pid                   --      gen_context(system_u:object_r:groupd_var_run_t,s0)
-+
-+/usr/sbin/qdiskd                       --      gen_context(system_u:object_r:qdiskd_exec_t,s0)
-+/var/lib/qdiskd(/.*)?                          gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
-+/var/log/cluster/qdiskd\.log.*         --      gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-+/var/run/qdiskd\.pid                   --      gen_context(system_u:object_r:qdiskd_var_run_t,s0)
++/usr/sbin/dlm_controld                  --      gen_context(system_u:object_r:dlm_controld_exec_t,s0)
++/usr/sbin/fenced                        --      gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fence_node                    --      gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/gfs_controld                  --      gen_context(system_u:object_r:gfs_controld_exec_t,s0)
++/usr/sbin/groupd                        --      gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/qdiskd                       	--      gen_context(system_u:object_r:qdiskd_exec_t,s0)
++
++/var/lock/fence_manual\.lock  		--	gen_context(system_u:object_r:fenced_lock_t,s0)
++
++/var/lib/qdiskd(/.*)?                          	gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
++
++/var/log/cluster/dlm_controld\.log.*   --      	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
++/var/log/cluster/fenced\.log.*         --      	gen_context(system_u:object_r:fenced_var_log_t,s0)
++/var/log/cluster/gfs_controld\.log.*   --      	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
++/var/log/cluster/qdiskd\.log.*         --      	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++
++/var/run/cluster/fenced_override       --      	gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld\.pid             --      	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/var/run/fenced\.pid                   --      	gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/gfs_controld\.pid             --      	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
++/var/run/groupd\.pid                   --      	gen_context(system_u:object_r:groupd_var_run_t,s0)
++/var/run/qdiskd\.pid                   --      	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if
 --- nsaserefpolicy/policy/modules/services/rhcs.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if	2010-05-28 09:42:00.170610889 +0200
-@@ -0,0 +1,424 @@
-+## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if	2010-06-15 18:40:09.967767835 +0200
+@@ -0,0 +1,415 @@
++## <summary>RHCS - Red Hat Cluster Suite</summary>
 +
 +#######################################
 +## <summary>
-+##  Creates types and rules for a basic
-+##  rhcs init daemon domain.
++##	Creates types and rules for a basic
++##	rhcs init daemon domain.
 +## </summary>
 +## <param name="prefix">
-+##  <summary>
-+##  Prefix for the domain.
-+##  </summary>
++##	<summary>
++##	Prefix for the domain.
++##	</summary>
 +## </param>
 +#
 +template(`rhcs_domain_template',`
-+
 +	gen_require(`
-+		attribute cluster_domain;        
++		attribute cluster_domain;
++		attribute cluster_tmpfs;
 +	')
 +
 +	##############################
-+	#   
-+	#  $1_t declarations
-+	#            
++	#
++	# Declarations
++	#
 +
 +	type $1_t, cluster_domain;
 +	type $1_exec_t;
 +	init_daemon_domain($1_t, $1_exec_t)
 +
-+	type $1_tmpfs_t;
++	type $1_tmpfs_t, cluster_tmpfs;
 +	files_tmpfs_file($1_tmpfs_t)
 +
-+	# log files
 +	type $1_var_log_t;
 +	logging_log_file($1_var_log_t)
 +
-+	# pid files
 +	type $1_var_run_t;
 +	files_pid_file($1_var_run_t)
 +
 +	##############################
-+	#   
-+	#  $1_t local policy
-+	#            
++	#
++	# Local policy
++	#
 +
 +	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file })
++	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
++
++	manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
++	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
++	logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
 +
 +	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 +	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 +	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 +	files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
 +
-+	manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
-+	manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
-+	logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file })
-+	
 +')
 +
 +######################################
 +## <summary>
-+##      Execute a domain transition to run groupd.
++##	Execute a domain transition to run dlm_controld.
 +## </summary>
 +## <param name="domain">
 +## <summary>
-+##      Domain allowed to transition.
++##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
-+interface(`groupd_domtrans',`
-+        gen_require(`
-+                type groupd_t, groupd_exec_t;
-+        ')
++interface(`rhcs_domtrans_dlm_controld',`
++	gen_require(`
++	type dlm_controld_t, dlm_controld_exec_t;
++	')
 +
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,groupd_exec_t,groupd_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
 +')
 +
 +#####################################
 +## <summary>
-+##      Connect to groupd over a unix domain
-+##      stream socket.
++##	Connect to dlm_controld over a unix domain
++##	stream socket.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`groupd_stream_connect',`
-+        gen_require(`
-+                type groupd_t, groupd_var_run_t;
-+        ')
++interface(`rhcs_stream_connect_dlm_controld',`
++	gen_require(`
++		type dlm_controld_t, dlm_controld_var_run_t;
++	')
 +
-+        files_search_pids($1)
-+        stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
++	files_search_pids($1)
++	stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
 +')
 +
 +#####################################
 +## <summary>
-+##      Manage groupd tmpfs files.
++##	Allow read and write access to dlm_controld semaphores.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`groupd_manage_tmpfs_files',`
-+        gen_require(`
-+                type groupd_tmpfs_t;
-+        ')
-+
-+        fs_search_tmpfs($1)
-+        manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+        manage_lnk_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
-+')
++interface(`rhcs_rw_dlm_controld_semaphores',`
++	gen_require(`
++		type dlm_controld_t, dlm_controld_tmpfs_t;
++	')
 +
-+#####################################
-+## <summary>
-+##      Allow read and write access to groupd semaphores.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`groupd_rw_semaphores',`
-+        gen_require(`
-+                type groupd_t;
-+        ')
++	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
 +
-+        allow $1 groupd_t:sem { rw_sem_perms destroy };
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
 +')
 +
-+########################################
++######################################
 +## <summary>
-+##      Read and write to group shared memory.
++##	Execute a domain transition to run fenced.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`groupd_rw_shm',`
-+        gen_require(`
-+                type groupd_t;
-+        ')
++interface(`rhcs_domtrans_fenced',`
++	gen_require(`
++		type fenced_t, fenced_exec_t;
++	')
 +
-+        allow $1 groupd_t:shm { rw_shm_perms destroy };
++	corecmd_search_bin($1)
++	domtrans_pattern($1, fenced_exec_t, fenced_t)
 +')
 +
 +######################################
 +## <summary>
-+##      Execute a domain transition to run dlm_controld.
++##	Allow read and write access to fenced semaphores.
 +## </summary>
 +## <param name="domain">
-+## <summary>
-+##      Domain allowed to transition.
-+## </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`dlm_controld_domtrans',`
-+        gen_require(`
-+                type dlm_controld_t, dlm_controld_exec_t;
-+        ')
++interface(`rhcs_rw_fenced_semaphores',`
++	gen_require(`
++		type fenced_t, fenced_tmpfs_t;
++	')
 +
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,dlm_controld_exec_t,dlm_controld_t)
++	allow $1 fenced_t:sem { rw_sem_perms destroy };
 +
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
 +')
 +
-+#####################################
++######################################
 +## <summary>
-+##      Connect to dlm_controld over a unix domain
-+##      stream socket.
++##	Connect to fenced over an unix domain stream socket.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`dlm_controld_stream_connect',`
-+        gen_require(`
-+                type dlm_controld_t, dlm_controld_var_run_t;
-+        ')
++interface(`rhcs_stream_connect_fenced',`
++	gen_require(`
++		type fenced_var_run_t, fenced_t;
++	')
 +
-+        files_search_pids($1)
-+        stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
++	allow $1 fenced_t:unix_stream_socket connectto;
++	allow $1 fenced_var_run_t:sock_file { getattr write };
++	files_search_pids($1)
 +')
 +
 +#####################################
 +## <summary>
-+##      Manage dlm_controld tmpfs files.
++##	Execute a domain transition to run gfs_controld.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`dlm_controld_manage_tmpfs_files',`
-+        gen_require(`
-+                type dlm_controld_tmpfs_t;
-+        ')
++interface(`rhcs_domtrans_gfs_controld',`
++	gen_require(`
++	type gfs_controld_t, gfs_controld_exec_t;
++	')
 +
-+        fs_search_tmpfs($1)
-+        manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-+        manage_lnk_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
 +')
 +
-+#####################################
++####################################
 +## <summary>
-+##      Allow read and write access to dlm_controld semaphores.
++##	Allow read and write access to gfs_controld semaphores.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`dlm_controld_rw_semaphores',`
-+        gen_require(`
-+                type dlm_controld_t;
-+        ')
++interface(`rhcs_rw_gfs_controld_semaphores',`
++	gen_require(`
++		type gfs_controld_t, gfs_controld_tmpfs_t;
++	')
 +
-+        allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
++	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
++
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
 +')
 +
-+######################################
++########################################
 +## <summary>
-+##      Execute a domain transition to run fenced.
++##	Read and write to gfs_controld_t shared memory.
 +## </summary>
 +## <param name="domain">
-+## <summary>
-+##      Domain allowed to transition.
-+## </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`fenced_domtrans',`
-+        gen_require(`
-+                type fenced_t, fenced_exec_t;
-+        ')
++interface(`rhcs_rw_gfs_controld_shm',`
++	gen_require(`
++		type gfs_controld_t, gfs_controld_tmpfs_t;
++	')
 +
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,fenced_exec_t,fenced_t)
++	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
 +
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
 +')
 +
-+######################################
++#####################################
 +## <summary>
-+##      Connect to fenced over an unix domain stream socket.
++##	Connect to gfs_controld_t over an unix domain stream socket.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`fenced_stream_connect',`
-+        gen_require(`
-+                type fenced_var_run_t, fenced_t;
-+        ')
++interface(`rhcs_stream_connect_gfs_controld',`
++	gen_require(`
++		type gfs_controld_t, gfs_controld_var_run_t;
++	')
 +
-+        allow $1 fenced_t:unix_stream_socket connectto;
-+        allow $1 fenced_var_run_t:sock_file { getattr write };
-+        files_search_pids($1)
++	files_search_pids($1)
++	stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
 +')
 +
-+#####################################
++######################################
 +## <summary>
-+##      Managed fenced tmpfs files.
++##	Execute a domain transition to run groupd.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
++## <summary>
++##	Domain allowed access.
++## </summary>
 +## </param>
 +#
-+interface(`fenced_manage_tmpfs_files',`
-+        gen_require(`
-+                type fenced_tmpfs_t;
-+        ')
++interface(`rhcs_domtrans_groupd',`
++	gen_require(`
++		type groupd_t, groupd_exec_t;
++	')
 +
-+        fs_search_tmpfs($1)
-+        manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
-+       manage_lnk_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, groupd_exec_t, groupd_t)
 +')
 +
-+######################################
++#####################################
 +## <summary>
-+##      Allow read and write access to fenced semaphores.
++##	Connect to groupd over a unix domain
++##	stream socket.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`fenced_rw_semaphores',`
-+        gen_require(`
-+                type fenced_t;
-+        ')
++interface(`rhcs_stream_connect_groupd',`
++	gen_require(`
++		type groupd_t, groupd_var_run_t;
++	')
 +
-+        allow $1 fenced_t:sem { rw_sem_perms destroy };
++	files_search_pids($1)
++	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
 +')
 +
 +#####################################
 +## <summary>
-+##      Execute a domain transition to run gfs_controld.
++##	Allow read and write access to groupd semaphores.
 +## </summary>
 +## <param name="domain">
-+## <summary>
-+##      Domain allowed to transition.
-+## </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`gfs_controld_domtrans',`
-+        gen_require(`
-+                type gfs_controld_t, gfs_controld_exec_t;
-+        ')
++interface(`rhcs_rw_groupd_semaphores',`
++	gen_require(`
++		type groupd_t, groupd_tmpfs_t;
++	')
 +
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,gfs_controld_exec_t,gfs_controld_t)
++	allow $1 groupd_t:sem { rw_sem_perms destroy };
++
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 +')
 +
-+###################################
++########################################
 +## <summary>
-+##      Manage gfs_controld tmpfs files.
++##	Read and write to group shared memory.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`gfs_controld_manage_tmpfs_files',`
-+        gen_require(`
-+                type gfs_controld_tmpfs_t;
-+        ')
++interface(`rhcs_rw_groupd_shm',`
++	gen_require(`
++		type groupd_t, groupd_tmpfs_t;
++	')
 +
-+        fs_search_tmpfs($1)
-+        manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-+        manage_lnk_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
++	allow $1 groupd_t:shm { rw_shm_perms destroy };
++
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 +')
 +
-+####################################
++########################################
 +## <summary>
-+##      Allow read and write access to gfs_controld semaphores.
++##	Read and write to cluster domains shared memory.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`gfs_controld_rw_semaphores',`
-+        gen_require(`
-+                type gfs_controld_t;
-+        ')
++interface(`rhcs_rw_cluster_shm',`
++	gen_require(`
++		attribute cluster_domain;
++		attribute cluster_tmpfs;
++	')
++
++	allow $1 cluster_domain:shm { rw_shm_perms destroy };
 +
-+        allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
++	fs_search_tmpfs($1)
++	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
++	manage_lnk_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
 +')
 +
-+########################################
++####################################
 +## <summary>
-+##      Read and write to gfs_controld_t shared memory.
++##      Read and write access to cluster domains semaphores.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
-+##      The type of the process performing this action.
++##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
-+interface(`gfs_controld_t_rw_shm',`
++interface(`rhcs_rw_cluster_semaphores',`
 +        gen_require(`
-+                type gfs_controld_t;
++                type cluster_domain;
 +        ')
 +
-+        allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
++        allow $1 cluster_domain:sem { rw_sem_perms destroy };
 +')
 +
-+#####################################
++######################################
 +## <summary>
-+##      Connect to gfs_controld_t over an unix domain stream socket.
++##	Execute a domain transition to run qdiskd.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`gfs_controld_stream_connect',`
-+        gen_require(`
-+                type gfs_controld_t, gfs_controld_var_run_t;
-+        ')
++interface(`rhcs_domtrans_qdiskd',`
++	gen_require(`
++		type qdiskd_t, qdiskd_exec_t;
++	')
 +
-+        files_search_pids($1)
-+        stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
 +')
 +
-+######################################
++########################################
 +## <summary>
-+##      Execute a domain transition to run qdiskd.
++##	Allow domain to read qdiskd tmpfs files
 +## </summary>
 +## <param name="domain">
-+## <summary>
-+##      Domain allowed to transition.
-+## </summary>
++##	<summary>
++##	Domain allowed access.
++##	</summary>
 +## </param>
 +#
-+interface(`qdiskd_domtrans',`
-+        gen_require(`
-+                type qdiskd_t, qdiskd_exec_t;
-+        ')
++interface(`rhcs_read_qdiskd_tmpfs_files',`
++	gen_require(`
++		type qdiskd_tmpfs_t;
++	')
 +
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,qdiskd_exec_t,qdiskd_t)
++	allow $1 qdiskd_tmpfs_t:file read_file_perms;
 +')
-+
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-05-28 12:24:14.508611285 +0200
-@@ -0,0 +1,242 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te	2010-06-15 18:40:09.968779078 +0200
+@@ -0,0 +1,243 @@
 +
 +policy_module(rhcs,1.1.0)
 +
@@ -27226,6 +27447,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +gen_tunable(fenced_can_network_connect, false)
 +
 +attribute cluster_domain;
++attribute cluster_tmpfs;
 +
 +rhcs_domain_template(dlm_controld)
 +
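Review bot: `cluster_domain` is declared as an attribute in this hunk (`attribute cluster_domain;`, next to the new `attribute cluster_tmpfs;`), but the new `rhcs_rw_cluster_semaphores` interface added to rhcs.if earlier in this patch requires it as `type cluster_domain;` in its gen_require block. The sibling `rhcs_rw_cluster_shm` requires `attribute cluster_domain;`, which matches this declaration. The semaphore interface should use `attribute cluster_domain;` too, otherwise the requirement will most likely fail to resolve once a caller expands it. That interface is also still indented with spaces while the other rhcs interfaces were converted to tabs.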
@@ -27897,6 +28119,19 @@ diff --exclude-from=exclude -N -u -r nsa
  ##	Allow rtkit to control scheduling for your process
  ## </summary>
  ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.19/policy/modules/services/rtkit.te
+--- nsaserefpolicy/policy/modules/services/rtkit.te	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/rtkit.te	2010-06-15 18:00:58.428018646 +0200
+@@ -32,5 +32,9 @@
+ miscfiles_read_localization(rtkit_daemon_t)
+ 
+ optional_policy(`
++	mpd_dbus_chat(rtkit_daemon_t)
++')
++
++optional_policy(`
+ 	policykit_dbus_chat(rtkit_daemon_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.19/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/samba.fc	2010-05-28 09:42:00.178610776 +0200
@@ -32654,7 +32889,7 @@ diff --exclude-from=exclude -N -u -r nsa
  # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if	2010-05-28 09:42:00.216612297 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if	2010-06-15 17:06:19.819626772 +0200
 @@ -193,8 +193,10 @@
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
@@ -32747,7 +32982,16 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -682,6 +728,8 @@
+@@ -674,6 +720,8 @@
+ 
+ 	init_exec($1)
+ 
++	corecmd_exec_bin($1)
++
+ 	tunable_policy(`init_upstart',`
+ 		gen_require(`
+ 			type init_t;
+@@ -682,6 +730,8 @@
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
  		allow $1 init_t:unix_dgram_socket sendto;
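Review bot: The added `corecmd_exec_bin($1)` sits outside the `tunable_policy(`init_upstart', ...)` block, so every domain that calls this interface can now execute generic bin files, and nothing records why. The interface header is outside the hunk. If it is `init_telinit`, then `audisp_remote_t`, which calls `init_telinit` in the logging.te part of this patch, gains that access as well. Either add a why-comment above the line, e.g. `# callers execute <program> from a bin directory` with the actual program named, or grant the access only in the calling domains that need it.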
@@ -32756,7 +33000,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  ')
  
-@@ -754,18 +802,19 @@
+@@ -754,18 +804,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -32780,7 +33024,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	')
  ')
  
-@@ -781,19 +830,41 @@
+@@ -781,23 +832,45 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -32803,11 +33047,11 @@ diff --exclude-from=exclude -N -u -r nsa
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -32820,13 +33064,17 @@ diff --exclude-from=exclude -N -u -r nsa
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -849,8 +920,10 @@
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -849,8 +922,10 @@
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -32837,7 +33085,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1637,7 +1710,7 @@
+@@ -1637,7 +1712,7 @@
  		type initrc_var_run_t;
  	')
  
@@ -32846,7 +33094,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -1712,3 +1785,56 @@
+@@ -1712,3 +1787,56 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -33483,8 +33731,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +userdom_read_user_tmp_files(setkey_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.19/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iptables.fc	2010-05-28 09:42:00.220610773 +0200
-@@ -1,13 +1,18 @@
++++ serefpolicy-3.7.19/policy/modules/system/iptables.fc	2010-06-15 18:40:03.062767626 +0200
+@@ -1,13 +1,16 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -33503,8 +33751,6 @@ diff --exclude-from=exclude -N -u -r nsa
  /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +
-+/usr/bin/ncftool		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.19/policy/modules/system/iptables.if
 --- nsaserefpolicy/policy/modules/system/iptables.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/system/iptables.if	2010-05-28 09:42:00.220610773 +0200
@@ -34088,7 +34334,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/logging.te	2010-06-09 23:05:38.904506480 +0200
++++ serefpolicy-3.7.19/policy/modules/system/logging.te	2010-06-15 17:07:51.140615800 +0200
 @@ -61,6 +61,7 @@
  type syslogd_t;
  type syslogd_exec_t;
@@ -34129,27 +34375,33 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -252,6 +263,8 @@
+@@ -252,6 +263,9 @@
  # Audit remote logger local policy
  #
  
++allow audisp_remote_t self:capability { setuid setpcap };
 +allow audisp_remote_t self:process { getcap setcap };
 +
  allow audisp_remote_t self:tcp_socket create_socket_perms;
  
  corenet_all_recvfrom_unlabeled(audisp_remote_t)
-@@ -268,6 +281,10 @@
+@@ -266,6 +280,15 @@
  
- logging_send_syslog_msg(audisp_remote_t)
+ files_read_etc_files(audisp_remote_t)
  
 +auth_use_nsswitch(audisp_remote_t)
++auth_dontaudit_write_login_records(audisp_remote_t)   
 +
++init_read_utmp(audisp_remote_t)
++init_dontaudit_write_utmp(audisp_remote_t)
 +init_telinit(audisp_remote_t)
 +
- miscfiles_read_localization(audisp_remote_t)
++logging_search_logs(audisp_remote_t)
++logging_send_audit_msgs(audisp_remote_t)
+ logging_send_syslog_msg(audisp_remote_t)
  
- sysnet_dns_name_resolve(audisp_remote_t)
-@@ -372,8 +389,10 @@
+ miscfiles_read_localization(audisp_remote_t)
+@@ -372,8 +395,10 @@
  manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  files_search_var_lib(syslogd_t)
  
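Review bot: The new `allow audisp_remote_t self:capability { setuid setpcap };` gives the remote audit forwarder two privilege-changing capabilities with no comment explaining the need. Presumably the daemon changes its uid and capability set at startup, which would also explain the existing `self:process { getcap setcap }` rule, but that should be stated, e.g. `# audisp-remote switches uid and trims capabilities at startup (confirm)`. The two new dontaudit calls (`auth_dontaudit_write_login_records`, `init_dontaudit_write_utmp`) suppress AVC records for write attempts, so a short note on which library call triggers them would help anyone later reading the audit log. The `auth_dontaudit_write_login_records(audisp_remote_t)` line also carries trailing spaces.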
@@ -34162,7 +34414,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-@@ -491,6 +510,10 @@
+@@ -491,6 +516,10 @@
  ')
  
  optional_policy(`
@@ -34307,6 +34559,17 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.19/policy/modules/system/modutils.if
+--- nsaserefpolicy/policy/modules/system/modutils.if	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/modutils.if	2010-06-15 18:40:03.063767415 +0200
+@@ -59,6 +59,7 @@
+ 	files_search_etc($1)
+ 	files_search_boot($1)
+ 
++	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+ 	read_files_pattern($1, modules_conf_t, modules_conf_t)
+ 	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/system/modutils.te	2010-05-28 09:42:00.507610874 +0200
@@ -36057,7 +36320,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if	2010-05-28 09:42:00.518610770 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if	2010-06-15 18:40:03.064777332 +0200
 @@ -60,25 +60,24 @@
  		netutils_run(dhcpc_t, $2)
  		netutils_run_ping(dhcpc_t, $2)
@@ -36143,7 +36406,52 @@ diff --exclude-from=exclude -N -u -r nsa
  #######################################
  ## <summary>
  ##	Set the attributes of network config files.
-@@ -403,11 +439,8 @@
+@@ -270,6 +306,44 @@
+ 
+ #######################################
+ ## <summary>
++##      Allow caller to relabel net_conf files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sysnet_relabelfrom_net_conf',`
++
++        gen_require(`
++                type net_conf_t;
++        ')
++
++        allow $1 net_conf_t:file relabelfrom;
++')
++
++######################################
++## <summary>
++##      Allow caller to relabel net_conf files
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`sysnet_relabelto_net_conf',`
++
++        gen_require(`
++                type net_conf_t;
++        ')
++
++        allow $1 net_conf_t:file relabelto;
++')
++
++#######################################
++## <summary>
+ ##	Read network config files.
+ ## </summary>
+ ## <desc>
+@@ -403,11 +477,8 @@
  		type net_conf_t;
  	')
  
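Review bot: The two new interfaces `sysnet_relabelfrom_net_conf` and `sysnet_relabelto_net_conf` carry the identical summary "Allow caller to relabel net_conf files", so the generated interface documentation cannot tell them apart. I would make them `##	Allow caller to relabel files from the net_conf_t type.` and `##	Allow caller to relabel files to the net_conf_t type.` respectively. Both bodies are indented with spaces and leave a blank line after the `interface(` line, while the surrounding sysnetwork.if context uses tabs. Matching that would keep the file consistent.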
@@ -36157,7 +36465,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  #######################################
-@@ -464,6 +497,10 @@
+@@ -464,6 +535,10 @@
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -36168,7 +36476,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -677,7 +714,10 @@
+@@ -677,7 +752,10 @@
  	corenet_tcp_connect_ldap_port($1)
  	corenet_sendrecv_ldap_client_packets($1)
  
@@ -36180,7 +36488,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -709,5 +749,52 @@
+@@ -709,5 +787,52 @@
  	corenet_tcp_connect_portmap_port($1)
  	corenet_sendrecv_portmap_client_packets($1)
  
@@ -36236,7 +36544,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te	2010-06-08 15:28:13.716610680 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te	2010-06-15 07:01:15.534609419 +0200
 @@ -1,5 +1,5 @@
  
 -policy_module(sysnetwork, 1.10.3)
@@ -36291,15 +36599,16 @@ diff --exclude-from=exclude -N -u -r nsa
  	init_dbus_chat_script(dhcpc_t)
  
  	dbus_system_bus_client(dhcpc_t)
-@@ -172,6 +184,7 @@
+@@ -172,6 +184,8 @@
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
 +	hal_dontaudit_write_log(dhcpc_t)
++	hal_dontaudit_read_pid_files(dhcpc_t)
  ')
  
  optional_policy(`
-@@ -193,6 +206,12 @@
+@@ -193,6 +207,12 @@
  ')
  
  optional_policy(`
@@ -36312,7 +36621,7 @@ diff --exclude-from=exclude -N -u -r nsa
  	nis_read_ypbind_pid(dhcpc_t)
  ')
  
-@@ -214,6 +233,7 @@
+@@ -214,6 +234,7 @@
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -36320,7 +36629,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -277,8 +297,11 @@
+@@ -277,8 +298,11 @@
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -36332,7 +36641,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -306,6 +329,8 @@
+@@ -306,6 +330,8 @@
  
  seutil_use_runinit_fds(ifconfig_t)
  
@@ -36341,7 +36650,7 @@ diff --exclude-from=exclude -N -u -r nsa
  userdom_use_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
-@@ -328,6 +353,8 @@
+@@ -328,6 +354,8 @@
  optional_policy(`
  	hal_dontaudit_rw_pipes(ifconfig_t)
  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-13/selinux-policy.spec,v
retrieving revision 1.1029
retrieving revision 1.1030
diff -u -p -r1.1029 -r1.1030
--- selinux-policy.spec	14 Jun 2010 18:34:42 -0000	1.1029
+++ selinux-policy.spec	15 Jun 2010 16:48:46 -0000	1.1030
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 
 %changelog
+* Tue Jun 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-29
+- Allow abrt sigkill
+- Add ncftool policy
+- Add cluster fixes
+- Fixes for audisp-remote
+
 * Mon Jun 14 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-28
 - Fixes for netutils
 - Cleanup of aiccu policy


