latest rawhide with strict policy and audit

Russell Coker russell at coker.com.au
Thu Apr 14 10:37:08 UTC 2005


allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };

After updating to the latest rawhide stuff I needed the above rule in sshd.te 
to allow sshd to work correctly (unified diff attached).  The first two 
accesses (create and bind) are needed to allow sshd to work to the stage of 
permitting logins.  The last three to stop it spewing messages.

What is this self:netlink_audit_socket access?  What is the appropriate access 
for such things?

newrole has the same issue, the file newrole.diff applies to 
newrole_macros.te.  Even after applying that patch I get an error as follows:

[root at community ~]# newrole -r sysadm_r
Authenticating root.
Password:
Error sending status request (Operation not permitted)
[root at community ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root at community ~]#


I guess that this is in the new pam so local_login_t, xdm_t and other domains 
will need similar changes.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Attachment: ssh.diff (text/x-diff, 448 bytes)
http://lists.fedoraproject.org/pipermail/selinux/attachments/20050414/e180dadb/attachment.bin

Attachment: newrole.diff (text/x-diff, 357 bytes)
http://lists.fedoraproject.org/pipermail/selinux/attachments/20050414/e180dadb/attachment-0001.bin
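The rule at the top of the post is the sort of thing one derives by collecting the AVC denials for a domain and folding the denied permissions into a single allow rule. The script below, an added example that is not part of Russell's post or of any SELinux policy package, does that for the netlink_audit_socket class: it parses constructed AVC denial lines (in the 2005-era kernel log format, invented here for illustration), aggregates per-domain self permissions, prints the rule in the same form as the post, and flags nlmsg_write separately, because on netlink_audit_socket that permission gates the messages that change audit configuration (AUDIT_SET, rule add/delete), which is more than a login service needs in order to send status requests and log records. The domain names and PIDs in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials, not taken from the post or any real system.
# Layout follows the 2005-era kernel "audit(...): avc:  denied" message format.
SAMPLE_AVC = """\
audit(1113474228.101:12): avc:  denied  { create } for  pid=2211 comm="sshd" scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=netlink_audit_socket
audit(1113474228.102:13): avc:  denied  { bind } for  pid=2211 comm="sshd" scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=netlink_audit_socket
audit(1113474228.150:14): avc:  denied  { write } for  pid=2211 comm="sshd" scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=netlink_audit_socket
audit(1113474228.151:15): avc:  denied  { nlmsg_read } for  pid=2211 comm="sshd" scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=netlink_audit_socket
audit(1113474228.152:16): avc:  denied  { read } for  pid=2211 comm="sshd" scontext=root:system_r:sshd_t tcontext=root:system_r:sshd_t tclass=netlink_audit_socket
audit(1113474300.001:17): avc:  denied  { create bind } for  pid=2300 comm="newrole" scontext=root:sysadm_r:newrole_t tcontext=root:sysadm_r:newrole_t tclass=netlink_audit_socket
audit(1113474301.001:18): avc:  denied  { nlmsg_write } for  pid=2300 comm="newrole" scontext=root:sysadm_r:newrole_t tcontext=root:sysadm_r:newrole_t tclass=netlink_audit_socket
audit(1113474400.001:19): avc:  denied  { read } for  pid=2400 comm="sshd" scontext=root:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Print order for permissions, matching the order used in the post's rule.
PERM_ORDER = ["create", "bind", "read", "write", "nlmsg_read", "nlmsg_write", "nlmsg_relay"]

# nlmsg_write on netlink_audit_socket gates the audit messages that change
# audit configuration (AUDIT_SET, rule add/delete), so a domain granted it
# can alter or disable auditing rather than merely query it or log to it.
AUDIT_CONFIG_PERMS = {"nlmsg_write"}


def context_type(ctx):
    """Return the type field of a context (user:role:type[:mls])."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC denial lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def self_netlink_audit_rules(records):
    """Collect denied netlink_audit_socket perms per domain where target is self."""
    needed = defaultdict(set)
    for r in records:
        if r["tclass"] == "netlink_audit_socket" and r["stype"] == r["ttype"]:
            needed[r["stype"]] |= r["perms"]
    return dict(needed)


def ordered_perms(perms):
    """Known permissions in PERM_ORDER first, anything unexpected sorted after."""
    known = [p for p in PERM_ORDER if p in perms]
    extra = sorted(p for p in perms if p not in PERM_ORDER)
    return known + extra


def format_allow(domain, perms):
    """Render one allow rule in the same form as the rule in the post."""
    return "allow %s self:netlink_audit_socket { %s };" % (
        domain, " ".join(ordered_perms(perms)))


def audit_config_perms(perms):
    """Subset of perms that would let the domain reconfigure auditing."""
    return set(perms) & AUDIT_CONFIG_PERMS


if __name__ == "__main__":
    rules = self_netlink_audit_rules(parse_avc(SAMPLE_AVC))
    for domain in sorted(rules):
        print(format_allow(domain, rules[domain]))
        risky = audit_config_perms(rules[domain])
        if risky:
            print("# WARNING: %s also asked for %s; confirm it really needs to "
                  "reconfigure auditing before allowing it" % (domain, " ".join(sorted(risky))))
```

The aggregation only counts denials where source and target type are the same, which is what a `self:` rule expresses; denials against other types (the etc_t file line in the sample) are left out rather than silently widened into the rule. Running the script prints the sshd_t rule exactly as it appears in the post and a warning for the newrole_t sample, since that constructed denial included nlmsg_write.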