diff --git a/policy-20070703.patch b/policy-20070703.patch index ef3316b..4a8480a 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -280,8 +280,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors class key diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.5/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.5/policy/global_tunables 2007-08-07 09:39:49.000000000 -0400 -@@ -133,3 +133,10 @@ ++++ serefpolicy-3.0.5/policy/global_tunables 2007-08-21 14:01:26.000000000 -0400 +@@ -133,3 +133,18 @@ ## gen_tunable(write_untrusted_content,false) @@ -292,6 +292,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(allow_console_login,false) + ++ ++## ++##

++## Allow xen to manage nfs files ++##

++##
++gen_tunable(xen_use_nfs,false) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.5/policy/mls --- nsaserefpolicy/policy/mls 2007-07-03 07:06:36.000000000 -0400 +++ serefpolicy-3.0.5/policy/mls 2007-08-07 09:39:49.000000000 -0400 @@ -2903,7 +2911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.5/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/kernel/filesystem.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/kernel/filesystem.if 2007-08-21 13:48:48.000000000 -0400 @@ -1192,6 +1192,24 @@ ######################################## @@ -3560,7 +3568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-20 15:04:52.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/apache.te 2007-08-21 14:00:56.000000000 -0400 @@ -30,6 +30,13 @@ ## @@ -4164,7 +4172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi fs_getattr_all_fs(entropyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.5/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/automount.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/automount.te 2007-08-21 13:37:55.000000000 -0400 
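Review bot: The description of the new `xen_use_nfs` tunable mentions only xen, but the same patch also gates `fs_manage_nfs_files(fsadm_t)` on it in fstools.te, so enabling the boolean widens the general-purpose filesystem-tools domain as well, and the tunable text should say so: `## Allow xend and the filesystem tools domain (fsadm_t) to manage files on NFS-mounted filesystems`. "manage" here also covers create, unlink and rename, not just read and write, which an administrator toggling the boolean would want to know.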
@@ -69,6 +69,7 @@ files_mounton_all_mountpoints(automount_t) files_mount_all_file_type_fs(automount_t) @@ -4192,6 +4200,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto bind_search_cache(automount_t) ') +@@ -173,6 +171,11 @@ + ') + + optional_policy(` ++ samba_read_config(automount_t) ++ samba_read_var_files(automount_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(automount_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.5/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/avahi.te 2007-08-07 09:39:49.000000000 -0400 @@ -5807,6 +5827,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet unconfined_domain(inetd_child_t) + inetd_service_domain(inetd_child_t,bin_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.5/policy/modules/services/kerberos.if +--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-07-03 07:06:27.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/kerberos.if 2007-08-21 10:33:38.000000000 -0400 +@@ -42,6 +42,10 @@ + dontaudit $1 krb5_conf_t:file write; + dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; + dontaudit $1 krb5kdc_conf_t:file rw_file_perms; ++ ++ #kerberos libraries are attempting to set the correct file context ++ dontaudit $1 self:process setfscreate; ++ seutil_dontaudit_read_file_contexts($1) + + tunable_policy(`allow_kerberos',` + allow $1 self:tcp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.5/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/kerberos.te 2007-08-07 09:39:49.000000000 -0400 
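Review bot: `samba_read_var_files(automount_t)` grants automount unconditional read access to Samba's /var/lib state, while automount only appears to need Samba data when it mounts CIFS shares; it is worth checking whether `samba_read_config(automount_t)` alone resolves the denial this was added for, and in any case the new optional_policy block should carry a why-comment, e.g. `# automount reads smb.conf (and samba state) when mounting cifs shares`. Both optional_policy blocks are complete within the hunk.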
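Review bot: The new `dontaudit $1 self:process setfscreate` silences, for every caller of kerberos_use(), the library's attempt to set a file-creation context, which is only safe if the library tolerates a failed setfscreatecon() and still creates its credential cache; the comment should state that explicitly rather than just that the libraries "are attempting" it, e.g. `# libkrb5 tries setfscreatecon() when writing ccache files and falls back when refused, so dontaudit rather than allow`. If any caller relies on the cache getting the intended label, this would have to be an allow instead, so a pointer to the denial or bug that prompted it would help. The `seutil_dontaudit_read_file_contexts` interface called here is introduced later in this same patch, so the two hunks must land together.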
@@ -5969,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.5/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/mta.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/mta.if 2007-08-21 15:32:16.000000000 -0400 @@ -392,6 +392,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) @@ -7457,7 +7491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.5/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/samba.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/samba.if 2007-08-21 13:36:36.000000000 -0400 @@ -349,6 +349,7 @@ files_search_var($1) files_search_var_lib($1) 
@@ -7754,8 +7788,56 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.5/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-10 13:14:09.000000000 -0400 -@@ -130,6 +130,10 @@ ++++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-21 15:36:07.000000000 -0400 +@@ -32,7 +32,6 @@ + allow sendmail_t self:unix_dgram_socket create_socket_perms; + allow sendmail_t self:tcp_socket create_stream_socket_perms; + allow sendmail_t self:udp_socket create_socket_perms; +-allow sendmail_t self:netlink_route_socket r_netlink_socket_perms; + + allow sendmail_t sendmail_log_t:dir setattr; + manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t) +@@ -49,6 +48,8 @@ + # for piping mail to a command + kernel_read_system_state(sendmail_t) + ++auth_use_nsswitch(sendmail_t) ++ + corenet_all_recvfrom_unlabeled(sendmail_t) + corenet_all_recvfrom_netlabel(sendmail_t) + corenet_tcp_sendrecv_all_if(sendmail_t) +@@ -93,9 +94,6 @@ + + miscfiles_read_localization(sendmail_t) + +-sysnet_dns_name_resolve(sendmail_t) +-sysnet_read_config(sendmail_t) +- + userdom_dontaudit_use_unpriv_user_fds(sendmail_t) + userdom_dontaudit_search_sysadm_home_dirs(sendmail_t) + +@@ -106,17 +104,14 @@ + # Write to /var/spool/mail and /var/spool/mqueue. + mta_manage_queue(sendmail_t) + mta_manage_spool(sendmail_t) ++mta_sendmail_exec(sendmail_t) + + optional_policy(` +- clamav_search_lib(sendmail_t) +-') +- +-optional_policy(` +- nis_use_ypbind(sendmail_t) ++ cron_read_pipes(sendmail_t) + ') + + optional_policy(` +- nscd_socket_use(sendmail_t) ++ clamav_search_lib(sendmail_t) + ') + + optional_policy(` +@@ -130,6 +125,10 @@ ') optional_policy(` 
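Review bot: The hunk drops the explicit `netlink_route_socket` allow, `sysnet_dns_name_resolve`, `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` for sendmail_t and relies on `auth_use_nsswitch(sendmail_t)` to cover all of them, but this same patch also edits the body of `auth_use_nsswitch` in authlogin.if, so the replacement should be verified against the final interface rather than assumed; the netlink route socket used by the resolver is the easiest one to lose. A short comment on the call would spare the next reader the same check: `# auth_use_nsswitch supplies dns/nis/nscd access and the resolver's netlink_route_socket`. The trailing `optional_policy(\`` block continues outside the hunk.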
@@ -7884,7 +7966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.if serefpolicy-3.0.5/policy/modules/services/soundserver.if --- nsaserefpolicy/policy/modules/services/soundserver.if 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-20 18:36:50.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/soundserver.if 2007-08-21 13:15:20.000000000 -0400 @@ -13,3 +13,64 @@ interface(`soundserver_tcp_connect',` refpolicywarn(`$0($*) has been deprecated.') @@ -7926,10 +8008,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +# +interface(`soundserver_dontaudit_read_socket_files',` + gen_require(` -+ type soundd_socket_t; ++ type soundd_var_run_t; + ') + -+ dontaudit $1 soundd_socket_t:sock_file r_file_perms; ++ dontaudit $1 soundd_var_run_t:sock_file r_file_perms; +') + +######################################## @@ -7944,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun +# +interface(`soundserver_read_socket_files',` + gen_require(` -+ type soundd_socket_t; ++ type soundd_var_run_t; + ') + + allow $1 soundd_var_run_t:sock_file r_file_perms; @@ -7952,7 +8034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.5/policy/modules/services/soundserver.te --- nsaserefpolicy/policy/modules/services/soundserver.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-20 16:59:45.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/soundserver.te 2007-08-21 13:15:59.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(soundserver,1.3.0) 
@@ -8012,7 +8094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun manage_files_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) -files_pid_filetrans(soundd_t,soundd_var_run_t,file) +manage_dirs_pattern(soundd_t,soundd_var_run_t,soundd_var_run_t) -+files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir sock_file }) ++files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir }) kernel_read_kernel_sysctls(soundd_t) kernel_list_proc(soundd_t) @@ -8212,7 +8294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-20 15:13:39.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-21 10:15:49.000000000 -0400 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -8222,7 +8304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # ssh client executable. type ssh_exec_t; -@@ -73,8 +73,12 @@ +@@ -73,6 +73,8 @@ manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t) files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file }) @@ -8230,12 +8312,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + kernel_search_key(sshd_t) kernel_link_key(sshd_t) -+# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 -+kernel_write_proc_files(sshd_t) - # for X forwarding - corenet_tcp_bind_xserver_port(sshd_t) -@@ -100,6 +104,11 @@ +@@ -100,6 +102,11 @@ userdom_use_unpriv_users_ptys(sshd_t) ') @@ -8247,7 +8325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +128,12 @@ +@@ -119,7 +126,12 @@ ') optional_policy(` 
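Review bot: `sock_file` is dropped from `files_pid_filetrans(soundd_t,soundd_var_run_t,{ file dir })` while the soundserver.if interfaces rewritten in this same patch still grant `soundd_var_run_t:sock_file r_file_perms`; if the daemon creates its socket directly under /var/run it will now be labelled var_run_t and those interfaces will not match it. If the socket is in fact created inside a soundd_var_run_t directory, where it inherits the label without a transition, a comment would settle the question: `# sockets live under the soundd_var_run_t directory, so no sock_file transition is needed`; otherwise keep `{ file dir sock_file }`.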
@@ -8819,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.5/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/authlogin.if 2007-08-20 15:21:45.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/authlogin.if 2007-08-21 10:18:43.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -8849,10 +8927,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -176,6 +180,12 @@ +@@ -176,6 +180,16 @@ domain_obj_id_change_exemption($1) role system_r types $1; ++ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 ++ kernel_write_proc_files(sshd_t) ++ ++ + auth_keyring_domain($1) + allow $1 keyring_type:key { search link }; + @@ -8862,7 +8944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) -@@ -196,22 +206,27 @@ +@@ -196,22 +210,27 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) @@ -8891,7 +8973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -309,9 +324,6 @@ +@@ -309,9 +328,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -8901,7 +8983,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -347,6 +359,37 @@ +@@ -329,6 +345,7 @@ + + optional_policy(` + kerberos_use($1) ++ kerberos_read_keytab($1) + ') + + optional_policy(` +@@ -347,6 +364,37 @@ ######################################## ## 
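Review bot: `kernel_write_proc_files(sshd_t)` was moved from ssh.te into an interface whose subject is `$1` (from the context, the login-program interface), so it hard-codes sshd_t instead of the caller: other login programs using the interface gain nothing from the line, sshd_t receives the permission from whichever module happens to call it, and since `sshd_t` is not in the interface's gen_require a module built without the ssh module in scope can fail to build. The line should read `kernel_write_proc_files($1)`, keeping the afs bugzilla comment above it, and the two stray blank `+` lines after it can go. The interface definition starts before this hunk.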
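Review bot: `kerberos_read_keytab($1)` is added unconditionally inside the kerberos optional_policy block of what the context shows to be the password-check interface (domtrans to system_chkpwd_t), next to `kerberos_use($1)` whose network access is gated on the `allow_kerberos` tunable; the keytab holds long-term host keys, so every domain that checks passwords through this interface can now read it even with the tunable off. If the reason is pam_krb5 validating the obtained TGT against the host key in the calling domain, the grant is defensible but should be documented and probably placed under the same tunable: `# pam_krb5 verifies the TGT against the host key in the keytab (KDC spoofing check)`. The interface starts before this hunk.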
@@ -8939,7 +9029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +738,24 @@ +@@ -695,6 +743,24 @@ ######################################## ## @@ -8964,7 +9054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,14 +1379,9 @@ +@@ -1318,14 +1384,9 @@ ## # interface(`auth_use_nsswitch',` @@ -8979,7 +9069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) miscfiles_read_certs($1) -@@ -1381,3 +1437,163 @@ +@@ -1381,3 +1442,163 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -9348,7 +9438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.5/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/fstools.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/fstools.te 2007-08-21 14:01:43.000000000 -0400 @@ -69,6 +69,7 @@ dev_getattr_all_chr_files(fsadm_t) @@ -9357,7 +9447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # mkreiserfs and other programs need this for UUID dev_read_rand(fsadm_t) dev_read_urand(fsadm_t) -@@ -179,3 +180,8 @@ +@@ -179,3 +180,12 @@ fs_dontaudit_write_ramfs_pipes(fsadm_t) rhgb_stub(fsadm_t) ') 
@@ -9366,6 +9456,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool + xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) +') ++ ++tunable_policy(`xen_use_nfs',` ++ fs_manage_nfs_files(fsadm_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.5/policy/modules/system/fusermount.fc --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.5/policy/modules/system/fusermount.fc 2007-08-07 09:39:49.000000000 -0400 @@ -10540,7 +10634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.5/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-10 14:08:13.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-21 09:07:48.000000000 -0400 @@ -42,7 +42,7 @@ # insmod local policy # @@ -10839,7 +10933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.5/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.if 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/selinuxutil.if 2007-08-21 10:32:03.000000000 -0400 @@ -432,6 +432,7 @@ role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; 
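Review bot: `fs_manage_nfs_files(fsadm_t)` under `tunable_policy(\`xen_use_nfs',...)` lets a xen-specific boolean widen fsadm_t, the domain every filesystem tool (fsck, mkfs, resize tools) runs in, to create/delete/rename on every NFS-mounted file rather than only xen images. If the need is that guest image files on NFS are created or resized by those tools, the rule should say so and ideally be narrowed to the image type: `# xen guest images on NFS are created/resized by fsadm tools; NFS offers no finer label than nfs_t`. The preceding xen optional_policy block closes inside the hunk.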
@@ -10848,7 +10942,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ######################################## -@@ -968,6 +969,26 @@ +@@ -778,6 +779,28 @@ + + ######################################## + ## ++## dontaudit Read the file_contexts files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_dontaudit_read_file_contexts',` ++ gen_require(` ++ type selinux_config_t, default_context_t, file_context_t; ++ ') ++ ++ files_search_etc($1) ++ dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms; ++ dontaudit $1 file_context_t:dir search_dir_perms; ++ dontaudit $1 file_context_t:file r_file_perms; ++') ++ ++######################################## ++## + ## Read and write the file_contexts files. + ## + ## +@@ -968,6 +991,26 @@ ######################################## ## @@ -10875,7 +10998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -979,7 +1000,7 @@ +@@ -979,7 +1022,7 @@ ## ## ## @@ -10884,7 +11007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1001,6 +1022,39 @@ +@@ -1001,6 +1044,39 @@ ######################################## ## @@ -10924,7 +11047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1058,3 +1112,120 @@ +@@ -1058,3 +1134,120 @@ files_search_etc($1) rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t) ') 
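Review bot: The new `seutil_dontaudit_read_file_contexts` interface contains `files_search_etc($1)`, which is an allow rule, so an interface named and documented as dontaudit-only silently grants `etc_t:dir search` to every caller (currently the kerberos_use callers added by this same patch). Drop that line so the interface only suppresses audit messages; if the search denial on /etc must itself be silenced, use a dontaudit counterpart from the files module if this policy version provides one. The summary line should also match its neighbours in form and capitalisation: `## Do not audit attempts to read the file_contexts files.`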
@@ -12919,7 +13042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.5/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/xen.te 2007-08-09 14:54:50.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/xen.te 2007-08-21 14:01:46.000000000 -0400 @@ -176,6 +176,7 @@ files_manage_etc_runtime_files(xend_t) files_etc_filetrans_etc_runtime(xend_t,file) @@ -12962,7 +13085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_all_nodes(xm_t) -@@ -366,3 +369,13 @@ +@@ -366,3 +369,14 @@ xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t) @@ -12973,9 +13096,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te +fs_getattr_all_fs(xend_t) +fs_read_dos_files(xend_t) + -+fs_write_nfs_files(xend_t) -+fs_read_nfs_files(xend_t) -+fs_read_nfs_symlinks(xend_t) ++tunable_policy(`xen_use_nfs',` ++ fs_manage_nfs_files(xend_t) ++ fs_read_nfs_symlinks(xend_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.0.5/policy/modules/users/guest.fc --- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.5/policy/modules/users/guest.fc 2007-08-07 09:39:49.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 7f47bf0..9dd82ff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
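Review bot: Replacing the unconditional `fs_read_nfs_files`/`fs_write_nfs_files` for xend_t with a tunable-gated `fs_manage_nfs_files(xend_t)` both tightens (the boolean defaults to false) and widens (manage adds create, unlink and rename) the access, and nothing in the hunk says whether xend actually creates or removes files on NFS, so a why-comment is needed, e.g. `# xend is expected to create and remove guest images on NFS; confirm create/unlink are really needed, else read/write suffices`. Any deployment that relied on the previous unconditional read/write now fails until the boolean is set, which deserves a changelog line alongside the setransd entry.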
@@ -12,12 +12,12 @@ %endif %define POLICYVER 21 %define libsepolver 2.0.3-2 -%define POLICYCOREUTILSVER 2.0.22-10 +%define POLICYCOREUTILSVER 2.0.23-1 %define CHECKPOLICYVER 2.0.3-1 Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.5 -Release: 10%{?dist} +Release: 11%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -74,7 +74,7 @@ SELinux Policy development package %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp %post devel -[ -x /usr/sbin/sepolgen-ifgen ] && /usr/sbin/sepolgen-ifgen > /dev/null +[ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen > /dev/null exit 0 %define setupCmds() \ @@ -338,7 +338,7 @@ Summary: SELinux mls base policy Group: System Environment/Base Provides: selinux-policy-base Obsoletes: selinux-policy-mls-sources -Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} +Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd Prereq: policycoreutils >= %{POLICYCOREUTILSVER} Prereq: coreutils Prereq: selinux-policy = %{version}-%{release} @@ -360,6 +360,9 @@ exit 0 %endif %changelog +* Tue Aug 21 2007 Dan Walsh 3.0.5-11 +- Add setransd for mls policy + * Mon Aug 20 2007 Dan Walsh 3.0.5-10 - Add ldconfig_cache_t