-+##
-+## Allow xen to manage nfs files
-+##
-+##
-+gen_tunable(xen_use_nfs, false)
-+
- # console ptys
- type xen_devpts_t;
- term_pty(xen_devpts_t)
-@@ -42,25 +49,31 @@
- # pid files
- type xend_var_run_t;
- files_pid_file(xend_var_run_t)
-+files_mountpoint(xend_var_run_t)
-
- type xenstored_t;
- type xenstored_exec_t;
--domain_type(xenstored_t)
--domain_entry_file(xenstored_t, xenstored_exec_t)
--role system_r types xenstored_t;
-+init_daemon_domain(xenstored_t, xenstored_exec_t)
-+
-+# tmp files
-+type xenstored_tmp_t;
-+files_tmp_file(xenstored_tmp_t)
-
- # var/lib files
- type xenstored_var_lib_t;
- files_type(xenstored_var_lib_t)
-
-+# log files
-+type xenstored_var_log_t;
-+logging_log_file(xenstored_var_log_t)
-+
- # pid files
- type xenstored_var_run_t;
- files_pid_file(xenstored_var_run_t)
-
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.3/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/modules/system/xen.te 2009-11-25 12:39:13.000000000 -0500
+@@ -85,6 +85,7 @@
type xenconsoled_t;
type xenconsoled_exec_t;
--domain_type(xenconsoled_t)
--domain_entry_file(xenconsoled_t, xenconsoled_exec_t)
-+init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
- role system_r types xenconsoled_t;
+ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
++role system_r types xenconsoled_t;
# pid files
-@@ -72,6 +85,18 @@
- domain_type(xm_t)
- init_system_domain(xm_t, xm_exec_t)
-
-+type evtchnd_t;
-+type evtchnd_exec_t;
-+init_daemon_domain(evtchnd_t, evtchnd_exec_t)
-+
-+# log files
-+type evtchnd_var_log_t;
-+logging_log_file(evtchnd_var_log_t)
-+
-+# pid files
-+type evtchnd_var_run_t;
-+files_pid_file(evtchnd_var_run_t)
-+
- ########################################
- #
- # xend local policy
-@@ -95,7 +120,7 @@
- read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
- rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
-
--allow xend_t xenctl_t:fifo_file manage_file_perms;
-+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
- dev_filetrans(xend_t, xenctl_t, fifo_file)
-
- manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
-@@ -103,14 +128,14 @@
- files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
-
- # pid file
--allow xend_t xend_var_run_t:dir setattr;
-+manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
- manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
- manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
- manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
--files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file })
-+files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
-
- # log files
--allow xend_t xend_var_log_t:dir setattr;
-+manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
- manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
- manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
- logging_log_filetrans(xend_t, xend_var_log_t,{ sock_file file dir })
-@@ -122,12 +147,13 @@
- manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
- files_var_lib_filetrans(xend_t, xend_var_lib_t,{ file dir })
-
-+init_stream_connect_script(xend_t)
-+
- # transition to store
- domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
-
- # transition to console
--domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
--allow xenconsoled_t xend_t:fd use;
-+domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
-
- kernel_read_kernel_sysctls(xend_t)
- kernel_read_system_state(xend_t)
-@@ -173,6 +199,7 @@
+ type xenconsoled_var_run_t;
+@@ -209,6 +210,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t, file)
files_read_usr_files(xend_t)
@@ -34151,208 +32631,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
-@@ -208,6 +235,10 @@
- netutils_domtrans(xend_t)
-
- optional_policy(`
-+ brctl_domtrans(xend_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(xend_t)
- ')
-
-@@ -239,6 +270,10 @@
-
- files_read_usr_files(xenconsoled_t)
-
-+fs_list_tmpfs(xenconsoled_t)
-+fs_manage_xenfs_dirs(xenconsoled_t)
-+fs_manage_xenfs_files(xenconsoled_t)
-+
- term_create_pty(xenconsoled_t, xen_devpts_t)
- term_use_generic_ptys(xenconsoled_t)
- term_use_console(xenconsoled_t)
-@@ -248,7 +283,7 @@
-
- miscfiles_read_localization(xenconsoled_t)
+@@ -438,6 +440,8 @@
+ fs_manage_xenfs_dirs(xm_ssh_t)
+ fs_manage_xenfs_files(xm_ssh_t)
--xen_append_log(xenconsoled_t)
-+xen_manage_log(xenconsoled_t)
- xen_stream_connect_xenstore(xenconsoled_t)
-
- ########################################
-@@ -256,21 +291,33 @@
- # Xen store local policy
- #
-
--allow xenstored_t self:capability { dac_override mknod ipc_lock };
-+allow xenstored_t self:capability { dac_override mknod ipc_lock sys_resource };
- allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
- allow xenstored_t self:unix_dgram_socket create_socket_perms;
-
-+manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
-+manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
-+files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
-+
- # pid file
- manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
- manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
- files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file })
-
-+# log files
-+manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-+manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-+logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
-+
- # var/lib files for xenstored
- manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
- manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
- manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
- files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t,{ file dir sock_file })
-
-+stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
++userdom_search_admin_dir(xm_ssh_t)
+
- kernel_write_xen_state(xenstored_t)
- kernel_read_xen_state(xenstored_t)
-
-@@ -304,6 +351,7 @@
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
+ files_search_mnt(xend_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.3/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.3/policy/support/obj_perm_sets.spt 2009-11-25 12:39:13.000000000 -0500
+@@ -317,3 +317,15 @@
+ # Keys
#
-
- allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
-+allow xm_t self:process { getsched signal };
-
- # internal communication is often done using fifo and unix sockets.
- allow xm_t self:fifo_file rw_fifo_file_perms;
-@@ -312,24 +360,28 @@
-
- manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
- manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
-+manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
- files_search_var_lib(xm_t)
-
- allow xm_t xen_image_t:dir rw_dir_perms;
- allow xm_t xen_image_t:file read_file_perms;
- allow xm_t xen_image_t:blk_file read_blk_file_perms;
-
--kernel_read_system_state(xm_t)
- kernel_read_kernel_sysctls(xm_t)
-+kernel_read_sysctl(xm_t)
-+kernel_read_system_state(xm_t)
- kernel_read_xen_state(xm_t)
- kernel_write_xen_state(xm_t)
-
- corecmd_exec_bin(xm_t)
-+corecmd_exec_shell(xm_t)
-
- corenet_tcp_sendrecv_generic_if(xm_t)
- corenet_tcp_sendrecv_generic_node(xm_t)
- corenet_tcp_connect_soundd_port(xm_t)
-
- dev_read_urand(xm_t)
-+dev_read_sysfs(xm_t)
-
- files_read_etc_runtime_files(xm_t)
- files_read_usr_files(xm_t)
-@@ -339,15 +391,70 @@
-
- storage_raw_read_fixed_disk(xm_t)
-
-+fs_getattr_all_fs(xm_t)
-+fs_manage_xenfs_dirs(xm_t)
-+fs_manage_xenfs_files(xm_t)
-+
- term_use_all_terms(xm_t)
-
-+init_stream_connect_script(xm_t)
- init_rw_script_stream_sockets(xm_t)
- init_use_fds(xm_t)
-
- miscfiles_read_localization(xm_t)
-
--sysnet_read_config(xm_t)
-+sysnet_dns_name_resolve(xm_t)
-
- xen_append_log(xm_t)
- xen_stream_connect(xm_t)
- xen_stream_connect_xenstore(xm_t)
-+
-+optional_policy(`
-+ virt_manage_images(xm_t)
-+ virt_stream_connect(xm_t)
-+')
+ define(`manage_key_perms', `{ create link read search setattr view write } ')
+
-+########################################
-+#
-+# SSH component local policy
+#
-+ssh_basic_client_template(xm,xm_t,system_r)
-+kernel_read_xen_state(xm_ssh_t)
-+kernel_write_xen_state(xm_ssh_t)
-+
-+fs_manage_xenfs_dirs(xm_ssh_t)
-+fs_manage_xenfs_files(xm_ssh_t)
-+
-+userdom_search_admin_dir(xm_ssh_t)
-+
-+#Should have a boolean wrapping these
-+fs_list_auto_mountpoints(xend_t)
-+files_search_mnt(xend_t)
-+fs_getattr_all_fs(xend_t)
-+fs_read_dos_files(xend_t)
-+fs_manage_xenfs_dirs(xend_t)
-+fs_manage_xenfs_files(xend_t)
-+
-+tunable_policy(`xen_use_nfs',`
-+ fs_manage_nfs_files(xend_t)
-+ fs_read_nfs_symlinks(xend_t)
-+')
-+
-+optional_policy(`
-+ unconfined_domain(xend_t)
-+')
-+
-+#######################################
++# All
+#
-+# evtchnd local policy
-+#
-+
-+manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
-+manage_files_pattern(evtchnd_t,evtchnd_var_log_t,evtchnd_var_log_t)
-+logging_log_filetrans(evtchnd_t,evtchnd_var_log_t,{ file dir })
-+
-+manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
-+manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
-+manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
-+files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.1/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.1/policy/support/obj_perm_sets.spt 2009-11-17 11:06:58.000000000 -0500
-@@ -201,7 +201,7 @@
- define(`setattr_file_perms',`{ setattr }')
- define(`read_file_perms',`{ getattr open read lock ioctl }')
- define(`mmap_file_perms',`{ getattr open read execute ioctl }')
--define(`exec_file_perms',`{ getattr open read execute execute_no_trans }')
-+define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
- define(`append_file_perms',`{ getattr open append lock ioctl }')
- define(`write_file_perms',`{ getattr open write append lock ioctl }')
- define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
-@@ -225,7 +225,7 @@
- define(`create_lnk_file_perms',`{ create getattr }')
- define(`rename_lnk_file_perms',`{ getattr rename }')
- define(`delete_lnk_file_perms',`{ getattr unlink }')
--define(`manage_lnk_file_perms',`{ create read getattr setattr unlink rename }')
-+define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
- define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
- define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
- define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -312,3 +312,13 @@
- #
- define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
- define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
-+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }
+')
+
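Review bot: `userdom_search_admin_dir(xm_ssh_t)`, the only new policy rule in this hunk (xen.te, +440), carries no comment saying why the xm ssh client needs to search the administrator's home directory, and grants of that kind tend to outlive their reason; it should record the access it exists for, e.g. `# xm ssh client needs the admin home searchable (ssh config/keys?) — confirm against the denial`, hedged until the triggering AVC is known. The same hunk shrinks the Fedora xen.te patch from 208 to 26 lines, dropping among others the evtchnd_t domain and `optional_policy(\` unconfined_domain(xend_t) ')` from the patch side; the `#Should have a boolean wrapping these` block now appearing as context at +440 suggests upstream 3.7.3 absorbed most of it, but whether xend_t is still unconfined in the resulting policy cannot be verified from this diff, so the changelog entry should state which pieces were upstreamed and which were deliberately dropped. In the obj_perm_sets.spt hunk the new `# All` section header introduces `all_capabilities` without noting that the set has to mirror the `capability` class declaration and that any domain granted it is effectively unconfined as far as capability checks go; a one-line comment above the define, `# Every permission of the capability class — equivalent to unconfined capability use; keep in sync with the class declaration`, would make that visible to whoever next adds a capability.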
@@ -34361,10 +32659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+
-+define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.1/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.3/policy/users
--- nsaserefpolicy/policy/users 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.1/policy/users 2009-11-17 11:06:58.000000000 -0500
++++ serefpolicy-3.7.3/policy/users 2009-11-25 12:39:13.000000000 -0500
@@ -25,11 +25,8 @@
# permit any access to such users, then remove this entry.
#
@@ -34389,9 +32686,3 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/VERSION serefpolicy-3.7.1/VERSION
---- nsaserefpolicy/VERSION 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.1/VERSION 2009-11-17 11:06:58.000000000 -0500
-@@ -1 +1 @@
--2.20091117
-+2.20090730
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e844528..27c7f2a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
%define CHECKPOLICYVER 2.0.16-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.7.2
+Version: 3.7.3
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
@@ -449,8 +449,9 @@ exit 0
%endif
%changelog
-* Mon Nov 16 2009 Dan Walsh