-@@ -126,6 +127,7 @@
+@@ -91,6 +92,7 @@
+ kernel_read_kernel_sysctls(kadmind_t)
+ kernel_list_proc(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
++kernel_read_system_state(kadmind_t)
+
+ corenet_non_ipsec_sendrecv(kadmind_t)
+ corenet_tcp_sendrecv_all_if(kadmind_t)
+@@ -117,6 +119,9 @@
+ domain_use_interactive_fds(kadmind_t)
+
+ files_read_etc_files(kadmind_t)
++files_read_usr_symlinks(kadmind_t)
++files_read_usr_files(kadmind_t)
++files_read_var_files(kadmind_t)
+
+ libs_use_ld_so(kadmind_t)
+ libs_use_shared_libs(kadmind_t)
+@@ -126,6 +131,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -4517,7 +4617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -227,6 +229,7 @@
+@@ -227,6 +233,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -4525,7 +4625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -248,3 +251,36 @@
+@@ -248,3 +255,36 @@
optional_policy(`
udev_read_db(krb5kdc_t)
')
@@ -5473,7 +5573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-06-18 10:19:49.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te 2007-06-22 09:40:25.000000000 -0400
@@ -84,6 +84,12 @@
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -5557,7 +5657,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -552,9 +574,45 @@
+@@ -528,6 +550,8 @@
+
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
++files_dontaudit_getattr_home_dir(postfix_smtp_t)
++
+ optional_policy(`
+ cyrus_stream_connect(postfix_smtp_t)
+ ')
+@@ -552,9 +576,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
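Review bot: The new `files_dontaudit_getattr_home_dir(postfix_smtp_t)` in the `@@ -528,6 +550,8 @@` hunk carries no comment saying which access it silences, unlike the nearby `# connect to master process` rule. A dontaudit removes the AVC record for that access, so a one-line note above it naming the trigger — for example `# smtp client stats home dirs on startup; harmless, suppress the noise` (reworded to the actual denial seen) — lets a later maintainer confirm the rule is still warranted rather than masking a real misconfiguration. The inner hunk shows only a few lines of the postfix_smtp_t section; the rest of that section is outside the hunk.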
@@ -7013,8 +7122,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
+miscfiles_read_certs(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-06-18 10:18:55.000000000 -0400
-@@ -1136,7 +1136,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-06-22 14:12:37.000000000 -0400
+@@ -83,6 +83,8 @@
+ manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
+ logging_log_filetrans($1_xserver_t,xserver_log_t,file)
+
++ domain_mmap_low($1_xserver_t)
++
+ kernel_read_system_state($1_xserver_t)
+ kernel_read_device_sysctls($1_xserver_t)
+ kernel_read_modprobe_sysctls($1_xserver_t)
+@@ -540,6 +542,9 @@
+ allow $2 self:unix_dgram_socket create_socket_perms;
+ allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+
++ # this should cause the .xsession-errors file to be written to /tmp
++ dontaudit xdm_t $1_home_t:file rw_file_perms;
++
+ # Read .Xauthority file
+ allow $2 $1_xauth_home_t:file { getattr read };
+ allow $2 $1_iceauth_home_t:file { getattr read };
+@@ -1136,7 +1141,7 @@
type xdm_xserver_tmp_t;
')
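Review bot: `domain_mmap_low($1_xserver_t)` in the `@@ -83,6 +83,8 @@` hunk grants every per-role X server domain the memprotect mmap_zero permission (as that refpolicy interface is defined), which lets the process map pages below mmap_min_addr and removes a kernel hardening barrier against NULL-pointer-dereference exploitation; the change gives no reason for it. Add a comment recording which component needs it, e.g. `# needed by <driver/component>; see <bug id>`, and consider gating it behind a tunable so sites without that need keep the restriction. In the `@@ -540,6 +542,9 @@` hunk, `dontaudit xdm_t $1_home_t:file rw_file_perms;` hard-codes xdm_t inside a template parameterized on $1/$2 and silences read/write denials on all of the user's home files; the comment explains the intended effect but not why xdm attempts the access, which is what a reviewer needs to judge the rule. Both enclosing template bodies start outside the hunk.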
@@ -8004,7 +8132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-06-19 08:52:19.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-06-22 09:06:18.000000000 -0400
@@ -81,8 +81,8 @@
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8033,7 +8161,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -254,6 +257,8 @@
+@@ -157,6 +160,8 @@
+ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/NX/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/NX/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -254,6 +259,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
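Review bot: The two new `/usr/lib/NX/...\.so.*` entries use the loose `\.so.*` tail (copied from the `/usr/NX/lib/` lines above them) rather than the `\.so(\.[^/]*)*` form used by the `/usr/lib(64)?/libGL` entries earlier in this hunk; `.*` also matches `/`, so the pattern would label anything under a directory named `libjpeg.so/` as well. Prefer `/usr/lib/NX/libXcomp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and the same shape for libjpeg. textrel_shlib_t exists to permit execmod on libraries built with text relocations, so each new entry widens the set of files a domain may make writable-then-executable; a comment noting that these are the NX distribution's non-PIC builds (if that is the reason) tells future maintainers when the entry can be dropped.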
@@ -8044,7 +8181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
# vmware
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te 2007-06-21 09:35:57.000000000 -0400
@@ -62,7 +62,8 @@
manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -8065,6 +8202,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
')
optional_policy(`
+@@ -113,4 +113,6 @@
+ # and executes ldconfig on it. If you dont allow this kernel installs
+ # blow up.
+ rpm_manage_script_tmp_files(ldconfig_t)
++ # smart package manager needs the following for the same reason
++ rpm_rw_tmp_files(ldconfig_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.6.4/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/locallogin.te 2007-06-18 10:18:55.000000000 -0400
@@ -9082,7 +9226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-06-18 11:26:44.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te 2007-06-22 11:40:29.000000000 -0400
@@ -18,11 +18,6 @@
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -9129,20 +9273,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
files_exec_etc_files(udev_t)
-@@ -142,8 +144,12 @@
+@@ -142,8 +144,14 @@
seutil_read_file_contexts(udev_t)
seutil_domtrans_restorecon(udev_t)
+sysnet_read_dhcpc_pid(udev_t)
-+sysnet_read_dhcp_config(udev_t)
++sysnet_rw_dhcp_config(udev_t)
+sysnet_delete_dhcpc_pid(udev_t)
sysnet_domtrans_ifconfig(udev_t)
sysnet_domtrans_dhcpc(udev_t)
+sysnet_signal_dhcpc(udev_t)
++sysnet_etc_filetrans_config(udev_t)
++sysnet_manage_config(udev_t)
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
-@@ -194,5 +200,24 @@
+@@ -194,5 +202,24 @@
')
optional_policy(`
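Review bot: The udev.te hunk replaces `sysnet_read_dhcp_config(udev_t)` with `sysnet_rw_dhcp_config(udev_t)` and adds `sysnet_etc_filetrans_config(udev_t)` and `sysnet_manage_config(udev_t)`, so udev_t moves from reading network configuration to creating, rewriting and deleting it, with no comment saying which udev helper does so. udev_t already transitions into the ifconfig and dhcpc domains (visible in the context lines), so a udev rule or helper that also writes network configuration under /etc is a high-value target, and a comment such as `# <helper> rewrites network config on device events; see <bug id>` records the justification for the wider grant. If the helper only rewrites existing files, a narrower interface that does not include create and unlink would be preferable to manage, if one is available in this policy version.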
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e239c86..eee173b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,8 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Thu Jun 21 2007 Dan Walsh