fedora-cvs-commits@redhat.com

Subject: rpms/selinux-policy/devel .cvsignore, 1.88, 1.89 modules-targeted.conf, 1.36, 1.37 policy-20060915.patch, 1.12, 1.13 selinux-policy.spec, 1.292, 1.293 sources, 1.92, 1.93
From:
Date: Tue, 26 Sep 2006 11:00:00 -0400
Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22995

Modified Files:
        .cvsignore modules-targeted.conf policy-20060915.patch 
        selinux-policy.spec sources 
Log Message:
* Mon Sep 25 2006 Dan Walsh <dwalsh@xxxxxxxxxx> 2.3.16-1
- Update with upstream



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- .cvsignore  22 Sep 2006 20:41:12 -0000      1.88
+++ .cvsignore  26 Sep 2006 14:59:58 -0000      1.89
@@ -90,3 +90,4 @@
 serefpolicy-2.3.13.tgz
 serefpolicy-2.3.14.tgz
 serefpolicy-2.3.15.tgz
+serefpolicy-2.3.16.tgz


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- modules-targeted.conf       21 Sep 2006 23:05:49 -0000      1.36
+++ modules-targeted.conf       26 Sep 2006 14:59:58 -0000      1.37
@@ -924,13 +924,6 @@
 libraries = base
 
 # Layer: system
-# Module: raid
-#
-# RAID array management tools
-# 
-raid = off
-
-# Layer: system
 # Module: userdomain
 #
 # Policy for user domains
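Review bot: the raid stanza is deleted outright here instead of being left as "raid = off", and the log message ("Update with upstream") does not say why. The diffstat for policy-20060915.patch still lists policy/modules/system/raid.te as modified, so the module is still being patched. State in the changelog what is now expected to decide the module's state, and keep an explicit entry if raid must stay disabled in the targeted build.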
@@ -1158,3 +1151,10 @@
 # 
 smartmon = module
 
+# Layer: system
+# Module: iscsi
+#
+# Open-iSCSI daemon
+# 
+iscsi = module
+
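Review bot: the new iscsi stanza is labelled "# Layer: system" but is appended at the end of the file after "smartmon = module", which the diffstat places under policy/modules/services. Put it with the other system-layer entries (the file already has them around userdomain) so the layer grouping stays usable. This also turns on a new 74-line iscsi.te as a loadable module in targeted, which the changelog entry should mention by name.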

policy-20060915.patch:
 Rules.modular                                |   10 
 config/appconfig-strict-mcs/seusers          |    3 
 config/appconfig-strict-mls/initrc_context   |    2 
 config/appconfig-strict-mls/seusers          |    3 
 config/appconfig-strict/seusers              |    1 
 config/appconfig-targeted-mcs/seusers        |    3 
 config/appconfig-targeted-mls/initrc_context |    2 
 config/appconfig-targeted-mls/seusers        |    3 
 config/appconfig-targeted/seusers            |    1 
 policy/mcs                                   |    6 
 policy/mls                                   |   36 +-
 policy/modules/admin/bootloader.fc           |    1 
 policy/modules/admin/bootloader.te           |    7 
 policy/modules/admin/consoletype.te          |    7 
 policy/modules/admin/prelink.if              |    2 
 policy/modules/admin/readahead.te            |    1 
 policy/modules/admin/rpm.fc                  |    2 
 policy/modules/apps/java.fc                  |    2 
 policy/modules/apps/slocate.te               |    1 
 policy/modules/kernel/corenetwork.te.in      |   13 
 policy/modules/kernel/devices.fc             |    8 
 policy/modules/kernel/devices.if             |   20 +
 policy/modules/kernel/domain.if              |    4 
 policy/modules/kernel/files.fc               |   27 -
 policy/modules/kernel/files.if               |   20 +
 policy/modules/kernel/filesystem.if          |   22 +
 policy/modules/kernel/kernel.te              |   25 -
 policy/modules/kernel/mcs.te                 |   18 -
 policy/modules/kernel/selinux.te             |    2 
 policy/modules/kernel/storage.fc             |   48 +--
 policy/modules/kernel/storage.if             |    1 
 policy/modules/kernel/terminal.fc            |    2 
 policy/modules/services/apache.fc            |    9 
 policy/modules/services/automount.te         |    4 
 policy/modules/services/ccs.fc               |    8 
 policy/modules/services/ccs.if               |   65 ++++
 policy/modules/services/ccs.te               |   87 ++++++
 policy/modules/services/cron.te              |   19 +
 policy/modules/services/dbus.if              |    1 
 policy/modules/services/lpd.fc               |    9 
 policy/modules/services/nscd.if              |   20 +
 policy/modules/services/oddjob.fc            |    8 
 policy/modules/services/oddjob.if            |   99 ++++++
 policy/modules/services/oddjob.te            |   85 +++++
 policy/modules/services/pegasus.if           |   31 ++
 policy/modules/services/pegasus.te           |    5 
 policy/modules/services/ricci.fc             |   20 +
 policy/modules/services/ricci.if             |  184 ++++++++++++
 policy/modules/services/ricci.te             |  386 +++++++++++++++++++++++++++
 policy/modules/services/sendmail.te          |    1 
 policy/modules/services/setroubleshoot.te    |    2 
 policy/modules/services/smartmon.te          |    3 
 policy/modules/system/hostname.te            |    5 
 policy/modules/system/init.fc                |    3 
 policy/modules/system/init.te                |    5 
 policy/modules/system/iscsi.fc               |    7 
 policy/modules/system/iscsi.if               |   24 +
 policy/modules/system/iscsi.te               |   74 +++++
 policy/modules/system/logging.fc             |    8 
 policy/modules/system/logging.te             |    1 
 policy/modules/system/raid.te                |    2 
 policy/modules/system/selinuxutil.fc         |    6 
 policy/modules/system/setrans.fc             |    2 
 policy/modules/system/unconfined.if          |    1 
 policy/modules/system/userdomain.fc          |    2 
 policy/modules/system/userdomain.if          |    1 
 policy/modules/system/userdomain.te          |    3 
 policy/users                                 |   14 
 68 files changed, 1385 insertions(+), 122 deletions(-)

Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- policy-20060915.patch       25 Sep 2006 17:40:51 -0000      1.12
+++ policy-20060915.patch       26 Sep 2006 14:59:58 -0000      1.13
@@ -1,100 +1,64 @@
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict/seusers 
serefpolicy-2.3.15/config/appconfig-strict/seusers
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict/seusers 
serefpolicy-2.3.16/config/appconfig-strict/seusers
 --- nsaserefpolicy/config/appconfig-strict/seusers     2006-07-14 
17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict/seusers 2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict/seusers 2006-09-26 
09:53:18.000000000 -0400
 @@ -1,2 +1,3 @@
 +system_u:system_u
  root:root
  __default__:user_u
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict-mcs/seusers 
serefpolicy-2.3.15/config/appconfig-strict-mcs/seusers
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict-mcs/seusers 
serefpolicy-2.3.16/config/appconfig-strict-mcs/seusers
 --- nsaserefpolicy/config/appconfig-strict-mcs/seusers 2006-07-14 
17:04:48.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict-mcs/seusers     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict-mcs/seusers     2006-09-26 
09:53:18.000000000 -0400
 @@ -1,2 +1,3 @@
 -root:root:s0-s0:c0.c255
 +system_u:system_u:s0-s0:c0.c1023
 +root:root:s0-s0:c0.c1023
  __default__:user_u:s0
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict-mls/initrc_context 
serefpolicy-2.3.15/config/appconfig-strict-mls/initrc_context
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict-mls/initrc_context 
serefpolicy-2.3.16/config/appconfig-strict-mls/initrc_context
 --- nsaserefpolicy/config/appconfig-strict-mls/initrc_context  2006-07-14 
17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict-mls/initrc_context      
2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict-mls/initrc_context      
2006-09-26 09:53:18.000000000 -0400
 @@ -1 +1 @@
 -system_u:system_r:initrc_t:s0-s15:c0.c255
 +system_u:system_r:initrc_t:s0-s15:c0.c1023
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict-mls/seusers 
serefpolicy-2.3.15/config/appconfig-strict-mls/seusers
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-strict-mls/seusers 
serefpolicy-2.3.16/config/appconfig-strict-mls/seusers
 --- nsaserefpolicy/config/appconfig-strict-mls/seusers 2006-07-14 
17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-strict-mls/seusers     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-strict-mls/seusers     2006-09-26 
09:53:18.000000000 -0400
 @@ -1,2 +1,3 @@
 -root:root:s0-s15:c0.c255
 +system_u:system_u:s0-s15:c0.c1023
 +root:root:s0-s15:c0.c1023
  __default__:user_u:s0
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted/seusers 
serefpolicy-2.3.15/config/appconfig-targeted/seusers
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted/seusers 
serefpolicy-2.3.16/config/appconfig-targeted/seusers
 --- nsaserefpolicy/config/appconfig-targeted/seusers   2006-07-14 
17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted/seusers       2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted/seusers       2006-09-26 
09:53:18.000000000 -0400
 @@ -1,2 +1,3 @@
 +system_u:system_u
  root:root
  __default__:user_u
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted-mcs/seusers 
serefpolicy-2.3.15/config/appconfig-targeted-mcs/seusers
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted-mcs/seusers 
serefpolicy-2.3.16/config/appconfig-targeted-mcs/seusers
 --- nsaserefpolicy/config/appconfig-targeted-mcs/seusers       2006-07-14 
17:04:47.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted-mcs/seusers   2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted-mcs/seusers   2006-09-26 
09:53:18.000000000 -0400
 @@ -1,2 +1,3 @@
 -root:root:s0-s0:c0.c255
 +system_u:system_u:s0-s0:c0.c1023
 +root:root:s0-s0:c0.c1023
  __default__:user_u:s0
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted-mls/initrc_context 
serefpolicy-2.3.15/config/appconfig-targeted-mls/initrc_context
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted-mls/initrc_context 
serefpolicy-2.3.16/config/appconfig-targeted-mls/initrc_context
 --- nsaserefpolicy/config/appconfig-targeted-mls/initrc_context        
2006-07-14 17:04:48.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted-mls/initrc_context    
2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted-mls/initrc_context    
2006-09-26 09:53:18.000000000 -0400
 @@ -1 +1 @@
 -user_u:system_r:initrc_t:s0-s15:c0.c255
 +user_u:system_r:initrc_t:s0-s15:c0.c1023
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted-mls/seusers 
serefpolicy-2.3.15/config/appconfig-targeted-mls/seusers
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/config/appconfig-targeted-mls/seusers 
serefpolicy-2.3.16/config/appconfig-targeted-mls/seusers
 --- nsaserefpolicy/config/appconfig-targeted-mls/seusers       2006-07-14 
17:04:48.000000000 -0400
-+++ serefpolicy-2.3.15/config/appconfig-targeted-mls/seusers   2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/config/appconfig-targeted-mls/seusers   2006-09-26 
09:53:18.000000000 -0400
 @@ -1,2 +1,3 @@
 -root:root:s0-s15:c0.c255
 +system_u:system_u:s0-s15:c0.c1023
 +root:root:s0-s15:c0.c1023
  __default__:user_u:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/local.te 
serefpolicy-2.3.15/local.te
---- nsaserefpolicy/local.te    1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/local.te        2006-09-25 13:31:59.000000000 -0400
-@@ -0,0 +1,16 @@
-+module local 1.0;
-+
-+require {
-+      class association polmatch;
-+      class unix_stream_socket { read write }; 
-+      type ifconfig_t; 
-+      type initrc_t; 
-+      type unlabeled_t; 
-+      role object_r; 
-+      role system_r; 
-+};
-+
-+allow ifconfig_t initrc_t:unix_stream_socket { read write };
-+allow initrc_t self:association polmatch;
-+allow unlabeled_t initrc_t:association polmatch;
-+allow unlabeled_t self:association polmatch;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables 
serefpolicy-2.3.15/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables      2006-09-15 13:14:28.000000000 
-0400
-+++ serefpolicy-2.3.15/policy/global_tunables  2006-09-25 13:31:59.000000000 
-0400
-@@ -587,3 +587,12 @@
- ## </desc>
- gen_tunable(spamd_enable_home_dirs,true)
- ')
-+
-+## <desc>
-+## <p>
-+## Allow all daemons the ability to use unallocated ttys
-+## </p>
-+## </desc>
-+#
-+gen_tunable(allow_daemons_use_tty,false)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs 
serefpolicy-2.3.15/policy/mcs
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs 
serefpolicy-2.3.16/policy/mcs
 --- nsaserefpolicy/policy/mcs  2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.3.15/policy/mcs      2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/mcs      2006-09-26 09:53:18.000000000 -0400
 @@ -20,14 +20,14 @@
  # Each category has a name and zero or more aliases.
  #
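Review bot: besides the 2.3.15 to 2.3.16 renames, this hunk drops two whole sections from the Fedora patch: the local.te module (the "association polmatch" rules and "allow ifconfig_t initrc_t:unix_stream_socket { read write };") and the allow_daemons_use_tty tunable in policy/global_tunables. "Update with upstream" does not say that serefpolicy-2.3.16 carries equivalents. If it does not, those allow rules disappear and anything conditional on allow_daemons_use_tty has no tunable left to reference. List the dropped sections in the changelog together with what replaces each.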
@@ -113,9 +77,9 @@
  
  #
  # Define the MCS policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls 
serefpolicy-2.3.15/policy/mls
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls 
serefpolicy-2.3.16/policy/mls
 --- nsaserefpolicy/policy/mls  2006-09-22 09:35:45.000000000 -0400
-+++ serefpolicy-2.3.15/policy/mls      2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/mls      2006-09-26 09:53:18.000000000 -0400
 @@ -33,30 +33,30 @@
  # Each category has a name and zero or more aliases.
  #
@@ -165,24 +129,17 @@
  
  
  #
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/bootloader.fc 
serefpolicy-2.3.15/policy/modules/admin/bootloader.fc
---- nsaserefpolicy/policy/modules/admin/bootloader.fc  2006-07-14 
17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/bootloader.fc      2006-09-25 
13:31:59.000000000 -0400
-@@ -6,7 +6,10 @@
- 
- /usr/sbin/mkinitrd    --      
gen_context(system_u:object_r:bootloader_exec_t,s0)
- 
--/sbin/grub.*          --      
gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/grub            --      
gen_context(system_u:object_r:bootloader_exec_t,s0)
-+#/sbin/grub-.*                --      
gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
-+#/sbin/grubby         --      
gen_context(system_u:object_r:bootloader_helper_exec_t,s0)
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/bootloader.fc 
serefpolicy-2.3.16/policy/modules/admin/bootloader.fc
+--- nsaserefpolicy/policy/modules/admin/bootloader.fc  2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/bootloader.fc      2006-09-26 
09:53:18.000000000 -0400
+@@ -12,3 +12,4 @@
  /sbin/lilo.*          --      
gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/mkinitrd                --      
gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*          --      
gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/boot/grub/.*         --      gen_context(system_u:object_r:boot_runtime_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/bootloader.te 
serefpolicy-2.3.15/policy/modules/admin/bootloader.te
---- nsaserefpolicy/policy/modules/admin/bootloader.te  2006-08-29 
09:00:30.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/bootloader.te      2006-09-25 
13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/bootloader.te 
serefpolicy-2.3.16/policy/modules/admin/bootloader.te
+--- nsaserefpolicy/policy/modules/admin/bootloader.te  2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/bootloader.te      2006-09-26 
09:53:18.000000000 -0400
 @@ -21,6 +21,13 @@
  type bootloader_exec_t;
  domain_entry_file(bootloader_t,bootloader_exec_t)
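Review bot: the carried line "/boot/grub/.* -- gen_context(system_u:object_r:boot_runtime_t,s0)" matches every regular file under /boot/grub, while the bootloader.te section that follows describes grub.conf as the bootloader_etc_t configuration file. Check that a grub.conf stored under /boot/grub still resolves to bootloader_etc_t and is not swept into boot_runtime_t; a narrower pattern would make that explicit. Dropping the old "/sbin/grub.*" rewrite along with its commented-out bootloader_helper_exec_t lines is a welcome cleanup.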
@@ -197,9 +154,9 @@
  #
  # bootloader_etc_t is the configuration file,
  # grub.conf, lilo.conf, etc.
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/consoletype.te 
serefpolicy-2.3.15/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/consoletype.te 
serefpolicy-2.3.16/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-08-29 
09:00:30.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/consoletype.te     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/consoletype.te     2006-09-26 
09:53:18.000000000 -0400
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -214,24 +171,9 @@
  mls_file_read_up(consoletype_t)
  mls_file_write_down(consoletype_t)
  role system_r types consoletype_t;
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/firstboot.te 
serefpolicy-2.3.15/policy/modules/admin/firstboot.te
---- nsaserefpolicy/policy/modules/admin/firstboot.te   2006-09-05 
07:41:01.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/firstboot.te       2006-09-25 
13:31:59.000000000 -0400
-@@ -3,7 +3,11 @@
- 
- gen_require(`
-       class passwd rootok;
-+      type etc_runtime_t;
- ')
-+#Temporarily in policy until FC5 dissappears
-+typealias etc_runtime_t alias firstboot_rw_t;
-+
- 
- ########################################
- #
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/prelink.if 
serefpolicy-2.3.15/policy/modules/admin/prelink.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/prelink.if 
serefpolicy-2.3.16/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if     2006-07-14 
17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/prelink.if 2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/prelink.if 2006-09-26 
09:53:18.000000000 -0400
 @@ -76,7 +76,7 @@
        gen_require(`
                type prelink_cache_t;
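Review bot: the removed firstboot.te section carried "typealias etc_runtime_t alias firstboot_rw_t;" with the note that it was temporary until FC5 disappears, and nothing in this hunk shows where that alias now comes from. If 2.3.16 does not declare it, files still labelled firstboot_rw_t after an upgrade would carry a type the new policy does not know. Confirm the alias exists upstream (the files.if section later in this patch shows an interface built around "typealias etc_runtime_t alias $1;") before dropping the local copy.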
@@ -241,30 +183,20 @@
        allow $1 prelink_cache_t:file unlink;
  ')
  
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/readahead.te 
serefpolicy-2.3.15/policy/modules/admin/readahead.te
---- nsaserefpolicy/policy/modules/admin/readahead.te   2006-07-14 
17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/admin/readahead.te       2006-09-25 
13:31:59.000000000 -0400
-@@ -36,6 +36,8 @@
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/readahead.te 
serefpolicy-2.3.16/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te   2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/readahead.te       2006-09-26 
09:54:33.000000000 -0400
+@@ -36,6 +36,7 @@
  dev_getattr_all_blk_files(readahead_t)
  dev_dontaudit_read_all_blk_files(readahead_t)
  dev_dontaudit_getattr_memory_dev(readahead_t)
-+dev_dontaudit_getattr_nvram(readahead_t)
 +storage_dontaudit_getattr_fixed_disk_dev(readahead_t)
  
  domain_use_interactive_fds(readahead_t)
  
-@@ -52,6 +54,8 @@
- fs_dontaudit_read_ramfs_files(readahead_t)
- fs_read_tmpfs_symlinks(readahead_t)
- 
-+mls_file_read_up(readahead_t)
-+
- term_dontaudit_use_console(readahead_t)
- 
- auth_dontaudit_read_shadow(readahead_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/rpm.fc 
serefpolicy-2.3.15/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/admin/rpm.fc 
serefpolicy-2.3.16/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-09-22 14:07:08.000000000 
-0400
-+++ serefpolicy-2.3.15/policy/modules/admin/rpm.fc     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/rpm.fc     2006-09-26 
09:53:18.000000000 -0400
 @@ -21,6 +21,8 @@
  /usr/sbin/pup                 --      
gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check           --      
gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -274,9 +206,9 @@
  ')
  
  /var/lib/alternatives(/.*)?           
gen_context(system_u:object_r:rpm_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/apps/java.fc 
serefpolicy-2.3.15/policy/modules/apps/java.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/apps/java.fc 
serefpolicy-2.3.16/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc 2006-08-29 09:00:26.000000000 
-0400
-+++ serefpolicy-2.3.15/policy/modules/apps/java.fc     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/apps/java.fc     2006-09-26 
09:53:18.000000000 -0400
 @@ -1,7 +1,7 @@
  #
  # /opt
@@ -286,9 +218,9 @@
  
  #
  # /usr
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/apps/slocate.te 
serefpolicy-2.3.15/policy/modules/apps/slocate.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/apps/slocate.te 
serefpolicy-2.3.16/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te      2006-07-14 
17:04:31.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/apps/slocate.te  2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/apps/slocate.te  2006-09-26 
09:53:18.000000000 -0400
 @@ -45,6 +45,7 @@
  files_dontaudit_getattr_all_dirs(locate_t)
  
@@ -297,9 +229,9 @@
  
  libs_use_shared_libs(locate_t)
  libs_use_ld_so(locate_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 
serefpolicy-2.3.15/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in     2006-09-22 
09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/corenetwork.te.in 2006-09-25 
13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 
serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in     2006-09-25 
15:11:10.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/corenetwork.te.in 2006-09-26 
09:53:18.000000000 -0400
 @@ -67,6 +67,7 @@
  network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
@@ -308,15 +240,6 @@
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dbskkd, tcp,1178,s0)
-@@ -82,7 +83,7 @@
- network_port(giftd, tcp,1213,s0)
- network_port(gopher, tcp,70,s0, udp,70,s0)
- network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) 
# 8118 is for privoxy
--network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0)
-+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0, tcp,8443,s0, ) #8443 is mod_nss default port
- network_port(howl, tcp,5335,s0, udp,5353,s0)
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, 
tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, 
tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, 
tcp,9291,s0, tcp,9292,s0)
- network_port(i18n_input, tcp,9010,s0)
 @@ -121,6 +122,8 @@
  network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
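Review bot: the removed inner hunk for the http port line was malformed as written ("tcp,8443,s0, )" has a stray comma before the closing parenthesis), so dropping it is right, but it was also the only place this patch assigned 8443, the mod_nss default port per its own comment, to the http port type. Confirm that the 2006-09-25 upstream corenetwork.te.in already lists tcp 8443 under network_port(http, ...); if it does not, the assignment needs to come back in a corrected form.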
@@ -358,9 +281,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/devices.fc 
serefpolicy-2.3.15/policy/modules/kernel/devices.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/devices.fc 
serefpolicy-2.3.16/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc    2006-09-22 
14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/devices.fc        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/devices.fc        2006-09-26 
09:53:18.000000000 -0400
 @@ -25,10 +25,10 @@
  /dev/i915             -c      gen_context(system_u:object_r:dri_device_t,s0)
  /dev/irlpt[0-9]+      -c      
gen_context(system_u:object_r:printer_device_t,s0)
@@ -388,36 +311,10 @@
  /dev/(misc/)?psaux    -c      gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/rmidi.*          -c      gen_context(system_u:object_r:sound_device_t,s0)
  /dev/radeon           -c      gen_context(system_u:object_r:dri_device_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/devices.if 
serefpolicy-2.3.15/policy/modules/kernel/devices.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/devices.if 
serefpolicy-2.3.16/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if    2006-09-22 
09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/devices.if        2006-09-25 
13:31:59.000000000 -0400
-@@ -1998,6 +1998,25 @@
- 
- ########################################
- ## <summary>
-+##    dontaudit getattr BIOS non-volatile RAM.
-+## </summary>
-+## <param name="domain">
-+##    <summary>
-+##    Domain allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_getattr_nvram',`
-+      gen_require(`
-+              type nvram_device_t;
-+      ')
-+
-+      allow $1 device_t:dir search_dir_perms;
-+      dontaudit $1 nvram_device_t:chr_file getattr;
-+')
-+
-+########################################
-+## <summary>
- ##    Get the attributes of the printer device nodes.
- ## </summary>
- ## <param name="domain">
-@@ -3211,3 +3230,23 @@
++++ serefpolicy-2.3.16/policy/modules/kernel/devices.if        2006-09-26 
09:53:18.000000000 -0400
+@@ -3211,3 +3211,23 @@
  
        typeattribute $1 devices_unconfined_type;
  ')
@@ -441,9 +338,23 @@
 +      dontaudit $1 device_t:file getattr;
 +')
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/files.fc 
serefpolicy-2.3.15/policy/modules/kernel/files.fc
---- nsaserefpolicy/policy/modules/kernel/files.fc      2006-09-05 
07:41:00.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/files.fc  2006-09-25 
13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/domain.if 
serefpolicy-2.3.16/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if     2006-09-15 
13:14:21.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/domain.if 2006-09-26 
09:53:18.000000000 -0400
+@@ -99,7 +99,9 @@
+ 
+       typeattribute $2 entry_type;
+ 
+-      corecmd_executable_file($2)
++      ifdef(`targeted_policy',`
++              corecmd_executable_file($2)
++      ')
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/files.fc 
serefpolicy-2.3.16/policy/modules/kernel/files.fc
+--- nsaserefpolicy/policy/modules/kernel/files.fc      2006-09-25 
15:11:10.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/files.fc  2006-09-26 
09:53:18.000000000 -0400
 @@ -29,9 +29,10 @@
  /boot                 -d      gen_context(system_u:object_r:boot_t,s0)
  /boot/.*                      gen_context(system_u:object_r:boot_t,s0)
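Review bot: the new domain.if section wraps corecmd_executable_file($2) in an ifdef on targeted_policy with no comment, so on strict and MLS builds every entry-point type stops receiving whatever that interface assigns. That is a policy-wide change to how entry-point files are treated, made in a three-line edit inside a shared interface. Add a comment in the ifdef saying why non-targeted builds must not get the call, and mention the change in the changelog.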
@@ -456,15 +367,6 @@
  
  #
  # /emul
-@@ -58,7 +59,7 @@
- /etc/nohotplug                --      
gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/nologin.*                --      
gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/reader.conf      --      gen_context(system_u:object_r:etc_runtime_t,s0)
--/etc/smartd\.conf     --      gen_context(system_u:object_r:etc_runtime_t,s0)
-+/etc/smartd\.conf.*   --      gen_context(system_u:object_r:etc_runtime_t,s0)
- 
- /etc/cups/client\.conf        --      gen_context(system_u:object_r:etc_t,s0)
- 
 @@ -92,9 +93,9 @@
  # HOME_ROOT
  # expanded by genhomedircon
@@ -547,9 +449,9 @@
 +/var/tmp/lost\+found  -d      
gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
  /var/tmp/lost\+found/.*               <<none>>
  /var/tmp/vi\.recover  -d      gen_context(system_u:object_r:tmp_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/files.if 
serefpolicy-2.3.15/policy/modules/kernel/files.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/files.if 
serefpolicy-2.3.16/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if      2006-09-22 
14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/files.if  2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/files.if  2006-09-26 
09:53:18.000000000 -0400
 @@ -4541,3 +4541,23 @@
  
        typealias etc_runtime_t alias $1;
@@ -574,21 +476,38 @@
 +      allow $1 etc_t:dir rw_dir_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/filesystem.if 
serefpolicy-2.3.15/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-22 
14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/filesystem.if     2006-09-25 
13:31:59.000000000 -0400
-@@ -455,7 +455,7 @@
-       ')
- 
-       allow $1 binfmt_misc_fs_t:dir { getattr search };
--      allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
-+      allow $1 binfmt_misc_fs_t:file { getattr ioctl write read };
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/filesystem.if 
serefpolicy-2.3.16/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-25 
15:11:10.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/filesystem.if     2006-09-26 
10:02:05.000000000 -0400
+@@ -3381,3 +3381,25 @@
+       allow $1 noxattrfs:blk_file { getattr relabelfrom };
+       allow $1 noxattrfs:chr_file { getattr relabelfrom };
  ')
- 
- ########################################
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/kernel.te 
serefpolicy-2.3.15/policy/modules/kernel/kernel.te
++
++
++########################################
++## <summary>
++##    Create, read, write, and delete symbolic links
++##    on a autofs filesystem.
++## </summary>
++## <param name="domain">
++##    <summary>
++##    Domain allowed access.
++##    </summary>
++## </param>
++#
++interface(`fs_manage_autofs_symlinks',`
++      gen_require(`
++              type autofs_t;
++      ')
++
++      allow $1 autofs_t:dir rw_dir_perms;
++      allow $1 autofs_t:lnk_file create_lnk_perms;
++')
++
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/kernel.te 
serefpolicy-2.3.16/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te     2006-09-22 
09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/kernel.te 2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/kernel.te 2006-09-26 
09:53:18.000000000 -0400
 @@ -39,7 +39,7 @@
  domain_base_type(kernel_t)
  mls_rangetrans_source(kernel_t)
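Review bot: in the added fs_manage_autofs_symlinks interface the summary reads "on a autofs filesystem" where it should read "an autofs filesystem", and the block opens with two blank added lines before the banner where one would do. The same hunk also drops the earlier change that added "read" to "allow $1 binfmt_misc_fs_t:file { getattr ioctl write };"; say in the changelog whether upstream took that permission or whether it was withdrawn.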
@@ -658,9 +577,9 @@
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/mcs.te 
serefpolicy-2.3.15/policy/modules/kernel/mcs.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/mcs.te 
serefpolicy-2.3.16/policy/modules/kernel/mcs.te
 --- nsaserefpolicy/policy/modules/kernel/mcs.te        2006-09-22 
14:07:03.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/mcs.te    2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/mcs.te    2006-09-26 
09:53:18.000000000 -0400
 @@ -37,15 +37,15 @@
  # default and have the daemons which need to run with all categories be
  # exceptions.  But while range_transitions have to be in the base module
@@ -686,31 +605,9 @@
  
  # these might be targeted_policy only
  range_transition unconfined_t initrc_exec_t s0;
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/mls.te 
serefpolicy-2.3.15/policy/modules/kernel/mls.te
---- nsaserefpolicy/policy/modules/kernel/mls.te        2006-09-22 
09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/mls.te    2006-09-25 
13:31:59.000000000 -0400
-@@ -62,11 +62,13 @@
- type lvm_exec_t;
- type run_init_t;
- type setrans_exec_t;
-+type fsdaemon_exec_t;
- 
- ifdef(`enable_mls',`
--range_transition initrc_t auditd_exec_t s15:c0.c255;
--range_transition kernel_t init_exec_t s0 - s15:c0.c255;
--range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
--range_transition initrc_t setrans_exec_t s15:c0.c255;
--range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
-+range_transition initrc_t auditd_exec_t s15:c0.c1023;
-+range_transition initrc_t fsdaemon_exec_t s15:c0.c1023;
-+range_transition kernel_t init_exec_t s0 - s15:c0.c1023;
-+range_transition kernel_t lvm_exec_t s0 - s15:c0.c1023;
-+range_transition initrc_t setrans_exec_t s15:c0.c1023;
-+range_transition run_init_t initrc_exec_t s0 - s15:c0.c1023;
- ')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/selinux.te 
serefpolicy-2.3.15/policy/modules/kernel/selinux.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/selinux.te 
serefpolicy-2.3.16/policy/modules/kernel/selinux.te
 --- nsaserefpolicy/policy/modules/kernel/selinux.te    2006-08-02 
10:34:05.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/selinux.te        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/selinux.te        2006-09-26 
09:53:18.000000000 -0400
 @@ -19,7 +19,7 @@
  type security_t;
  fs_type(security_t)
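Review bot: Dropping the local mls.te patch removes both `range_transition initrc_t fsdaemon_exec_t s15:c0.c1023;` and the widening of the other transitions from `c0.c255` to `c0.c1023`, and the log message ("Update with upstream") does not say that 2.3.16 carries either. The storage.fc part of this same patch still labels devices with `s15:c0.c1023`, so please confirm the upstream mls.te uses the same category range; if it is still `c0.c255`, the range transitions and the file contexts will disagree on MLS builds.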
@@ -720,9 +617,9 @@
  genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
  
  neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security 
load_policy;
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/storage.fc 
serefpolicy-2.3.15/policy/modules/kernel/storage.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/storage.fc 
serefpolicy-2.3.16/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc    2006-08-02 
10:34:05.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/storage.fc        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/storage.fc        2006-09-26 
09:53:18.000000000 -0400
 @@ -5,36 +5,36 @@
  /dev/n?osst[0-3].*    -c      gen_context(system_u:object_r:tape_device_t,s0)
  /dev/n?pt[0-9]+               -c      
gen_context(system_u:object_r:tape_device_t,s0)
@@ -810,9 +707,9 @@
 +/dev/scramdisk/.*     -b      
gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c1023)
  
  /dev/usb/rio500               -c      
gen_context(system_u:object_r:removable_device_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/storage.if 
serefpolicy-2.3.15/policy/modules/kernel/storage.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/storage.if 
serefpolicy-2.3.16/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if    2006-07-14 
17:04:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/storage.if        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/storage.if        2006-09-26 
09:53:18.000000000 -0400
 @@ -37,6 +37,7 @@
        ')
  
@@ -821,9 +718,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/terminal.fc 
serefpolicy-2.3.15/policy/modules/kernel/terminal.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/kernel/terminal.fc 
serefpolicy-2.3.16/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc   2006-09-01 
14:10:17.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/terminal.fc       2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/terminal.fc       2006-09-26 
09:53:18.000000000 -0400
 @@ -18,7 +18,7 @@
  
  /dev/pty/.*           -c      
gen_context(system_u:object_r:bsdpty_device_t,s0)
@@ -833,9 +730,9 @@
  
  /dev/tts/[^/]*                -c      
gen_context(system_u:object_r:tty_device_t,s0)
  
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/apache.fc 
serefpolicy-2.3.15/policy/modules/services/apache.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/apache.fc 
serefpolicy-2.3.16/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc   2006-08-02 
10:34:07.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/apache.fc       2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/apache.fc       2006-09-26 
09:53:18.000000000 -0400
 @@ -80,3 +80,12 @@
  /var/www/cgi-bin(/.*)?                        
gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?                  
gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -849,9 +746,9 @@
 +/opt/fortitude/modules.local(/.*)?    
gen_context(system_u:object_r:httpd_modules_t,s0)
 +/opt/fortitude/logs(/.*)?             
gen_context(system_u:object_r:httpd_log_t,s0)
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/automount.te 
serefpolicy-2.3.15/policy/modules/services/automount.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/automount.te 
serefpolicy-2.3.16/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te        2006-09-22 
14:07:05.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/automount.te    2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/automount.te    2006-09-26 
10:01:31.000000000 -0400
 @@ -36,6 +36,8 @@
  allow automount_t self:unix_dgram_socket create_socket_perms;
  allow automount_t self:tcp_socket create_stream_socket_perms;
@@ -869,32 +766,17 @@
  
  fs_mount_all_fs(automount_t)
  fs_unmount_all_fs(automount_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/bind.te 
serefpolicy-2.3.15/policy/modules/services/bind.te
---- nsaserefpolicy/policy/modules/services/bind.te     2006-08-29 
09:00:27.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/bind.te 2006-09-25 
13:31:59.000000000 -0400
-@@ -223,6 +223,7 @@
- allow ndc_t named_t:unix_stream_socket connectto;
- 
- allow ndc_t named_conf_t:file { getattr read };
-+allow ndc_t named_conf_t:lnk_file { getattr read };
- 
- allow ndc_t named_var_run_t:sock_file rw_file_perms;
- 
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/bluetooth.fc 
serefpolicy-2.3.15/policy/modules/services/bluetooth.fc
---- nsaserefpolicy/policy/modules/services/bluetooth.fc        2006-09-22 
14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/bluetooth.fc    2006-09-25 
13:31:59.000000000 -0400
-@@ -7,7 +7,7 @@
- #
- # /usr
- #
--/usr/bin/blue.*pin    --      
gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
-+#/usr/bin/blue.*pin   --      
gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
- /usr/bin/dund         --      
gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/bin/hidd         --      
gen_context(system_u:object_r:bluetooth_exec_t,s0)
- /usr/bin/rfcomm               --      
gen_context(system_u:object_r:bluetooth_exec_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ccs.fc 
serefpolicy-2.3.15/policy/modules/services/ccs.fc
+@@ -128,6 +131,7 @@
+ fs_manage_auto_mountpoints(automount_t)
+ fs_unmount_autofs(automount_t)
+ fs_mount_autofs(automount_t)
++fs_manage_autofs_symlinks(automount_t)
+ 
+ term_dontaudit_use_console(automount_t)
+ term_dontaudit_getattr_pty_dirs(automount_t)
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ccs.fc 
serefpolicy-2.3.16/policy/modules/services/ccs.fc
 --- nsaserefpolicy/policy/modules/services/ccs.fc      1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ccs.fc  2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ccs.fc  2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,8 @@
 +# ccs executable will have:
 +# label: system_u:object_r:ccs_exec_t
@@ -904,9 +786,9 @@
 +/sbin/ccsd            --      gen_context(system_u:object_r:ccs_exec_t,s0)
 +/var/run/cluster(/.*)?                
gen_context(system_u:object_r:ccs_var_run_t,s0)
 +/etc/cluster(/.*)?            gen_context(system_u:object_r:cluster_conf_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ccs.if 
serefpolicy-2.3.15/policy/modules/services/ccs.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ccs.if 
serefpolicy-2.3.16/policy/modules/services/ccs.if
 --- nsaserefpolicy/policy/modules/services/ccs.if      1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ccs.if  2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ccs.if  2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,65 @@
 +## <summary>policy for ccs</summary>
 +
@@ -973,9 +855,9 @@
 +      allow $1 cluster_conf_t:file { getattr read };
 +')
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ccs.te 
serefpolicy-2.3.15/policy/modules/services/ccs.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ccs.te 
serefpolicy-2.3.16/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te      1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ccs.te  2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ccs.te  2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,87 @@
 +policy_module(ccs,1.0.0)
 +
@@ -1064,20 +946,9 @@
 +
 +allow ccs_t cluster_conf_t:dir r_dir_perms;
 +allow ccs_t cluster_conf_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/cron.fc 
serefpolicy-2.3.15/policy/modules/services/cron.fc
---- nsaserefpolicy/policy/modules/services/cron.fc     2006-07-14 
17:04:41.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/cron.fc 2006-09-25 
13:31:59.000000000 -0400
-@@ -11,6 +11,7 @@
- /usr/sbin/fcron                       --      
gen_context(system_u:object_r:crond_exec_t,s0)
- 
- /var/run/atd\.pid             --      
gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/run/anacron\.pid         --      
gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/crond?\.pid          --      
gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/crond\.reboot                --      
gen_context(system_u:object_r:crond_var_run_t,s0)
- /var/run/fcron\.fifo          -s      
gen_context(system_u:object_r:crond_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/cron.te 
serefpolicy-2.3.15/policy/modules/services/cron.te
---- nsaserefpolicy/policy/modules/services/cron.te     2006-09-15 
13:14:24.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/cron.te 2006-09-25 
13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/cron.te 
serefpolicy-2.3.16/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te     2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/cron.te 2006-09-26 
09:53:18.000000000 -0400
 @@ -17,6 +17,14 @@
  type cron_spool_t;
  files_type(cron_spool_t)
@@ -1111,9 +982,9 @@
  tunable_policy(`fcron_crond', `
        allow crond_t system_cron_spool_t:file create_file_perms;
  ')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/dbus.if 
serefpolicy-2.3.15/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/dbus.if 
serefpolicy-2.3.16/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if     2006-09-15 
13:14:24.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/dbus.if 2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/dbus.if 2006-09-26 
09:53:18.000000000 -0400
 @@ -123,6 +123,7 @@
        selinux_compute_relabel_context($1_dbusd_t)
        selinux_compute_user_contexts($1_dbusd_t)
@@ -1122,56 +993,36 @@
        corecmd_list_bin($1_dbusd_t)
        corecmd_read_bin_symlinks($1_dbusd_t)
        corecmd_read_bin_files($1_dbusd_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/hal.te 
serefpolicy-2.3.15/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te      2006-09-05 
07:41:01.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/hal.te  2006-09-25 
13:31:59.000000000 -0400
-@@ -142,10 +142,12 @@
- userdom_dontaudit_use_unpriv_user_fds(hald_t)
- userdom_dontaudit_search_sysadm_home_dirs(hald_t)
- 
-+# hal_probe_serial causes these
-+term_setattr_unallocated_ttys(hald_t)
-+term_dontaudit_use_unallocated_ttys(hald_t)
-+
- ifdef(`targeted_policy',`
-       term_dontaudit_use_console(hald_t)
--      term_setattr_unallocated_ttys(hald_t)
--      term_dontaudit_use_unallocated_ttys(hald_t)
-       term_dontaudit_use_generic_ptys(hald_t)
-       files_dontaudit_read_root_files(hald_t)
- ')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/lpd.fc 
serefpolicy-2.3.15/policy/modules/services/lpd.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/lpd.fc 
serefpolicy-2.3.16/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc      2006-09-22 
14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/lpd.fc  2006-09-25 
13:39:36.000000000 -0400
-@@ -8,11 +8,14 @@
++++ serefpolicy-2.3.16/policy/modules/services/lpd.fc  2006-09-26 
09:53:18.000000000 -0400
+@@ -8,14 +8,23 @@
  #
  /usr/sbin/checkpc     --      gen_context(system_u:object_r:checkpc_exec_t,s0)
  /usr/sbin/lpd         --      gen_context(system_u:object_r:lpd_exec_t,s0)
 +/usr/sbin/lpadmin     --      gen_context(system_u:object_r:lpr_exec_t,s0)
 +/usr/sbin/lpc(\.cups)?        --      
gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/sbin/accept      --      gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/sbin/lpinfo      --      gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/sbin/lpmove      --      gen_context(system_u:object_r:lpr_exec_t,s0)
  /usr/share/printconf/.* --    gen_context(system_u:object_r:printconf_t,s0)
  /usr/bin/lp(\.cups)?  --      gen_context(system_u:object_r:lpr_exec_t,s0)
  /usr/bin/lpr(\.cups)? --      gen_context(system_u:object_r:lpr_exec_t,s0)
  /usr/bin/lpq(\.cups)? --      gen_context(system_u:object_r:lpr_exec_t,s0)
  /usr/bin/lprm(\.cups)?        --      
gen_context(system_u:object_r:lpr_exec_t,s0)
 +/usr/bin/lpstat(\.cups)? --   gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/cancel(\.cups)?      --      
gen_context(system_u:object_r:lpr_exec_t,s0)
++/usr/bin/lpoptions    --      gen_context(system_u:object_r:lpr_exec_t,s0)
  
  #
  # /var
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/networkmanager.te 
serefpolicy-2.3.15/policy/modules/services/networkmanager.te
---- nsaserefpolicy/policy/modules/services/networkmanager.te   2006-09-22 
14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/networkmanager.te       
2006-09-25 13:31:59.000000000 -0400
-@@ -163,6 +163,7 @@
- optional_policy(`
-       ppp_domtrans(NetworkManager_t)
-       ppp_read_pid_files(NetworkManager_t)
-+      ppp_signal(NetworkManager_t)
- ')
- 
- optional_policy(`
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/nscd.if 
serefpolicy-2.3.15/policy/modules/services/nscd.if
+ #
+ /var/spool/lpd(/.*)?          gen_context(system_u:object_r:print_spool_t,s0)
+ /var/run/lprng(/.*)?          gen_context(system_u:object_r:lpd_var_run_t,s0)
++
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/nscd.if 
serefpolicy-2.3.16/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if     2006-08-07 
18:55:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/nscd.if 2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/nscd.if 2006-09-26 
09:53:18.000000000 -0400
 @@ -181,3 +181,23 @@
  
        allow $1 nscd_t:nscd *;
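Review bot: The new lpd.fc entries are inconsistent about the `(\.cups)?` suffix: `/usr/bin/cancel(\.cups)?` has it, but `/usr/sbin/accept`, `/usr/sbin/lpinfo`, `/usr/sbin/lpmove` and `/usr/bin/lpoptions` do not, while the neighbouring `lpc`, `lp`, `lpr`, `lpq`, `lprm` and `lpstat` lines all do. If the `.cups` variants of these binaries exist they will be left with the default label. These are also administrative commands (`accept`, `lpmove`) being given the same `lpr_exec_t` entry point as the user print clients, which deserves a short comment if intended. The trailing blank `++` line added at the end of the file is noise. The hal.te and networkmanager.te additions dropped in this hunk (`ppp_signal(NetworkManager_t)`, the `term_*_unallocated_ttys(hald_t)` move) are not mentioned in the log message.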
@@ -1196,22 +1047,10 @@
 +      role $1 types nscd_t;
 +')
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/nscd.te 
serefpolicy-2.3.15/policy/modules/services/nscd.te
---- nsaserefpolicy/policy/modules/services/nscd.te     2006-08-07 
18:55:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/nscd.te 2006-09-25 
13:31:59.000000000 -0400
-@@ -88,6 +88,8 @@
- domain_use_interactive_fds(nscd_t)
- 
- files_read_etc_files(nscd_t)
-+# Needed to read files created by firstboot "/etc/hesiod.conf"
-+files_read_etc_runtime_files(nscd_t)
- files_read_generic_tmp_symlinks(nscd_t)
- 
- init_use_fds(nscd_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/oddjob.fc 
serefpolicy-2.3.15/policy/modules/services/oddjob.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/oddjob.fc 
serefpolicy-2.3.16/policy/modules/services/oddjob.fc
 --- nsaserefpolicy/policy/modules/services/oddjob.fc   1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/oddjob.fc       2006-09-25 
13:31:59.000000000 -0400
-@@ -0,0 +1,10 @@
++++ serefpolicy-2.3.16/policy/modules/services/oddjob.fc       2006-09-26 
09:53:18.000000000 -0400
+@@ -0,0 +1,8 @@
 +# oddjob executable will have:
 +# label: system_u:object_r:oddjob_exec_t
 +# MLS sensitivity: s0
@@ -1219,12 +1058,10 @@
 +
 +/usr/sbin/oddjobd             --      
gen_context(system_u:object_r:oddjob_exec_t,s0)
 +/var/run/oddjobd.pid                  
gen_context(system_u:object_r:oddjob_var_run_t,s0)
-+/usr/lib/oddjobd                      
gen_context(system_u:object_r:oddjob_var_lib_t,s0)
-+
 +/usr/lib/oddjob/mkhomedir     --      
gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/oddjob.if 
serefpolicy-2.3.15/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/oddjob.if 
serefpolicy-2.3.16/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if   1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/oddjob.if       2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/oddjob.if       2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,99 @@
 +## <summary>policy for oddjob</summary>
 +
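Review bot: In oddjob.fc the remaining `/var/run/oddjobd.pid` entry leaves the dot unescaped and has no file-type field, unlike the `/var/run/pcscd\.pid   --` entries added to init.fc in this same patch; write it as `/var/run/oddjobd\.pid --` so it matches only the regular pid file. Removing the `/usr/lib/oddjobd` line is consistent with the oddjob.te hunks that drop `oddjob_var_lib_t`, and the hunk count moving from 10 to 8 lines matches.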
@@ -1325,10 +1162,10 @@
 +      allow oddjob_mkhomedir_t $1:fifo_file rw_file_perms;
 +      allow oddjob_mkhomedir_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/oddjob.te 
serefpolicy-2.3.15/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/oddjob.te 
serefpolicy-2.3.16/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te   1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/oddjob.te       2006-09-25 
13:31:59.000000000 -0400
-@@ -0,0 +1,95 @@
++++ serefpolicy-2.3.16/policy/modules/services/oddjob.te       2006-09-26 
09:53:18.000000000 -0400
+@@ -0,0 +1,85 @@
 +policy_module(oddjob,1.0.0)
 +
 +########################################
@@ -1345,10 +1182,6 @@
 +type oddjob_var_run_t;
 +files_pid_file(oddjob_var_run_t)
 +
-+# var/lib files
-+type oddjob_var_lib_t;
-+files_type(oddjob_var_lib_t)
-+
 +type oddjob_mkhomedir_t;
 +type oddjob_mkhomedir_exec_t;
 +domain_type(oddjob_mkhomedir_t)
@@ -1375,12 +1208,6 @@
 +allow oddjob_t oddjob_var_run_t:dir rw_dir_perms;
 +files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
 +
-+# var/lib files for oddjob
-+allow oddjob_t oddjob_var_lib_t:file create_file_perms;
-+allow oddjob_t oddjob_var_lib_t:sock_file create_file_perms;
-+allow oddjob_t oddjob_var_lib_t:dir create_dir_perms;
-+files_var_lib_filetrans(oddjob_t,oddjob_var_lib_t, { file dir sock_file })
-+
 +init_dontaudit_use_fds(oddjob_t)
 +allow oddjob_t self:capability { audit_write setgid } ;
 +allow oddjob_t self:process setexec;
@@ -1424,9 +1251,9 @@
 +oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 +domain_auto_trans(unconfined_t,oddjob_mkhomedir_exec_t,oddjob_mkhomedir_t)
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/pegasus.if 
serefpolicy-2.3.15/policy/modules/services/pegasus.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/pegasus.if 
serefpolicy-2.3.16/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if  2006-07-14 
17:04:41.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/pegasus.if      2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/pegasus.if      2006-09-26 
09:53:18.000000000 -0400
 @@ -1 +1,32 @@
  ## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
 +
@@ -1460,9 +1287,9 @@
 +      allow pegasus_t $1:fifo_file rw_file_perms;
 +      allow pegasus_t $1:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/pegasus.te 
serefpolicy-2.3.15/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/pegasus.te 
serefpolicy-2.3.16/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te  2006-08-23 
12:14:54.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/pegasus.te      2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/pegasus.te      2006-09-26 
09:53:18.000000000 -0400
 @@ -100,13 +100,12 @@
  
  auth_use_nsswitch(pegasus_t)
@@ -1479,20 +1306,9 @@
  files_read_var_lib_symlinks(pegasus_t)
  
  hostname_exec(pegasus_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/postfix.fc 
serefpolicy-2.3.15/policy/modules/services/postfix.fc
---- nsaserefpolicy/policy/modules/services/postfix.fc  2006-07-14 
17:04:40.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/postfix.fc      2006-09-25 
13:31:59.000000000 -0400
-@@ -22,6 +22,7 @@
- /usr/lib/postfix/(n)?qmgr --  
gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
- /usr/lib/postfix/showq        --      
gen_context(system_u:object_r:postfix_showq_exec_t,s0)
- /usr/lib/postfix/smtp --      
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/lmtp --      
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/scache       --      
gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/lib/postfix/smtpd        --      
gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
- /usr/lib/postfix/bounce       --      
gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ricci.fc 
serefpolicy-2.3.15/policy/modules/services/ricci.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ricci.fc 
serefpolicy-2.3.16/policy/modules/services/ricci.fc
 --- nsaserefpolicy/policy/modules/services/ricci.fc    1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ricci.fc        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ricci.fc        2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,20 @@
 +# ricci executable will have:
 +# label: system_u:object_r:ricci_exec_t
@@ -1514,9 +1330,9 @@
 +/usr/sbin/ricci-modservice    --      
gen_context(system_u:object_r:ricci_modservice_exec_t,s0)
 +/usr/sbin/ricci-modstorage    --      
gen_context(system_u:object_r:ricci_modstorage_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ricci.if 
serefpolicy-2.3.15/policy/modules/services/ricci.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ricci.if 
serefpolicy-2.3.16/policy/modules/services/ricci.if
 --- nsaserefpolicy/policy/modules/services/ricci.if    1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ricci.if        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ricci.if        2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,184 @@
 +## <summary>policy for ricci</summary>
 +
@@ -1702,9 +1518,9 @@
 +      allow $1 ricci_modcluster_var_run_t:sock_file write;
 +      allow $1 ricci_modclusterd_t:unix_stream_socket connectto;
 +')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ricci.te 
serefpolicy-2.3.15/policy/modules/services/ricci.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ricci.te 
serefpolicy-2.3.16/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te    1969-12-31 
19:00:00.000000000 -0500
-+++ serefpolicy-2.3.15/policy/modules/services/ricci.te        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/ricci.te        2006-09-26 
09:53:18.000000000 -0400
 @@ -0,0 +1,386 @@
 +policy_module(ricci,1.0.0)
 +
@@ -2092,9 +1908,9 @@
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/sendmail.te 
serefpolicy-2.3.15/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/sendmail.te 
serefpolicy-2.3.16/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te 2006-09-22 
14:07:06.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/sendmail.te     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/sendmail.te     2006-09-26 
09:53:18.000000000 -0400
 @@ -32,6 +32,7 @@
  allow sendmail_t self:unix_dgram_socket create_socket_perms;
  allow sendmail_t self:tcp_socket create_stream_socket_perms;
@@ -2103,58 +1919,36 @@
  
  allow sendmail_t sendmail_log_t:file create_file_perms;
  allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/smartmon.te 
serefpolicy-2.3.15/policy/modules/services/smartmon.te
---- nsaserefpolicy/policy/modules/services/smartmon.te 2006-07-14 
17:04:41.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/smartmon.te     2006-09-25 
13:31:59.000000000 -0400
-@@ -7,8 +7,13 @@
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/setroubleshoot.te 
serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te   2006-09-22 
14:07:05.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/setroubleshoot.te       
2006-09-26 09:53:18.000000000 -0400
+@@ -28,7 +28,7 @@
  #
  
- type fsdaemon_t;
--type fsdaemon_exec_t;
-+# real declaration moved to mls until
-+# range_transition works in loadable modules
-+gen_require(`
-+      type fsdaemon_exec_t;
-+')
- init_daemon_domain(fsdaemon_t,fsdaemon_exec_t)
-+mls_rangetrans_target(fsdaemon_t)
- 
- type fsdaemon_var_run_t;
- files_pid_file(fsdaemon_var_run_t)
-@@ -62,6 +67,7 @@
+ allow setroubleshootd_t self:capability { dac_override sys_tty_config };
+-allow setroubleshootd_t self:process { signal getattr };
++allow setroubleshootd_t self:process { signal getattr getsched };
+ allow setroubleshootd_t self:fifo_file rw_file_perms;
+ allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+ allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms 
connectto };
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/smartmon.te 
serefpolicy-2.3.16/policy/modules/services/smartmon.te
+--- nsaserefpolicy/policy/modules/services/smartmon.te 2006-07-14 
17:04:41.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/smartmon.te     2006-09-26 
09:53:18.000000000 -0400
+@@ -60,8 +60,11 @@
+ fs_getattr_all_fs(fsdaemon_t)
+ fs_search_auto_mountpoints(fsdaemon_t)
  
++mls_file_read_up(fsdaemon_t)
++
  storage_raw_read_fixed_disk(fsdaemon_t)
  storage_raw_write_fixed_disk(fsdaemon_t)
 +storage_raw_read_removable_device(fsdaemon_t)
  
  term_dontaudit_use_console(fsdaemon_t)
  term_dontaudit_search_ptys(fsdaemon_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/services/ssh.te 
serefpolicy-2.3.15/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te      2006-09-22 
09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/services/ssh.te  2006-09-25 
13:31:59.000000000 -0400
-@@ -71,7 +71,7 @@
- ifdef(`strict_policy',`
-       # so a tunnel can point to another ssh tunnel
-       allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
--
-+      allow sshd_t self:key { search link write };
-       allow sshd_t sshd_tmp_t:dir create_dir_perms;
-       allow sshd_t sshd_tmp_t:file create_file_perms;
-       allow sshd_t sshd_tmp_t:sock_file create_file_perms;
-@@ -81,6 +81,10 @@
-       corenet_tcp_bind_xserver_port(sshd_t)
-       corenet_sendrecv_xserver_server_packets(sshd_t)
- 
-+      kernel_link_key(sshd_t)
-+
-+      userdom_search_all_users_home_dirs(sshd_t)
-+
-       tunable_policy(`ssh_sysadm_login',`
-               # Relabel and access ptys created by sshd
-               # ioctl is necessary for logout() processing for utmp entry and 
for w to
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/hostname.te 
serefpolicy-2.3.15/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/hostname.te 
serefpolicy-2.3.16/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te   2006-08-29 
09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/hostname.te       2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/hostname.te       2006-09-26 
09:53:18.000000000 -0400
 @@ -8,7 +8,10 @@
  
  type hostname_t;
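Review bot: `mls_file_read_up(fsdaemon_t)` is added to smartmon.te with no comment, in the same hunk that removes the earlier approach (`gen_require` of `fsdaemon_exec_t` plus `mls_rangetrans_target(fsdaemon_t)`). Read-up is a broad MLS exemption for a domain that already has `storage_raw_read_fixed_disk` and `storage_raw_write_fixed_disk`, so a one-line comment explaining why it replaces the range transition would help later audits. The same applies to the new `getsched` on `setroubleshootd_t self:process`. This hunk also drops the whole ssh.te patch (`allow sshd_t self:key { search link write };`, `kernel_link_key(sshd_t)`, `userdom_search_all_users_home_dirs(sshd_t)`) without a changelog entry saying where those rules went.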
@@ -2167,9 +1961,9 @@
  role system_r types hostname_t;
  
  ########################################
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/init.fc 
serefpolicy-2.3.15/policy/modules/system/init.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/init.fc 
serefpolicy-2.3.16/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc       2006-08-25 
13:29:58.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.fc   2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/init.fc   2006-09-26 
09:53:18.000000000 -0400
 @@ -66,3 +66,6 @@
  /var/run/sysconfig(/.*)?      
gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
@@ -2177,43 +1971,10 @@
 +# Until their is a policy for pcscd we need these
 +/var/run/pcscd\.pub   --      
gen_context(system_u:object_r:initrc_var_run_t,s0)
 +/var/run/pcscd\.pid   --      
gen_context(system_u:object_r:initrc_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/init.if 
serefpolicy-2.3.15/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if       2006-09-15 
13:14:26.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.if   2006-09-25 
13:31:59.000000000 -0400
-@@ -63,8 +63,11 @@
-               attribute direct_run_init, direct_init, direct_init_entry;
-               type initrc_t;
-               role system_r;
-+              attribute daemon;
-       ')
- 
-+      typeattribute $1 daemon;
-+
-       domain_type($1)
-       domain_entry_file($1,$2)
- 
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/init.te 
serefpolicy-2.3.15/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te       2006-09-22 
14:07:07.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.te   2006-09-25 
13:31:59.000000000 -0400
-@@ -16,6 +16,9 @@
- attribute direct_init;
- attribute direct_init_entry;
- 
-+# Mark process types as daemons
-+attribute daemon;
-+
- #
- # init_t is the domain of the init process.
- #
-@@ -206,6 +209,7 @@
- 
- allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
- allow initrc_t self:capability ~{ sys_admin sys_module };
-+dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
- allow initrc_t self:passwd rootok;
- 
- # Allow IPC with self
-@@ -361,7 +365,8 @@
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/init.te 
serefpolicy-2.3.16/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te       2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/init.te   2006-09-26 
09:53:18.000000000 -0400
+@@ -365,7 +365,8 @@
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -2223,19 +1984,7 @@
  # slapd needs to read cert files from its initscript
  miscfiles_read_certs(initrc_t)
  
-@@ -513,6 +518,11 @@
-       optional_policy(`
-               mono_domtrans(initrc_t)
-       ')
-+
-+      tunable_policy(`allow_daemons_use_tty',`
-+              term_use_unallocated_ttys(daemon)
-+              term_use_generic_ptys(daemon)
-+      ')
- ',`
-       # cjp: require doesnt work in the else of optionals :\
-       # this also would result in a type transition
-@@ -570,6 +580,8 @@
+@@ -579,6 +580,8 @@
        dev_getattr_printer_dev(initrc_t)
  
        cups_read_log(initrc_t)
@@ -2244,9 +1993,126 @@
        cups_read_rw_config(initrc_t)
  ')
  
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/logging.fc 
serefpolicy-2.3.15/policy/modules/system/logging.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/iscsi.fc 
serefpolicy-2.3.16/policy/modules/system/iscsi.fc
+--- nsaserefpolicy/policy/modules/system/iscsi.fc      1969-12-31 
19:00:00.000000000 -0500
++++ serefpolicy-2.3.16/policy/modules/system/iscsi.fc  2006-09-26 
10:04:37.000000000 -0400
+@@ -0,0 +1,7 @@
++# iscsid executable will have:
++# label: system_u:object_r:iscsid_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++/sbin/iscsid          --      gen_context(system_u:object_r:iscsid_exec_t,s0)
++/var/run/iscsid.pid   --      
gen_context(system_u:object_r:iscsi_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/iscsi.if 
serefpolicy-2.3.16/policy/modules/system/iscsi.if
+--- nsaserefpolicy/policy/modules/system/iscsi.if      1969-12-31 
19:00:00.000000000 -0500
++++ serefpolicy-2.3.16/policy/modules/system/iscsi.if  2006-09-26 
10:04:37.000000000 -0400
+@@ -0,0 +1,24 @@
++## <summary>policy for iscsid</summary>
++
++########################################
++## <summary>
++##    Execute a domain transition to run iscsid.
++## </summary>
++## <param name="domain">
++## <summary>
++##    Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`iscsid_domtrans',`
++      gen_require(`
++              type iscsid_t, iscsid_exec_t;
++      ')
++
++      domain_auto_trans($1,iscsid_exec_t,iscsid_t)
++
++      allow $1 iscsid_t:fd use;
++      allow iscsid_t $1:fd use;
++      allow iscsid_t $1:fifo_file rw_file_perms;
++      allow iscsid_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/iscsi.te 
serefpolicy-2.3.16/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te      1969-12-31 
19:00:00.000000000 -0500
++++ serefpolicy-2.3.16/policy/modules/system/iscsi.te  2006-09-26 
10:04:37.000000000 -0400
+@@ -0,0 +1,74 @@
++policy_module(iscsid,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type iscsid_t;
++type iscsid_exec_t;
++domain_type(iscsid_t)
++init_daemon_domain(iscsid_t, iscsid_exec_t)
++
++type iscsi_tmp_t;
++files_tmp_file(iscsi_tmp_t)
++
++type iscsi_var_run_t;
++files_pid_file(iscsi_var_run_t)
++
++
++########################################
++#
++# iscsid local policy
++#
++# Check in /etc/selinux/refpolicy/include for macros to use instead of allow 
rules.
++
++# Some common macros (you might be able to remove some)
++files_read_etc_files(iscsid_t)
++libs_use_ld_so(iscsid_t)
++libs_use_shared_libs(iscsid_t)
++miscfiles_read_localization(iscsid_t)
++## internal communication is often done using fifo and unix sockets.
++allow iscsid_t self:fifo_file { read write };
++allow iscsid_t self:unix_stream_socket create_stream_socket_perms;
++
++## Networking basics (adjust to your needs!)
++sysnet_dns_name_resolve(iscsid_t)
++corenet_tcp_sendrecv_all_if(iscsid_t)
++corenet_tcp_sendrecv_all_nodes(iscsid_t)
++corenet_tcp_sendrecv_all_ports(iscsid_t)
++corenet_non_ipsec_sendrecv(iscsid_t)
++corenet_tcp_connect_http_port(iscsid_t)
++#corenet_tcp_connect_all_ports(iscsid_t)
++## if it is a network daemon, consider these:
++#corenet_tcp_bind_all_ports(iscsid_t)
++#corenet_tcp_bind_all_nodes(iscsid_t)
++allow iscsid_t self:tcp_socket { listen accept };
++
++# Init script handling
++init_use_fds(iscsid_t)
++init_use_script_ptys(iscsid_t)
++domain_use_interactive_fds(iscsid_t)
++
++logging_send_syslog_msg(iscsid_t)
++
++allow iscsid_t self:capability { ipc_lock net_admin sys_nice sys_resource };
++allow iscsid_t self:netlink_socket { bind create };
++allow iscsid_t self:unix_dgram_socket create_socket_perms;
++
++allow iscsid_t devpts_t:chr_file { read write };
++
++allow iscsid_t self:process setsched;
++allow iscsid_t self:sem create_sem_perms;
++allow iscsid_t self:shm create_shm_perms;
++
++dev_rw_sysfs(iscsid_t)
++
++allow iscsid_t iscsi_var_run_t:dir rw_dir_perms;
++allow iscsid_t iscsi_var_run_t:file create_file_perms;
++files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
++
++allow iscsid_t iscsi_tmp_t:dir create_dir_perms;
++allow iscsid_t iscsi_tmp_t:file create_file_perms;
++fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
++
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/logging.fc 
serefpolicy-2.3.16/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc    2006-09-01 
14:10:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/logging.fc        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/logging.fc        2006-09-26 
09:53:18.000000000 -0400
 @@ -1,7 +1,7 @@
  
  /dev/log              -s      gen_context(system_u:object_r:devlog_t,s0)
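Review bot: the networking block of the new iscsi.te still carries the policy-template defaults rather than what an iSCSI initiator needs. `corenet_tcp_connect_http_port(iscsid_t)` lets the daemon connect to HTTP ports, and `allow iscsid_t self:tcp_socket { listen accept };` grants listen/accept although both `corenet_tcp_bind_*` lines are commented out. Suggest dropping both, granting connect only to a port type defined for the iSCSI target port, and removing the leftover template comments ("you might be able to remove some", "adjust to your needs!"). Smaller points in the same new files: the module declares itself as `policy_module(iscsid,1.0.0)` while the files are named iscsi.* and modules-targeted.conf enables `iscsi`; `/var/run/iscsid.pid` in iscsi.fc leaves the dot unescaped, unlike `pcscd\.pid` and `auditd\.pid` elsewhere in this patch; and `iscsi_tmp_t` is declared with `files_tmp_file` but its transition is `fs_tmpfs_filetrans`, which covers tmpfs rather than /tmp.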
@@ -2271,9 +2137,9 @@
  
  /var/run/audit_events -s      
gen_context(system_u:object_r:auditd_var_run_t,s0)
  /var/run/auditd\.pid  --      
gen_context(system_u:object_r:auditd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/logging.te 
serefpolicy-2.3.15/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te    2006-08-29 
09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/logging.te        2006-09-25 
13:31:59.000000000 -0400
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/logging.te 
serefpolicy-2.3.16/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te    2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/logging.te        2006-09-26 
09:53:18.000000000 -0400
 @@ -18,6 +18,7 @@
  
  type auditd_log_t;
@@ -2282,17 +2148,9 @@
  
  type auditd_t;
  # real declaration moved to mls until
-@@ -161,6 +162,7 @@
- miscfiles_read_localization(auditd_t)
- 
- mls_file_read_up(auditd_t)
-+mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ 
directory
- mls_rangetrans_target(auditd_t)
- 
- seutil_dontaudit_read_config(auditd_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/raid.te 
serefpolicy-2.3.15/policy/modules/system/raid.te
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/raid.te 
serefpolicy-2.3.16/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te       2006-07-14 
17:04:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/raid.te   2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/raid.te   2006-09-26 
09:53:18.000000000 -0400
 @@ -29,11 +29,13 @@
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
@@ -2307,9 +2165,9 @@
  
  fs_search_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/selinuxutil.fc 
serefpolicy-2.3.15/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/selinuxutil.fc 
serefpolicy-2.3.16/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc        2006-09-05 
07:41:01.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/selinuxutil.fc    2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/selinuxutil.fc    2006-09-26 
09:53:18.000000000 -0400
 @@ -6,12 +6,12 @@
  /etc/selinux(/.*)?                    
gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?  
gen_context(system_u:object_r:default_context_t,s0)
@@ -2326,28 +2184,17 @@
  
  #
  # /root
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/setrans.fc 
serefpolicy-2.3.15/policy/modules/system/setrans.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/setrans.fc 
serefpolicy-2.3.16/policy/modules/system/setrans.fc
 --- nsaserefpolicy/policy/modules/system/setrans.fc    2006-07-14 
17:04:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/setrans.fc        2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/setrans.fc        2006-09-26 
09:53:18.000000000 -0400
 @@ -1,3 +1,3 @@
  /sbin/mcstransd       --      gen_context(system_u:object_r:setrans_exec_t,s0)
  
 -/var/run/setrans(/.*)?        
gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c255)
 +/var/run/setrans(/.*)?        
gen_context(system_u:object_r:setrans_var_run_t,s15:c0.c1023)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/udev.te 
serefpolicy-2.3.15/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te       2006-09-01 
14:10:18.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/udev.te   2006-09-25 
13:31:59.000000000 -0400
-@@ -92,6 +92,7 @@
- dev_delete_generic_files(udev_t)
- 
- domain_read_all_domains_state(udev_t)
-+domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
- 
- files_read_etc_runtime_files(udev_t)
- files_read_etc_files(udev_t)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/unconfined.if 
serefpolicy-2.3.15/policy/modules/system/unconfined.if
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/unconfined.if 
serefpolicy-2.3.16/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if 2006-08-29 
09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/unconfined.if     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/unconfined.if     2006-09-26 
09:53:18.000000000 -0400
 @@ -31,6 +31,7 @@
        allow $1 self:nscd *;
        allow $1 self:dbus *;
@@ -2356,9 +2203,9 @@
  
        kernel_unconfined($1)
        corenet_unconfined($1)
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/userdomain.fc 
serefpolicy-2.3.15/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/userdomain.fc 
serefpolicy-2.3.16/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc 2006-07-14 
17:04:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/userdomain.fc     2006-09-25 
13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.fc     2006-09-26 
09:53:18.000000000 -0400
 @@ -4,6 +4,6 @@
  HOME_DIR              -d      
gen_context(system_u:object_r:user_home_dir_t,s0)
  HOME_DIR/.+           gen_context(system_u:object_r:user_home_t,s0)
@@ -2367,112 +2214,21 @@
 +HOME_DIR              -d      
gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c1023)
  HOME_DIR/.+           gen_context(system_u:object_r:ROLE_home_t,s0)
  ')
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/userdomain.if 
serefpolicy-2.3.15/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if 2006-09-22 
09:35:45.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/userdomain.if     2006-09-25 
13:31:59.000000000 -0400
-@@ -4317,6 +4317,7 @@
-               ')
- 
-               dontaudit $1 user_home_dir_t:dir search_dir_perms;
-+              dontaudit $1 user_home_t:dir search_dir_perms;
-               dontaudit $1 user_home_t:file r_file_perms;
-       ',`
-               gen_require(`
-@@ -4324,7 +4325,8 @@
-               ')
- 
-               dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
--              dontaudit $1 sysadm_home_t:dir r_file_perms;
-+              dontaudit $1 sysadm_home_t:dir search_dir_perms;
-+              dontaudit $1 sysadm_home_t:file r_file_perms;
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/userdomain.if 
serefpolicy-2.3.16/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.if     2006-09-26 
09:53:18.000000000 -0400
+@@ -849,6 +849,7 @@
        ')
- ')
- 
-@@ -5146,6 +5148,29 @@
  
- ########################################
- ## <summary>
-+##    Read and write unprivileged user ttys.
-+## </summary>
-+## <param name="domain">
-+##    <summary>
-+##    Domain allowed access.
-+##    </summary>
-+## </param>
-+#
-+interface(`userdom_use_unpriv_users_ttys',`
-+      ifdef(`targeted_policy',`
-+              term_use_unallocated_ttys($1)
-+      ',`
-+              gen_require(`
-+                      attribute user_ttynode;
-+              ')
-+
-+              allow $1 user_ttynode:chr_file rw_file_perms;
-+      ')
-+')
-+
-+
-+########################################
-+## <summary>
- ##    Read the process state of all user domains.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/userdomain.te 
serefpolicy-2.3.15/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te 2006-09-22 
09:35:45.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/userdomain.te     2006-09-25 
13:31:59.000000000 -0400
-@@ -58,6 +58,10 @@
- 
- ifdef(`strict_policy',`
-       userdom_admin_user_template(sysadm)
-+      # Following for sending reboot, and wall messages
-+      userdom_use_unpriv_users_ptys(sysadm_t)
-+      userdom_use_unpriv_users_ttys(sysadm_t)
-+
-       userdom_unpriv_user_template(staff)
-       userdom_unpriv_user_template(user)
- 
-@@ -128,11 +132,13 @@
-               domain_kill_all_domains(auditadm_t)
-               seutil_read_bin_policy(auditadm_t)
-               corecmd_exec_shell(auditadm_t)
-+              logging_send_syslog_msg(auditadm_t)
-               logging_read_generic_logs(auditadm_t)
-               logging_manage_audit_log(auditadm_t)
-               logging_manage_audit_config(auditadm_t)
-               logging_run_auditctl(auditadm_t,auditadm_r,{ 
auditadm_tty_device_t auditadm_devpts_t })
-               logging_run_auditd(auditadm_t, auditadm_r, { 
auditadm_tty_device_t auditadm_devpts_t })
-+              userdom_dontaudit_read_sysadm_home_content_files(auditadm_t)
- 
-               allow secadm_t self:capability dac_override;
-               corecmd_exec_shell(secadm_t)
-@@ -148,6 +154,7 @@
-               logging_read_audit_log(secadm_t)
-               logging_read_generic_logs(secadm_t)
-               userdom_dontaudit_append_staff_home_content_files(secadm_t)
-+              userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
-       ',`
-               logging_manage_audit_log(sysadm_t)
-               logging_manage_audit_config(sysadm_t)
-@@ -376,11 +383,12 @@
-                       selinux_set_parameters(secadm_t)
- 
-                       seutil_manage_bin_policy(secadm_t)
--                      seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
--                      seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
--                      seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
--                      seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
--                      seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
-+                      seutil_run_checkpolicy(secadm_t,secadm_r,{ 
secadm_tty_device_t sysadm_devpts_t })
-+                      seutil_run_loadpolicy(secadm_t,secadm_r,{ 
secadm_tty_device_t sysadm_devpts_t })
-+                      seutil_run_semanage(secadm_t,secadm_r,{ 
secadm_tty_device_t sysadm_devpts_t })
-+                      seutil_run_setfiles(secadm_t,secadm_r,{ 
secadm_tty_device_t sysadm_devpts_t })
-+                      seutil_run_restorecon(secadm_t,secadm_r,{ 
secadm_tty_device_t sysadm_devpts_t })
-+                      logging_send_syslog_msg(secadm_t)
-               ', `
-                       selinux_set_enforce_mode(sysadm_t)
-                       selinux_set_boolean(sysadm_t)
-@@ -415,6 +423,9 @@
+       optional_policy(`
++              rpm_exec($1_t)
+               rpm_read_db($1_t)
+               rpm_dontaudit_manage_db($1_t)
+       ')
+diff --exclude-from=exclude -N -u -r 
nsaserefpolicy/policy/modules/system/userdomain.te 
serefpolicy-2.3.16/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-09-25 
15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.te     2006-09-26 
09:53:18.000000000 -0400
+@@ -423,6 +423,9 @@
        ')
  
        optional_policy(`
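Review bot: `rpm_exec($1_t)` is added inside the `optional_policy` block of a per-user template (the argument is `$1_t`), so every user domain built from that template gains the right to run rpm in its own domain, where before the block only granted `rpm_read_db` plus a dontaudit on managing the database. Nothing in the patch or the log message says which use case needs this. Please add a comment with the reason next to the new line, and consider limiting it to the roles that actually need to query packages rather than the whole template.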
@@ -2482,9 +2238,9 @@
                usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
                usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
                usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users 
serefpolicy-2.3.15/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users 
serefpolicy-2.3.16/policy/users
 --- nsaserefpolicy/policy/users        2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.15/policy/users    2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/policy/users    2006-09-26 09:53:18.000000000 -0400
 @@ -16,7 +16,7 @@
  # and a user process should never be assigned the system user
  # identity.
@@ -2524,9 +2280,9 @@
 +              gen_user(root, sysadm, sysadm_r staff_r 
ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c1023, c0.c1023)
        ')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular 
serefpolicy-2.3.15/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular 
serefpolicy-2.3.16/Rules.modular
 --- nsaserefpolicy/Rules.modular       2006-09-15 13:14:28.000000000 -0400
-+++ serefpolicy-2.3.15/Rules.modular   2006-09-25 13:31:59.000000000 -0400
++++ serefpolicy-2.3.16/Rules.modular   2006-09-26 09:53:18.000000000 -0400
 @@ -212,6 +212,16 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.292
retrieving revision 1.293
diff -u -r1.292 -r1.293
--- selinux-policy.spec 25 Sep 2006 15:58:33 -0000      1.292
+++ selinux-policy.spec 26 Sep 2006 14:59:58 -0000      1.293
@@ -16,8 +16,8 @@
 %define CHECKPOLICYVER 1.30.11-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.3.15
-Release: 2
+Version: 2.3.16
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -349,6 +349,9 @@
 %endif
 
 %changelog
+* Mon Sep 25 2006 Dan Walsh <dwalsh@xxxxxxxxxx> 2.3.16-1
+- Update with upstream
+
 * Mon Sep 25 2006 Dan Walsh <dwalsh@xxxxxxxxxx> 2.3.15-2
 - mls fixes 
 
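Review bot: the new %changelog entry only says "Update with upstream", but the policy patch in this same commit adds a complete local iscsi module (iscsi.fc, iscsi.if and iscsi.te, each diffed as a new file against nsaserefpolicy) and adds `rpm_exec($1_t)` to the user template, neither of which is an upstream update. Please list these local changes in the entry so that users of 2.3.16-1 can see that a new confined domain was introduced. The entry is also dated Mon Sep 25 while the patched files carry 2006-09-26 timestamps.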


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.92
retrieving revision 1.93
diff -u -r1.92 -r1.93
--- sources     22 Sep 2006 20:41:12 -0000      1.92
+++ sources     26 Sep 2006 14:59:58 -0000      1.93
@@ -1 +1 @@
-c26b613471b3742750204c54e4336a48  serefpolicy-2.3.15.tgz
+549a42b9073f1aae693dd3481a11c9ff  serefpolicy-2.3.16.tgz

-- 
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits
