- Allow amanda to read tape

- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
- Add support for netware file systems

policy-20080509.patch

@@ -284,7 +284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.4.2/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/amanda.te	2008-07-02 08:47:04.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/amanda.te	2008-07-07 11:14:20.000000000 -0400
 @@ -82,8 +82,9 @@
  allow amanda_t amanda_config_t:file { getattr read };
  
@@ -297,7 +297,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.
  
  # access to amanda_dumpdates_t
  allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-@@ -220,6 +221,7 @@
+@@ -146,6 +147,8 @@
+ fs_list_all(amanda_t)
+ 
+ storage_raw_read_fixed_disk(amanda_t)
++storage_read_tape(amanda_t)
++storage_write_tape(amanda_t)
+ 
+ # Added for targeted policy
+ term_use_unallocated_ttys(amanda_t)
+@@ -220,6 +223,7 @@
  auth_use_nsswitch(amanda_recover_t)
  
  fstools_domtrans(amanda_t)
@@ -1460,7 +1469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.4.2/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/sudo.if	2008-07-02 08:47:04.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/sudo.if	2008-07-07 11:49:07.000000000 -0400
 @@ -55,7 +55,7 @@
  	#
  
@@ -1510,7 +1519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  
  	domain_use_interactive_fds($1_sudo_t)
  	domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,49 @@
+@@ -106,32 +108,50 @@
  	files_getattr_usr_files($1_sudo_t)
  	# for some PAM modules and for cwd
  	files_dontaudit_search_home($1_sudo_t)
@@ -1549,6 +1558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  	# for some PAM modules and for cwd
 +	sysadm_search_home_content_dirs($1_sudo_t)
  	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
++	userdom_manage_all_users_keys($1_sudo_t)
  
 -	ifdef(`TODO',`
 -	# for when the network connection is killed
@@ -7375,7 +7385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.4.2/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2008-06-12 23:25:02.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/kernel/filesystem.te	2008-07-02 08:47:04.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/kernel/filesystem.te	2008-07-07 12:19:45.000000000 -0400
 @@ -21,7 +21,6 @@
  
  # Use xattrs for the following filesystem types.
@@ -7396,6 +7406,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  type eventpollfs_t;
  fs_type(eventpollfs_t)
  # change to task SID 20060628
+@@ -241,6 +245,7 @@
+ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ 
+ ########################################
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.4.2/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2008-06-12 23:25:03.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/kernel/kernel.if	2008-07-02 08:47:04.000000000 -0400
@@ -21376,7 +21394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-07-02 08:47:04.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-07-07 11:27:54.000000000 -0400
 @@ -19,12 +19,31 @@
  type prelude_var_lib_t;
  files_type(prelude_var_lib_t)
@@ -21520,12 +21538,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -135,6 +234,10 @@
+@@ -135,6 +234,12 @@
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
  
 +	auth_use_nsswitch(httpd_prewikka_script_t)
 +
++	logging_send_syslog_msg(httpd_prewikka_script_t)
++
 +	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
 +
  	optional_policy(`
@@ -28282,7 +28302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.4.2/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/authlogin.if	2008-07-02 08:47:05.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/authlogin.if	2008-07-07 11:48:48.000000000 -0400
 @@ -56,10 +56,6 @@
  	miscfiles_read_localization($1_chkpwd_t)
  
@@ -29779,7 +29799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.4.2/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/logging.if	2008-07-02 08:55:06.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/logging.if	2008-07-07 11:43:15.000000000 -0400
 @@ -213,12 +213,7 @@
  ## </param>
  #
@@ -29884,7 +29904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ')
  
  ########################################
-@@ -771,6 +803,131 @@
+@@ -771,6 +803,132 @@
  ## <rolecap/>
  #
  interface(`logging_admin',`
@@ -29995,6 +30015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +	role system_r types $1;
 +
 +	domtrans_pattern(audisp_t,$2,$1)
++	allow $1 audisp_t:process signal;
 +
 +	allow audisp_t $2:file getattr;
 +	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
@@ -33457,7 +33478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.4.2/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/system/userdomain.if	2008-07-02 08:47:05.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/userdomain.if	2008-07-07 11:47:08.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.4.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -375,6 +375,11 @@ exit 0
 %endif
 
 %changelog
+* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-12
+- Allow amanda to read tape
+- Allow prewikka cgi to use syslog, allow audisp_t to signal cgi
+- Add support for netware file systems
+
 * Thu Jul 3 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-11
 - Allow ypbind apps to net_bind_service