- Remove old booleans from targeted-booleans.conf file

booleans-targeted.conf

@@ -1,14 +1,14 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = true
+allow_execmem = false
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
-allow_execmod = true
+allow_execmod = false
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
@@ -66,10 +66,6 @@ fcron_crond = false
 # 
 ftp_home_dir = false
 
-# Allow ftpd to run directly without inetd
-# 
-ftpd_is_daemon = true
-
 #
 # allow httpd to connect to mysql/posgresql 
 httpd_can_network_connect_db = false
@@ -130,10 +126,6 @@ pppd_can_insmod = false
 # 
 read_default_t = true
 
-# Allow ssh to run from inetd instead of as a daemon.
-# 
-run_ssh_inetd = false
-
 # Allow samba to export user home directories.
 # 
 samba_enable_home_dirs = false
@@ -142,10 +134,6 @@ samba_enable_home_dirs = false
 # 
 squid_connect_any = false
 
-# Configure stunnel to be a standalone daemon orinetd service.
-# 
-stunnel_is_daemon = false
-
 # Support NFS home directories
 # 
 use_nfs_home_dirs = true
@@ -158,18 +146,10 @@ use_samba_home_dirs = false
 # 
 user_ping = true
 
-# Allow gpg executable stack
-# 
-allow_gpg_execstack = false
-
 # allow host key based authentication
 # 
 allow_ssh_keysign = false
 
-# Allow users to connect to mysql
-# 
-allow_user_mysql_connect = false
-
 # Allow pppd to be run for a regular user
 # 
 pppd_for_user = false
@@ -190,18 +170,10 @@ user_direct_mouse = false
 # 
 user_dmesg = false
 
-# Allow users to control network interfaces(also needs USERCTL=true)
-# 
-user_net_control = false
-
 # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
 # 
 user_rw_noexattrfile = false
 
-# Allow users to rw usb devices
-# 
-user_rw_usb = false
-
 # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users)  disabling this forces FTP passive modeand may change other protocols.
 # 
 user_tcp_server = false
@@ -226,14 +198,6 @@ allow_polyinstantiation = false
 # 
 allow_daemons_dump_core = true
 
-# Allow mount command to mounton any directory
-# 
-allow_mounton_anydir = true
-
-# Allow unlabeled packets to flow
-# 
-allow_unlabeled_packets = true
-
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
@@ -273,4 +237,8 @@ allow_nsplugin_execmem=true
 
 # Allow unconfined domain to transition to confined domain
 # 
-allow_unconfined_nsplugin_transition=false
+allow_unconfined_nsplugin_transition=true
+
+# Allow unconfined domains mmap low kernel memory
+# 
+allow_unconfined_mmap_low = false

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 41%{?dist}
+Release: 43%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,14 @@ exit 0
 %endif
 
 %changelog
+* Mon Apr 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-43
+- Remove old booleans from targeted-booleans.conf file
+
+* Fri Apr 25 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-42
+- Add boolean to mmap_zero
+- allow tor setgid
+- Allow gnomeclock to set clock
+
 * Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-41
 - Don't run crontab from unconfined_t