- Fix dnsmasq

- Allow rshd full login privs
2007-10-19 15:01:30 +00:00 · 2007-10-19 15:01:30 +00:00 · 3375c34d9a
commit 3375c34d9a
parent 6455c9d6b5
2 changed files with 88 additions and 49 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -2198,7 +2198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-18 13:19:26.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-19 10:15:22.000000000 -0400
@@ -22,7 +22,7 @@
 # Local policy
 #
@ -3650,7 +3650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-19 11:01:04.000000000 -0400
@@ -6,6 +6,22 @@
 # Declarations
 #
@ -3674,7 +3674,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 # Mark process types as domains
 attribute domain;
 
-@@ -134,3 +150,22 @@
+@@ -80,6 +96,8 @@
+ allow domain self:lnk_file r_file_perms;
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
+# Every domain gets the key ring, so we should default to no one allowed to look at it
+kernel_dontaudit_search_key(domain)
+ 
+ # create child processes in the domain
+ allow domain self:process { fork sigchld };
+@@ -134,3 +152,22 @@
 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
@ -4264,8 +4273,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-08 11:25:43.000000000 -0400
-@@ -80,6 +80,7 @@
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-19 10:04:10.000000000 -0400
+@@ -29,6 +29,7 @@
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ 
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -80,6 +81,7 @@
 type fusefs_t;
 fs_noxattr_type(fusefs_t)
 allow fusefs_t self:filesystem associate;
@ -4273,7 +4290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
 genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
 
-@@ -116,6 +117,7 @@
+@@ -116,6 +118,7 @@
 
 type ramfs_t;
 fs_type(ramfs_t)
@ -4281,7 +4298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
 
 type romfs_t;
-@@ -133,6 +135,11 @@
+@@ -133,6 +136,11 @@
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
 
@ -4295,7 +4312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2007-10-19 11:00:20.000000000 -0400
@@ -352,6 +352,24 @@
 
 ########################################
@ -6882,14 +6899,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2007-10-03 11:10:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2007-10-19 10:47:35.000000000 -0400
@@ -94,3 +94,7 @@
 optional_policy(`
 	udev_read_db(dnsmasq_t)
 ')
 +
 +optional_policy(`
-+	virt_rw_lib_files(dnsmasq_t)
+	virt_manage_lib_files(dnsmasq_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
@ -7703,7 +7720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-10-10 09:28:59.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-10-19 10:51:35.000000000 -0400
@@ -53,6 +53,8 @@
 allow inetd_t inetd_var_run_t:file manage_file_perms;
 files_pid_filetrans(inetd_t,inetd_var_run_t,file)
@ -7713,7 +7730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 kernel_read_kernel_sysctls(inetd_t)
 kernel_list_proc(inetd_t)
 kernel_read_proc_symlinks(inetd_t)
-@@ -80,16 +82,21 @@
+@@ -80,16 +82,22 @@
 corenet_udp_bind_comsat_port(inetd_t)
 corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)
@ -7721,6 +7738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 +corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
 +corenet_udp_bind_rlogind_port(inetd_t)
@ -7735,7 +7753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 corenet_udp_bind_tftp_port(inetd_t)
 corenet_tcp_bind_ssh_port(inetd_t)
 
-@@ -132,8 +139,10 @@
+@@ -132,8 +140,10 @@
 miscfiles_read_localization(inetd_t)
 
 # xinetd needs MLS override privileges to work
@ -7746,19 +7764,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 mls_process_set_level(inetd_t)
 
 sysnet_read_config(inetd_t)
-@@ -141,6 +150,11 @@
+@@ -141,6 +151,11 @@
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
 userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
 
 +ifdef(`enable_mls',`
-+ 	corenet_tcp_recv_netlabel(inetd_t)
-+  	corenet_udp_recv_netlabel(inetd_t)
+ 	corenet_tcp_recvfrom_netlabel(inetd_t)
+  	corenet_udp_recvfrom_netlabel(inetd_t)
 +')
 +
 optional_policy(`
 	amanda_search_lib(inetd_t)
 ')
-@@ -170,6 +184,9 @@
+@@ -170,6 +185,9 @@
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
@ -7768,7 +7786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
 files_search_home(inetd_child_t)
 
 manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -212,13 +229,10 @@
+@@ -212,13 +230,10 @@
 ')
 
 optional_policy(`
@ -9999,7 +10017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 	userdom_read_unpriv_users_tmp_files(gssd_t) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rshd.te	2007-10-18 18:33:05.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rshd.te	2007-10-19 10:15:23.000000000 -0400
@@ -16,10 +16,11 @@
 #
 # Local policy
@ -10023,13 +10041,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
 corenet_sendrecv_rsh_server_packets(rshd_t)
 
 dev_read_urand(rshd_t)
-@@ -44,28 +48,44 @@
+@@ -44,28 +48,42 @@
 selinux_compute_relabel_context(rshd_t)
 selinux_compute_user_contexts(rshd_t)
 
-+auth_use_nsswitch(rshd_t)
- auth_domtrans_chk_passwd(rshd_t)
-+auth_domtrans_upd_passwd_chk(rshd_t)
+-auth_domtrans_chk_passwd(rshd_t)
+auth_login_pgm_domain(rshd_t)
 +auth_search_key(rshd_t)
 +auth_write_login_records(rshd_t)
 
@ -10071,7 +10088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
 tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(rshd_t)
 	fs_read_nfs_symlinks(rshd_t)
-@@ -76,15 +96,3 @@
+@@ -76,15 +94,3 @@
 	fs_read_cifs_symlinks(rshd_t)
 ')
 
@ -12190,7 +12207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-18 17:06:56.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-19 08:20:05.000000000 -0400
@@ -26,7 +26,8 @@
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -12222,14 +12239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 
 	domain_type($1)
 	domain_subj_id_change_exemption($1)
-@@ -176,11 +178,32 @@
+@@ -176,11 +178,31 @@
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 
 +	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 +	kernel_write_proc_files($1)
 +
-+
 +	auth_keyring_domain($1)
 +	allow $1 keyring_type:key { search link };
 +
@ -12255,7 +12271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	selinux_get_fs_mount($1)
 	selinux_validate_context($1)
 	selinux_compute_access_vector($1)
-@@ -196,22 +219,40 @@
+@@ -196,22 +218,40 @@
 	mls_fd_share_all_levels($1)
 
 	auth_domtrans_chk_passwd($1)
@ -12297,7 +12313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
 
-@@ -309,9 +350,6 @@
+@@ -309,9 +349,6 @@
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
 
@ -12307,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	corecmd_search_bin($1)
 	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 
-@@ -329,6 +367,8 @@
+@@ -329,6 +366,8 @@
 
 	optional_policy(`
 		kerberos_use($1)
@ -12316,7 +12332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 
 	optional_policy(`
-@@ -347,6 +387,37 @@
+@@ -347,6 +386,37 @@
 
 ########################################
 ## <summary>
@ -12354,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	Get the attributes of the shadow passwords file.
 ## </summary>
 ## <param name="domain">
-@@ -695,6 +766,24 @@
+@@ -695,6 +765,24 @@
 
 ########################################
 ## <summary>
@ -12379,7 +12395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	Execute pam programs in the PAM domain.
 ## </summary>
 ## <param name="domain">
-@@ -1318,16 +1407,14 @@
+@@ -1318,16 +1406,14 @@
 ## </param>
 #
 interface(`auth_use_nsswitch',`
@ -12399,7 +12415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	miscfiles_read_certs($1)
 
 	sysnet_dns_name_resolve($1)
-@@ -1347,6 +1434,8 @@
+@@ -1347,6 +1433,8 @@
 
 	optional_policy(`
 		samba_stream_connect_winbind($1)
@ -12408,7 +12424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
 
-@@ -1381,3 +1470,163 @@
+@@ -1381,3 +1469,163 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -15668,7 +15684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-18 16:48:24.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-19 10:29:16.000000000 -0400
@@ -5,36 +5,48 @@
 #
 # Declarations
@ -15725,7 +15741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
-@@ -42,37 +54,30 @@
+@@ -42,37 +54,29 @@
 logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
 mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -15738,7 +15754,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 -unconfined_domain(unconfined_t)
 -
-+userdom_unconfined(unconfined_t)
 userdom_priveleged_home_dir_manager(unconfined_t)
 
 optional_policy(`
@ -15771,7 +15786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -107,6 +112,10 @@
+@@ -107,6 +111,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
@ -15782,7 +15797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -118,11 +127,11 @@
+@@ -118,11 +126,11 @@
 ')
 
 optional_policy(`
@ -15796,7 +15811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -134,11 +143,7 @@
+@@ -134,11 +142,7 @@
 ')
 
 optional_policy(`
@ -15809,7 +15824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -155,32 +160,23 @@
+@@ -155,32 +159,23 @@
 
 optional_policy(`
 	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -15846,7 +15861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -205,11 +201,22 @@
+@@ -205,11 +200,22 @@
 ')
 
 optional_policy(`
@ -15871,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -225,8 +232,21 @@
+@@ -225,8 +231,21 @@
 
 	init_dbus_chat_script(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
@ -17456,8 +17471,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
 +/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
 --- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/system/virt.if	2007-10-03 11:10:25.000000000 -0400
-@@ -0,0 +1,58 @@
+++ serefpolicy-3.0.8/policy/modules/system/virt.if	2007-10-19 10:47:26.000000000 -0400
+@@ -0,0 +1,78 @@
 +## <summary>Virtualization </summary>
 +
 +########################################
@ -17516,6 +17531,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
 +	files_list_var_lib($1)
 +	rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
 +')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	virt library files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+	gen_require(`
+		type virt_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/policy/modules/system/virt.te	2007-10-03 11:10:25.000000000 -0400
@ -17775,7 +17810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/webadm.te	2007-10-03 11:10:25.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/users/webadm.te	2007-10-19 10:27:46.000000000 -0400
@@ -0,0 +1,42 @@
 +policy_module(webadm,1.0.0)
 +
@ -17805,7 +17840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +files_manage_generic_locks(webadm_t)
 +files_list_var(webadm_t)
 +selinux_get_enforce_mode(webadm_t)
-+seutil_domtrans_restorecon(webadm_t)
+seutil_domtrans_setfiles(webadm_t)
 +
 +logging_send_syslog_msg(webadm_t)
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -373,6 +373,10 @@ exit 0
 %endif

 %changelog
+* Fri Oct 17 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-27
+- Fix dnsmasq
+- Allow rshd full login privs
+
 * Thu Oct 16 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-26
 - Allow rshd to connect to ports > 1023