- Allow allow_httpd_mod_auth_pam to work

policy-20071130.patch

@@ -13893,18 +13893,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f
  /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
  
  /opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.2.5/policy/modules/services/oddjob.fc
+--- nsaserefpolicy/policy/modules/services/oddjob.fc	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/services/oddjob.fc	2008-01-31 15:22:43.000000000 -0500
+@@ -1,4 +1,4 @@
+-/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+ 
+ /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.2.5/policy/modules/services/oddjob.if
+--- nsaserefpolicy/policy/modules/services/oddjob.if	2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/oddjob.if	2008-01-31 15:49:10.000000000 -0500
+@@ -44,6 +44,7 @@
+ 	')
+ 
+ 	domtrans_pattern(oddjob_t, $2, $1)
++	domain_user_exemption_target($1)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te	2008-01-18 12:40:46.000000000 -0500
-@@ -15,6 +15,7 @@
++++ serefpolicy-3.2.5/policy/modules/services/oddjob.te	2008-01-31 15:44:28.000000000 -0500
+@@ -10,14 +10,20 @@
+ type oddjob_exec_t;
+ domain_type(oddjob_t)
+ init_daemon_domain(oddjob_t, oddjob_exec_t)
++domain_obj_id_change_exemption(oddjob_t)
+ domain_subj_id_change_exemption(oddjob_t)
+ 
  type oddjob_mkhomedir_t;
  type oddjob_mkhomedir_exec_t;
  domain_type(oddjob_mkhomedir_t)
+-init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 +domain_obj_id_change_exemption(oddjob_mkhomedir_t)
- init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
++init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
  oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
  
-@@ -68,20 +69,38 @@
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(oddjob_t,oddjob_exec_t,s0 - mcs_systemhigh)
++')
++
+ # pid files
+ type oddjob_var_run_t;
+ files_pid_file(oddjob_var_run_t)
+@@ -68,20 +74,38 @@
  # oddjob_mkhomedir local policy
  #
  
@@ -21350,7 +21384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-31 13:43:36.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if	2008-01-31 15:15:50.000000000 -0500
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -21396,7 +21430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -221,11 +237,35 @@
+@@ -221,11 +237,36 @@
  
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
@@ -21414,6 +21448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +		dbus_system_bus_client_template(notused, $1)
 +		optional_policy(`
 +			oddjob_dbus_chat($1)
++			oddjob_domtrans_mkhomedir($1)
 +		')
 +	')
 +
@@ -21433,7 +21468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -342,6 +382,8 @@
+@@ -342,6 +383,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -21442,7 +21477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  
  	optional_policy(`
-@@ -356,6 +398,28 @@
+@@ -356,6 +399,28 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -21471,7 +21506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
  
  ########################################
-@@ -369,12 +433,12 @@
+@@ -369,12 +434,12 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -21486,7 +21521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ##	</summary>
  ## </param>
  #
-@@ -386,6 +450,7 @@
+@@ -386,6 +451,7 @@
  	auth_domtrans_chk_passwd($1)
  	role $2 types system_chkpwd_t;
  	allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -21494,7 +21529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
  
  ########################################
-@@ -1457,6 +1522,7 @@
+@@ -1457,6 +1523,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -21502,7 +21537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  ')
  
-@@ -1491,3 +1557,23 @@
+@@ -1491,3 +1558,23 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,7 +387,7 @@ exit 0
 %endif
 
 %changelog
-* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-23
+* Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-24
 - Allow allow_httpd_mod_auth_pam to work
 
 * Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-22