- Allow openoffice execstack/execmem privs

policy-20080710.patch

@@ -5821,6 +5821,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te
+--- nsaserefpolicy/policy/modules/apps/webalizer.te	2008-10-16 17:21:13.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te	2008-10-28 19:20:51.000000000 -0400
+@@ -68,6 +68,7 @@
+ 
+ fs_search_auto_mountpoints(webalizer_t)
+ fs_getattr_xattr_fs(webalizer_t)
++fs_rw_anon_inodefs_files(webalizer_t)
+ 
+ files_read_etc_files(webalizer_t)
+ files_read_etc_runtime_files(webalizer_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2008-08-07 11:15:02.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/apps/wine.fc	2008-10-28 10:56:19.000000000 -0400
@@ -9491,8 +9502,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te	2008-10-28 11:05:49.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te	2008-10-28 19:21:12.000000000 -0400
-@@ -13,3 +13,20 @@
+@@ -13,3 +13,18 @@
  
  userdom_unpriv_user_template(user)
  
@@ -9511,8 +9522,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	setroubleshoot_dontaudit_stream_connect(user_t)
 +')
-+
-+gen_user(user_u, user, user_r, s0, s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.13/policy/modules/roles/webadm.fc
 --- nsaserefpolicy/policy/modules/roles/webadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/roles/webadm.fc	2008-10-28 10:56:19.000000000 -0400
@@ -33328,18 +33337,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.5.13/policy/users
 --- nsaserefpolicy/policy/users	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/users	2008-10-28 11:14:49.000000000 -0400
++++ serefpolicy-3.5.13/policy/users	2008-10-28 19:21:24.000000000 -0400
-@@ -24,12 +24,9 @@
+@@ -25,11 +25,8 @@
- # SELinux user identity for a Linux user.  If you do not want to
  # permit any access to such users, then remove this entry.
  #
--gen_user(user_u, user, user_r, s0, s0)
+ gen_user(user_u, user, user_r, s0, s0)
 -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 -
 -# Until order dependence is fixed for users:
 -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+#gen_user(user_u, user, user_r, s0, s0)
 +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
  

selinux-policy.spec

@@ -16,7 +16,7 @@
 %define POLICYVER 23
 %define libsepolver 2.0.20-1
 %define POLICYCOREUTILSVER 2.0.54-2
-%define CHECKPOLICYVER 2.0.16-1
+%define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13