- Update to upstream

.cvsignore

@@ -201,3 +201,8 @@ serefpolicy-3.7.7.tgz
 serefpolicy-3.7.8.tgz
 setroubleshoot-2.2.58.tar.gz
 serefpolicy-3.7.9.tgz
+serefpolicy-3.7.11.tgz
+serefpolicy-3.7.12.tgz
+serefpolicy-3.7.13.tgz
+serefpolicy-3.7.14.tgz
+serefpolicy-3.7.15.tgz

booleans-targeted.conf

@@ -258,3 +258,11 @@ init_upstart = true
 # Allow mount to mount any file/dir
 # 
 allow_mount_anyfile = true
+
+# Allow confined domains to communicate with ncsd via shared memory
+# 
+nscd_use_shm = true
+
+# Allow fenced domain to connect to the network using TCP.
+#
+fenced_can_network_connect=false

modules-minimum.conf

@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+
 # Layer: apps
 # Module: cpufreqselector 
 #
@@ -159,6 +166,13 @@ automount = module
 # 
 avahi = module
 
+# Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
 # Layer: services
 # Module: bind
 #
@@ -819,7 +833,6 @@ ktalk = module
 # 
 kudzu = base
 
-
 # Layer: services
 # Module: ldap
 #
@@ -827,6 +840,13 @@ kudzu = base
 # 
 ldap = module
 
+# Layer: services
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX
+# 
+likewise = module
+
 # Layer: system
 # Module: libraries
 #
@@ -1454,7 +1474,14 @@ seunshare = module
 # 
 shorewall = base
 
-# Layer: apps
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+# 
+shutdown = module
+
+# Layer: admin
 # Module: sectoolm
 #
 # Policy for sectool-mechanism
@@ -1497,10 +1524,17 @@ slocate = module
 # 
 smartmon = module
 
+# Layer: services 
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+# 
+smokeping = module
+
 # Layer: admin
 # Module: smoltclient
 #
-# The Fedora hardware profiler client
+#The Fedora hardware profiler client
 # 
 smoltclient = module
 
@@ -1956,6 +1990,13 @@ munin = module
 # 
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+# 
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #

modules-mls.conf

@@ -33,11 +33,11 @@ alsa = base
 ada = module
 
 # Layer: services
-# Module: cgroup
+# Module: cachefilesd
 #
-# Tools and libraries to control and monitor control groups
+# CacheFiles userspace management daemon
 # 
-cgroup = module
+cachefilesd = module
 
 # Layer: apps
 # Module: cpufreqselector 
@@ -46,6 +46,13 @@ cgroup = module
 # 
 cpufreqselector = module
 
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+# 
+chrome = module
+
 # Layer: modules
 # Module: awstats
 #
@@ -138,6 +145,13 @@ automount = module
 # 
 avahi = module
 
+# Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
 # Layer: services
 # Module: bind
 #
@@ -218,6 +232,13 @@ certwatch = module
 # 
 certmaster = module
 
+# Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+# 
+certmonger = module
+
 # Layer: services
 # Module: chronyd
 #
@@ -225,7 +246,7 @@ certmaster = module
 # 
 chronyd = module
 
-# Layer: services
+q# Layer: services
 # Module: cipe
 #
 # Encrypted tunnel daemon
@@ -433,12 +454,26 @@ domain = base
 # 
 dovecot = module
 
+# Layer: services
+# Module: git
+#
+# Policy for the stupid content tracker
+# 
+git = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+# 
+gitosis = module
+ 
 # Layer: apps
 # Module: gpg
 #
 # Policy for GNU Privacy Guard and related programs.
 # 
-gpg = off
+gpg = module
 
 # Layer: services
 # Module: gpsd
@@ -507,6 +542,20 @@ finger = module
 # 
 firstboot = base
 
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+# 
+firewallgui = module
+
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+# 
+fprintd = module
+
 # Layer: system
 # Module: fstools
 #
@@ -570,6 +619,13 @@ plymouthd = module
 # 
 policykit = module
 
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+# 
+ptchown = module
+
 # Layer: services
 # Module: psad
 #
@@ -692,6 +748,13 @@ kdump = module
 # 
 kdumpgui = module
 
+# Layer: services
+# Module: ksmtuned
+#
+#  Kernel Samepage Merging (KSM) Tuning Daemon
+# 
+ksmtuned = module
+
 # Layer: services
 # Module: kerberos
 #
@@ -802,7 +865,7 @@ lvm = base
 # Layer: admin
 # Module: mcelog
 #
-# Policy for mcelog.
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. 
 # 
 mcelog = base
 
@@ -871,6 +934,20 @@ mount = base
 # 
 mozilla = module
 
+# Layer: services
+# Module: ntop
+#
+# Policy for ntop
+# 
+ntop = module
+
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+# 
+nslcd = module
+
 # Layer: apps
 # Module: nsplugin
 #
@@ -1142,6 +1219,13 @@ razor = module
 # 
 readahead = base
 
+# Layer: services
+# Module: rgmanager
+#
+# Red Hat Resource Group Manager
+#
+rgmanager = module
+
 # Layer: services
 # Module: rhgb
 #
@@ -1213,6 +1297,13 @@ rshd = module
 # 
 rsync = module
 
+# Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+# 
+rtkit = module
+
 # Layer: services
 # Module: rwho
 #
@@ -1234,6 +1325,13 @@ sasl = module
 # 
 sendmail = base
 
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
 # Layer: services
 # Module: samba
 #
@@ -1243,6 +1341,13 @@ sendmail = base
 # 
 samba = module
 
+# Layer: apps
+# Module: sandbox
+#
+# Experimental policy for running apps within a sandbox
+# 
+sandbox = module
+
 # Layer: apps
 # Module: sambagui
 #
@@ -1526,6 +1631,13 @@ timidity = off
 # 
 tftp = module
 
+# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
 # Layer: services
 # Module: uucp
 #
@@ -1711,6 +1823,13 @@ munin = module
 # 
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+# 
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
@@ -1903,3 +2022,9 @@ rhcs = module
 # 
 shorewall = base
 
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+# 
+shutdown = module

modules-targeted.conf

@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+
 # Layer: apps
 # Module: cpufreqselector 
 #
@@ -159,6 +166,13 @@ automount = module
 # 
 avahi = module
 
+# Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
 # Layer: services
 # Module: bind
 #
@@ -819,7 +833,6 @@ ktalk = module
 # 
 kudzu = base
 
-
 # Layer: services
 # Module: ldap
 #
@@ -827,6 +840,13 @@ kudzu = base
 # 
 ldap = module
 
+# Layer: services
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX
+# 
+likewise = module
+
 # Layer: system
 # Module: libraries
 #
@@ -1454,7 +1474,14 @@ seunshare = module
 # 
 shorewall = base
 
-# Layer: apps
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+# 
+shutdown = module
+
+# Layer: admin
 # Module: sectoolm
 #
 # Policy for sectool-mechanism
@@ -1497,10 +1524,17 @@ slocate = module
 # 
 smartmon = module
 
+# Layer: services 
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+# 
+smokeping = module
+
 # Layer: admin
 # Module: smoltclient
 #
-# The Fedora hardware profiler client
+#The Fedora hardware profiler client
 # 
 smoltclient = module
 
@@ -1956,6 +1990,13 @@ munin = module
 # 
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+# 
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #

nsadiff

@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.9 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.15 > /tmp/diff

securetty_types-minimum

@@ -1,3 +1,4 @@
+console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t

securetty_types-mls

@@ -1,3 +1,4 @@
+console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t

securetty_types-targeted

@@ -1,3 +1,4 @@
+console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t

selinux-policy.spec

@@ -19,7 +19,7 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.7.9
+Version: 3.7.15
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
@@ -466,6 +466,91 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-1
+- Update to upstream
+
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-5
+- Allow boinc to read kernel sysctl
+- Fix snmp port definitions
+- Allow apache to read anon_inodefs
+
+* Sun Mar 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-4
+- Allow shutdown dac_override
+
+* Sat Mar 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-3
+- Add device_t as a file system
+- Fix sysfs association
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-2
+- Dontaudit ipsec_mgmt sys_ptrace
+- Allow at to mail its spool files
+- Allow nsplugin to search in .pulse directory
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-1
+- Update to upstream
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-4
+- Allow users to dbus chat with xdm
+- Allow users to r/w wireless_device_t
+- Dontaudit reading of process states by ipsec_mgmt
+
+* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-3
+- Fix openoffice from unconfined_t
+
+* Wed Mar 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-2
+- Add shutdown policy so consolekit can shutdown system
+
+* Tue Mar 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-1
+- Update to upstream
+
+* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.12-1
+- Update to upstream
+
+* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.11-1
+- Update to upstream - These are merges of my patches
+- Remove 389 labeling conflicts
+- Add MLS fixes found in RHEL6 testing
+- Allow pulseaudio to run as a service
+- Add label for mssql and allow apache to connect to this database port if boolean set
+- Dontaudit searches of debugfs mount point
+- Allow policykit_auth to send signals to itself
+- Allow modcluster to call getpwnam
+- Allow swat to signal winbind
+- Allow usbmux to run as a system role
+- Allow svirt to create and use devpts
+
+* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-5
+- Add MLS fixes found in RHEL6 testing
+- Allow domains to append to rpm_tmp_t
+- Add cachefilesfd policy
+- Dontaudit leaks when transitioning
+
+* Wed Feb 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-4
+- Change allow_execstack and allow_execmem booleans to on
+- dontaudit acct using console
+- Add label for fping
+- Allow tmpreaper to delete sandbox_file_t
+- Fix wine dontaudit mmap_zero
+- Allow abrt to read var_t symlinks
+
+* Tue Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-3
+- Additional policy for rgmanager
+
+* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-2
+- Allow sshd to setattr on pseudo terms
+
+* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-1
+- Update to upstream
+
+* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-4
+- Allow policykit to send itself signals
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-3
+- Fix duplicate cobbler definition
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-2
+- Fix file context of /var/lib/avahi-autoipd
+
 * Fri Feb 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-1
 - Merge with upstream
 

sources

@@ -1,2 +1,2 @@
 4c7d323036f1662a06a7a4f2a7da57a5  config.tgz
-87a01bd56d6fca0ae9bef4d35dad49ef  serefpolicy-3.7.9.tgz
+aaaf54fcfe4fe4e0a906dca6c21fa7ed  serefpolicy-3.7.15.tgz