trunk: 10 patches from dan.

man/man8/ftpd_selinux.8

@@ -12,7 +12,7 @@ If you want to share files anonymously, you must label the files and directories
 .TP
 chcon -R -t public_content_t /var/ftp
 .TP
-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
+If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
 .TP
 chcon -t public_content_rw_t /var/ftp/incoming
 .TP

man/man8/httpd_selinux.8

@@ -30,7 +30,7 @@ httpd_sys_script_exec_t
 .EX
 httpd_sys_script_ro_t 
 .EE
-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
+- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
 .EX
 httpd_sys_script_rw_t 
 .EE

policy/modules/admin/dmidecode.te

@@ -1,5 +1,5 @@
 
-policy_module(dmidecode,1.2.1)
+policy_module(dmidecode,1.2.2)
 
 ########################################
 #
@@ -18,6 +18,7 @@ role system_r types dmidecode_t;
 
 allow dmidecode_t self:capability sys_rawio;
 
+dev_read_sysfs(dmidecode_t)
 # Allow dmidecode to read /dev/mem
 dev_read_raw_memory(dmidecode_t)
 

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.11)
+policy_module(corenetwork,1.2.12)
 
 ########################################
 #
@@ -164,6 +164,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(xen, tcp,8002,s0)
+network_port(xfs, tcp,7100,s0)
 network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
 network_port(zope, tcp,8021,s0)

policy/modules/services/ktalk.te

@@ -1,5 +1,5 @@
 
-policy_module(ktalk,1.5.1)
+policy_module(ktalk,1.5.2)
 
 ########################################
 #
@@ -68,6 +68,10 @@ fs_getattr_xattr_fs(ktalkd_t)
 
 files_read_etc_files(ktalkd_t)
 
+term_search_ptys(ktalkd_t)
+
+auth_use_nsswitch(ktalkd_t)
+
 init_read_utmp(ktalkd_t)
 
 libs_use_ld_so(ktalkd_t)
@@ -75,13 +79,3 @@ libs_use_shared_libs(ktalkd_t)
 logging_send_syslog_msg(ktalkd_t)
 
 miscfiles_read_localization(ktalkd_t)
-
-sysnet_read_config(ktalkd_t)
-
-optional_policy(`
-	nis_use_ypbind(ktalkd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(ktalkd_t)
-')

policy/modules/services/rsync.te

@@ -1,5 +1,5 @@
 
-policy_module(rsync,1.5.0)
+policy_module(rsync,1.5.1)
 
 ########################################
 #
@@ -17,6 +17,7 @@ gen_tunable(allow_rsync_anon_write,false)
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 
 type rsync_data_t;

policy/modules/services/setroubleshoot.te

@@ -1,5 +1,5 @@
 
-policy_module(setroubleshoot,1.5.1)
+policy_module(setroubleshoot,1.5.2)
 
 ########################################
 #
@@ -67,6 +67,7 @@ corenet_tcp_connect_smtp_port(setroubleshootd_t)
 corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
 
 dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
 
 domain_dontaudit_search_all_domains_state(setroubleshootd_t)
 
@@ -106,6 +107,12 @@ sysnet_read_config(setroubleshootd_t)
 
 userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
 
+optional_policy(`
+	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+	dbus_send_system_bus(setroubleshootd_t)
+	dbus_connect_system_bus(setroubleshootd_t)
+')
+
 optional_policy(`
 	rpm_read_db(setroubleshootd_t)
 	rpm_dontaudit_manage_db(setroubleshootd_t)

policy/modules/services/tftp.te

@@ -1,5 +1,5 @@
 
-policy_module(tftp,1.5.1)
+policy_module(tftp,1.5.2)
 
 ########################################
 #
@@ -26,6 +26,7 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
 allow tftpd_t self:udp_socket create_socket_perms;
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit tftpd_t self:capability sys_tty_config;
 
 allow tftpd_t tftpdir_t:dir { getattr read search };

policy/modules/services/xfs.te

@@ -1,5 +1,5 @@
 
-policy_module(xfs,1.2.1)
+policy_module(xfs,1.2.2)
 
 ########################################
 #
@@ -37,6 +37,15 @@ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_all_nodes(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_all_nodes(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_server_packets(xfs_t)
+
 corecmd_list_bin(xfs_t)
 
 dev_read_sysfs(xfs_t)

policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.4.1)
+policy_module(ipsec,1.4.2)
 
 ########################################
 #
@@ -321,6 +321,7 @@ libs_use_shared_libs(racoon_t)
 locallogin_use_fds(racoon_t)
 
 logging_send_syslog_msg(racoon_t)
+logging_send_audit_msgs(racoon_t)
 
 miscfiles_read_localization(racoon_t)