- Allow initrc_t to delete dev_null

- Allow readahead to configure auditing
- Fix milter policy
- Add /var/lib/readahead

policy-20090105.patch

@@ -770,26 +770,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.6.12/policy/modules/admin/readahead.fc
 --- nsaserefpolicy/policy/modules/admin/readahead.fc	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.fc	2009-04-23 17:15:49.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.fc	2009-04-24 13:03:55.000000000 -0400
-@@ -1,3 +1,4 @@
+@@ -1,3 +1,7 @@
  /etc/readahead.d(/.*)?		gen_context(system_u:object_r:readahead_etc_rw_t,s0)
  
 -/usr/sbin/readahead	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +/usr/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +/sbin/readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
++
++/var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-24 09:02:26.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-24 13:45:16.000000000 -0400
-@@ -24,7 +24,7 @@
+@@ -11,8 +11,8 @@
+ init_daemon_domain(readahead_t, readahead_exec_t)
+ application_domain(readahead_t, readahead_exec_t)
+ 
+-type readahead_etc_rw_t;
+-files_pid_file(readahead_etc_rw_t)
++type readahead_var_lib_t;
++files_type(readahead_var_lib_t)
+ 
+ type readahead_var_run_t;
+ files_pid_file(readahead_var_run_t)
+@@ -24,9 +24,11 @@
  
  allow readahead_t self:capability { fowner dac_override dac_read_search };
  dontaudit readahead_t self:capability sys_tty_config;
 -allow readahead_t self:process signal_perms;
 +allow readahead_t self:process { setsched signal_perms };
  
- manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t)
+-manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t)
++files_search_var_lib(readahead_t)
++manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
++manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
  
-@@ -58,6 +58,7 @@
+ manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
+ files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+@@ -58,6 +60,7 @@
  fs_dontaudit_search_ramfs(readahead_t)
  fs_dontaudit_read_ramfs_pipes(readahead_t)
  fs_dontaudit_read_ramfs_files(readahead_t)
@@ -797,7 +816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
  
-@@ -72,6 +73,7 @@
+@@ -72,6 +75,7 @@
  init_getattr_initctl(readahead_t)
  
  logging_send_syslog_msg(readahead_t)
@@ -11791,7 +11810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-04-23 10:31:43.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/dbus.if	2009-04-24 13:45:56.000000000 -0400
 @@ -44,6 +44,7 @@
  
  		attribute session_bus_type;
@@ -11993,7 +12012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	ifdef(`hide_broken_symptoms', `
 +		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-+	');
++	')
 +
 +	userdom_dontaudit_search_admin_dir($1)
 +')
@@ -14836,7 +14855,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
 --- nsaserefpolicy/policy/modules/services/milter.if	2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.if	2009-04-24 07:22:51.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/milter.if	2009-04-24 13:45:41.000000000 -0400
+@@ -24,7 +24,7 @@
+ 
+ 	# Type for the milter data (e.g. the socket used to communicate with the MTA)
+ 	type $1_milter_data_t, milter_data_type;
+-	files_type($1_milter_data_t);
++	files_type($1_milter_data_t)
+ 
+ 	allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -77,3 +77,24 @@
  	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
  	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,9 +446,11 @@ exit 0
 %endif
 
 %changelog
-* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-17
+* Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-18
 - Allow initrc_t to delete dev_null
 - Allow readahead to configure auditing
+- Fix milter policy
+- Add /var/lib/readahead
 
 * Fri Apr 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-16
 - Update to latest milter code from Paul Howarth