This one has my latest patch. It's nothing serious at all.

A change to postgresql policy because the start scripts run "ps".

A new type for quota databases (which needs some improvement - apparently different versions of quota use different names, also needs support for multiple file systems).

The logrotate domain needs to read apache config files so it knows how to restart it.

update-modules needs to read some sysctl's (the tail program which is called from a script needs them). Could have used a dontaudit rule I guess, but for what update-modules is doing there's no reason to prevent such access (and a dontaudit rule could bite us later if the modutils change in an unexpected way).

tmpreaper needs to be able to unlink files of home_type so that "mv ~/file /tmp" on a machine with a single file system (/tmp and /home on the same filesystem), doesn't result in files under /tmp that tmpreaper can't remove. Sure there's probably lots of other ways of preventing tmpreaper from removing files, but this is a really common one that's easy to fix. tmpreaper can't search home_type directories so it can't invade your home dir either...

Steve, I think this is worthy of the CVS.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.



text/x-diff attachment: diff