diff --git a/modules-minimum.conf b/modules-minimum.conf
index 3c06644..28611ef 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -527,6 +527,13 @@ hal = module
 # 
 polkit = module
 
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+# 
+psad = module
+
 # Layer: system
 # Module: hostname
 #
diff --git a/modules-mls.conf b/modules-mls.conf
index eea74cd..3577d01 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -527,6 +527,13 @@ hal = module
 # 
 polkit = module
 
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+# 
+psad = module
+
 # Layer: system
 # Module: hostname
 #
@@ -1329,13 +1336,6 @@ ulogd = module
 # 
 wine = module
 
-# Layer: apps
-# Module: wm
-#
-# X windows window manager
-# 
-#wm = module
-
 # Layer: admin
 # Module: tzdata
 #
@@ -1767,3 +1767,11 @@ pingd = module
 # 
 # 
 milter = module
+
+# Layer: apps
+# Module: wm
+#
+# X windows window manager
+# 
+wm = module
+
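Review bot: The re-enabled `wm = module` entry is appended after `milter = module` at the very end of the file, while the preceding hunk in this same file removes the block from its place among the other apps-layer entries; re-enabling the existing line in place (`wm = module` where `#wm = module` was) would keep the file's layer grouping intact and turn the change into a one-line diff. The modules-minimum.conf and modules-targeted.conf hunks in this commit only add psad, so whether wm is enabled there cannot be seen here; if the intent is to ship the wm module for all policy types, those files presumably need the same entry.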
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3c06644..28611ef 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -527,6 +527,13 @@ hal = module
 # 
 polkit = module
 
+# Layer: services
+# Module: psad
+#
+# Analyze iptables log for hostile traffic
+# 
+psad = module
+
 # Layer: system
 # Module: hostname
 #
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 19d0b5c..df9c30f 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -2194,7 +2194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +seutil_domtrans_setfiles_mac(livecd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.3/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2008-08-07 11:15:02.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/apps/mono.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/mono.if	2009-01-21 12:26:56.000000000 -0500
 @@ -21,6 +21,103 @@
  
  ########################################
@@ -3933,8 +3933,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.6.3/policy/modules/apps/wm.if
 --- nsaserefpolicy/policy/modules/apps/wm.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/wm.if	2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,19 @@
++++ serefpolicy-3.6.3/policy/modules/apps/wm.if	2009-01-21 14:33:42.000000000 -0500
+@@ -0,0 +1,108 @@
 +## <summary>Window Manager.</summary>
 +
 +########################################
@@ -3954,114 +3954,108 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	can_exec($1, wm_exec_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.3/policy/modules/apps/wm.te
---- nsaserefpolicy/policy/modules/apps/wm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/wm.te	2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,104 @@
-+policy_module(wm,0.0.4)
 +
-+########################################
-+#
-+# Declarations
++#######################################
++## <summary>
++##	The role template for the wm module.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a derived domains which are used
++##	for wm applications.
++##	</p>
++## </desc>
++## <param name="role_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
 +#
++template(`wm_role_template',`
++	gen_require(`
++		type wm_exec_t;
++	')
 +
-+type wm_t;
-+type wm_exec_t;
-+domain_type(wm_t)
-+domain_entry_file(wm_t,wm_exec_t)
-+role user_r types wm_t;
-+
-+type wm_tmpfs_t;
-+
-+files_read_etc_files(wm_t)
-+
-+nscd_dontaudit_search_pid(wm_t)
-+
-+miscfiles_read_localization(wm_t)
-+
-+dev_read_urand(wm_t)
-+
-+files_list_tmp(wm_t)
++	type $1_wm_t;
++	domain_type($1_wm_t)
++	domain_entry_file($1_wm_t, wm_exec_t)
++	role $2 types $1_wm_t;
 +
-+allow wm_t proc_t:file { read getattr };
++	domtrans_pattern($3, wm_exec_t, $1_wm_t)
 +
-+allow wm_t info_xproperty_t:x_property { write create };
++	corecmd_bin_domtrans($1_wm_t, $1_t)
++	corecmd_shell_domtrans($1_wm_t, $1_t)
 +
-+allow wm_t self:process getsched;
-+allow wm_t self:x_drawable blend;
++	ifdef(`enable_mls',`
++		mls_file_read_all_levels($1_wm_t)
++		mls_file_write_all_levels($1_wm_t)
++		mls_xwin_read_all_levels($1_wm_t)
++		mls_xwin_write_all_levels($1_wm_t)
++		mls_fd_use_all_levels($1_wm_t)
++	')
 +
-+allow wm_t tmpfs_t:file { read write };
++	files_read_etc_files($1_wm_t)
++	files_read_usr_files($1_wm_t)
 +
-+allow wm_t usr_t:file { read getattr };
-+allow wm_t usr_t:lnk_file read;
++	miscfiles_read_fonts($1_wm_t)
++	miscfiles_read_localization($1_wm_t)
 +
-+allow wm_t user_tmp_t:dir { write search setattr remove_name getattr add_name };
-+allow wm_t user_tmp_t:sock_file { write create unlink };
++	optional_policy(`
++		gnome_read_config($1_wm_t)
++		gnome_read_gconf_config($1_wm_t)
++	')
 +
-+allow wm_t user_t:unix_stream_socket connectto;
-+allow wm_t self:fifo_file { write read };
++	auth_use_nsswitch($1_wm_t)
 +
++	kernel_read_system_state($1_wm_t)
 +
-+allow wm_t client_xevent_t:x_synthetic_event send;
-+allow wm_t focus_xevent_t:x_event receive;
-+allow wm_t input_xevent_t:x_event receive;
-+allow wm_t manage_xevent_t:x_event receive;
-+allow wm_t manage_xevent_t:x_synthetic_event { receive send };
-+allow wm_t property_xevent_t:x_event receive;
-+allow wm_t xproperty_t:x_property { read write destroy };
-+allow wm_t rootwindow_t:x_colormap { install uninstall use add_color remove_color read };
-+allow wm_t rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override };
-+allow wm_t xproperty_t:x_property { write read };
-+allow wm_t xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write };
-+allow wm_t xserver_t:x_resource { read write };
-+allow wm_t xserver_t:x_screen setattr;
-+allow wm_t xselection_t:x_selection setattr;
++	allow $1_wm_t self:fifo_file rw_fifo_file_perms;
++	allow $1_wm_t self:process getsched;
++	allow $1_wm_t self:shm create_shm_perms;
 +
-+allow wm_t :x_drawable { get_property setattr show receive manage send read getattr list_child set_property };
-+allow wm_t $2_t:x_resource { read write };
++	allow $1_wm_t $1_t:unix_stream_socket connectto;
 +
-+ifdef(`enable_mls',`
-+	mls_file_read_all_levels(wm_t)
-+	mls_file_write_all_levels(wm_t)
-+	mls_xwin_read_all_levels(wm_t)
-+	mls_xwin_write_all_levels(wm_t)
-+	mls_fd_use_all_levels(wm_t)
-+')
++	optional_policy(`
++		dbus_system_bus_client($1_wm_t)
++	')
 +
-+corecmd_exec_bin(wm_t)
-+can_exec(wm_t, { shell_exec_t })
-+domtrans_pattern(wm_t,bin_t,user_t)
++	userdom_unpriv_usertype($1, $1_wm_t)
 +
-+allow user_t wm_t:unix_stream_socket connectto;
-+allow user_t wm_t:x_drawable { receive get_property getattr list_child };
++	userdom_manage_home_role($1_r, $1_wm_t)
++	userdom_manage_tmpfs_role($1_r, $1_wm_t)
++	userdom_manage_tmp_role($1_r, $1_wm_t)
 +
-+allow user_t wm_t:process signal;
++	dev_read_urand($1_wm_t)
 +
-+optional_policy(`
-+	dbus_system_bus_client(wm_t)
-+	dbus_user_bus_client(user,wm_t)
++	optional_policy(`
++		xserver_role($1_r, $1_wm_t)
++		xserver_use_xdm($1_wm_t)
++	')
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.6.3/policy/modules/apps/wm.te
+--- nsaserefpolicy/policy/modules/apps/wm.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/wm.te	2009-01-21 12:37:15.000000000 -0500
+@@ -0,0 +1,9 @@
++policy_module(wm,0.0.4)
 +
-+allow wm_t user_home_t:dir { search getattr };
-+allow wm_t user_xproperty_t:x_property { read write destroy };
-+allow wm_t default_t:dir search;
-+allow wm_t home_root_t:dir search;
-+allow wm_t user_home_dir_t:dir search;
-+allow wm_t xserver_tmp_t:dir search;
-+allow wm_t xserver_tmp_t:lnk_file read;
-+allow wm_t user_home_dir_t:dir search_dir_perms;
-+manage_files_pattern(wm_t,user_tmp_t,user_tmp_t)
-+allow wm_t user_home_t:file { write read getattr };
-+allow wm_t xserver_t:unix_stream_socket connectto;
-+allow wm_t xserver_tmp_t:sock_file write;
-+manage_lnk_files_pattern(wm_t, xserver_tmp_t, xserver_tmp_t)
-+
-+allow wm_t security_xext_t:x_extension { query use };
-+
-+userdom_use_user_terminals(wm_t)
-+
++########################################
++#
++# Declarations
++#
 +
-+xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)
++type wm_exec_t;
++corecmd_executable_file(wm_exec_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-01-05 15:39:38.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-20 14:46:23.000000000 -0500
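Review bot: `wm_role_template` declares `role_prefix`, `user_role` and `user_domain` parameters but only uses `$2` and `$3` once each (`role $2 types $1_wm_t;`, `domtrans_pattern($3, wm_exec_t, $1_wm_t)`); everywhere else it derives `$1_t` and `$1_r` from the prefix (`corecmd_bin_domtrans($1_wm_t, $1_t)`, `allow $1_wm_t $1_t:unix_stream_socket connectto;`, `userdom_manage_home_role($1_r, $1_wm_t)`, `xserver_role($1_r, $1_wm_t)`), so a caller whose role or domain does not follow the `$1_r`/`$1_t` naming gets a half-wired domain. The template should use `$2` and `$3` consistently, as sketched below. The `ifdef(`enable_mls'` block also grants every instantiated `$1_wm_t` `mls_file_read_all_levels`/`mls_file_write_all_levels` in addition to the xwin overrides; that was already present for the old single `wm_t`, but now applies per user prefix, so a one-line comment stating why a window manager needs file (not just X) access across levels would help the next reviewer. The hunk opens inside the tail of a preceding interface whose head is outside the hunk.
```m4
template(`wm_role_template',`
	# … unchanged: gen_require, type/domain declarations, role $2 types $1_wm_t …
	domtrans_pattern($3, wm_exec_t, $1_wm_t)

	corecmd_bin_domtrans($1_wm_t, $3)
	corecmd_shell_domtrans($1_wm_t, $3)
	# … unchanged: enable_mls block, files/miscfiles/gnome/auth/kernel rules, self rules …
	allow $1_wm_t $3:unix_stream_socket connectto;
	# … unchanged: dbus optional_policy, userdom_unpriv_usertype …
	userdom_manage_home_role($2, $1_wm_t)
	userdom_manage_tmpfs_role($2, $1_wm_t)
	userdom_manage_tmp_role($2, $1_wm_t)
	# … unchanged: dev_read_urand …
	optional_policy(`
		xserver_role($2, $1_wm_t)
		xserver_use_xdm($1_wm_t)
	')
')
```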
@@ -4962,7 +4956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type power_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.3/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/domain.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/domain.if	2009-01-21 13:16:11.000000000 -0500
 @@ -1247,18 +1247,34 @@
  ##	</summary>
  ## </param>
@@ -5452,7 +5446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-20 14:57:41.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-21 13:00:37.000000000 -0500
 @@ -534,6 +534,24 @@
  
  ########################################
@@ -9208,7 +9202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.6.3/policy/modules/services/avahi.if
 --- nsaserefpolicy/policy/modules/services/avahi.if	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/avahi.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/avahi.if	2009-01-21 15:37:35.000000000 -0500
 @@ -21,6 +21,25 @@
  
  ########################################
@@ -10129,7 +10123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.if	2009-01-20 15:16:32.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.if	2009-01-21 15:20:50.000000000 -0500
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -10141,7 +10135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	##############################
  	#
  	# Declarations
-@@ -31,7 +35,11 @@
+@@ -31,13 +35,18 @@
  
  	# dac_override is to create the file in the directory under /tmp
  	allow $1_t self:capability { fowner setuid setgid chown dac_override };
@@ -10154,7 +10148,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	allow $1_t $1_tmp_t:file manage_file_perms;
  	files_tmp_filetrans($1_t,$1_tmp_t,file)
-@@ -58,6 +66,12 @@
+ 
+ 	# create files in /var/spool/cron
+ 	# cjp: change this to a role transition
++	manage_files_pattern($1_t, user_cron_spool_t, user_cron_spool_t)
+ 	manage_files_pattern($1_t, cron_spool_t, user_cron_spool_t)
+ 	filetrans_pattern($1_t, cron_spool_t, user_cron_spool_t, file)
+ 	files_search_spool($1_t)
+@@ -58,6 +67,12 @@
  	files_dontaudit_search_pids($1_t)
  
  	logging_send_syslog_msg($1_t)
@@ -10167,7 +10168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	miscfiles_read_localization($1_t)
  
-@@ -261,6 +275,7 @@
+@@ -261,6 +276,7 @@
  	allow $1 system_cronjob_t:fifo_file rw_file_perms;
  	allow $1 system_cronjob_t:process sigchld;
  
@@ -10175,7 +10176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 crond_t:fifo_file rw_file_perms;
  	allow $1 crond_t:fd use;
  	allow $1 crond_t:process sigchld;
-@@ -343,6 +358,24 @@
+@@ -343,6 +359,24 @@
  
  ########################################
  ## <summary>
@@ -10200,7 +10201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -361,7 +394,7 @@
+@@ -361,7 +395,7 @@
  
  ########################################
  ## <summary>
@@ -10209,7 +10210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -369,7 +402,7 @@
+@@ -369,7 +403,7 @@
  ##	</summary>
  ## </param>
  #
@@ -10218,7 +10219,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	gen_require(`
  		type crond_t;
  	')
-@@ -481,11 +514,14 @@
+@@ -481,11 +515,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -10234,7 +10235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -506,3 +542,82 @@
+@@ -506,3 +543,82 @@
  
  	dontaudit $1 system_cronjob_tmp_t:file append;
  ')
@@ -10319,7 +10320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-20 16:52:23.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-21 15:19:17.000000000 -0500
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -11417,7 +11418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.3/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/dbus.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/dbus.te	2009-01-21 14:05:46.000000000 -0500
 @@ -9,14 +9,15 @@
  #
  # Delcarations
@@ -11436,7 +11437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  type session_dbusd_tmp_t;
  typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
-@@ -31,11 +32,23 @@
+@@ -31,11 +32,24 @@
  files_tmp_file(system_dbusd_tmp_t)
  
  type system_dbusd_var_lib_t;
@@ -11456,12 +11457,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	mls_rangetrans_target(system_dbusd_t)
 +	mls_file_read_all_levels(system_dbusd_t)
 +	mls_socket_write_all_levels(system_dbusd_t)
++	mls_socket_read_to_clearance(system_dbusd_t)
 +')
 +
  ##############################
  #
  # System bus local policy
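Review bot: The added `mls_socket_read_to_clearance(system_dbusd_t)` widens the MLS exemptions of the system bus daemon without a comment saying which client interaction required it, while the surrounding `mls_rangetrans_target`/`mls_file_read_all_levels`/`mls_socket_write_all_levels` lines are equally uncommented. Since these overrides are what let the bus bridge levels, a short why-comment on the new line, e.g. `# read from clients below clearance: <fill in the denial or client this fixes>`, would let a later audit tell deliberate policy from a denial-chasing addition.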
-@@ -45,7 +58,7 @@
+@@ -45,7 +59,7 @@
  # cjp: dac_override should probably go in a distro_debian
  allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
  dontaudit system_dbusd_t self:capability sys_tty_config;
@@ -11470,7 +11472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
  allow system_dbusd_t self:dbus { send_msg acquire_svc };
  allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -53,6 +66,8 @@
+@@ -53,6 +67,8 @@
  # Receive notifications of policy reloads and enforcing status changes.
  allow system_dbusd_t self:netlink_selinux_socket { create bind read };
  
@@ -11479,7 +11481,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
  read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
  read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
-@@ -75,6 +90,8 @@
+@@ -75,6 +91,8 @@
  
  fs_getattr_all_fs(system_dbusd_t)
  fs_search_auto_mountpoints(system_dbusd_t)
@@ -11488,7 +11490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  selinux_get_fs_mount(system_dbusd_t)
  selinux_validate_context(system_dbusd_t)
-@@ -91,9 +108,9 @@
+@@ -91,9 +109,9 @@
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -11499,7 +11501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(system_dbusd_t)
  files_list_home(system_dbusd_t)
-@@ -101,6 +118,8 @@
+@@ -101,6 +119,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -11508,7 +11510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -128,9 +147,34 @@
+@@ -128,9 +148,34 @@
  ')
  
  optional_policy(`
@@ -14220,9 +14222,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.3/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/services/networkmanager.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -1,8 +1,12 @@
++++ serefpolicy-3.6.3/policy/modules/services/networkmanager.fc	2009-01-21 12:55:52.000000000 -0500
+@@ -1,8 +1,13 @@
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +
  /sbin/wpa_cli			--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
  /sbin/wpa_supplicant		--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -14234,7 +14237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
  
-@@ -10,3 +14,4 @@
+@@ -10,3 +15,4 @@
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
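Review bot: The new file context `/usr/libexec/nm-dispatcher.action --	gen_context(...)` leaves the dot in `nm-dispatcher.action` unescaped, so it is a regex wildcard; the line just above (`/etc/NetworkManager/dispatcher\.d(/.*)`) and the rest of the file escape literal dots, and the new line should too: `/usr/libexec/nm-dispatcher\.action	--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)`. The field separator before `--` is also a single space where the neighbouring entries use tabs, which is a style mismatch only. Labelling the dispatcher helper `NetworkManager_initrc_exec_t` presumably means it runs in the init-script domain like the dispatcher.d scripts already do; if that is the intent, it is consistent with the existing entry.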
@@ -18369,202 +18372,642 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	mailscanner_read_spool(procmail_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.3/policy/modules/services/pyzor.fc
---- nsaserefpolicy/policy/modules/services/pyzor.fc	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/pyzor.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -1,6 +1,8 @@
- /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
-+/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
- 
- HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
-+HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
- 
- /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
- /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.3/policy/modules/services/pyzor.if
---- nsaserefpolicy/policy/modules/services/pyzor.if	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/pyzor.if	2009-01-19 13:10:02.000000000 -0500
-@@ -88,3 +88,50 @@
- 	corecmd_search_bin($1)
- 	can_exec($1, pyzor_exec_t)
- ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.3/policy/modules/services/psad.fc
+--- nsaserefpolicy/policy/modules/services/psad.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/psad.fc	2009-01-21 14:22:29.000000000 -0500
+@@ -0,0 +1,17 @@
 +
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an pyzor environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the pyzor domain.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`pyzor_admin',`
-+	gen_require(`
-+		type pyzord_t, pyzor_tmp_t, pyzord_log_t;
-+		type pyzor_etc_t, pyzor_var_lib_t;
-+		type pyzord_initrc_exec_t;
-+	')
 +
-+	allow $1 pyzord_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, pyzord_t)
-+	        
-+	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
-+	domain_system_change_exemption($1)
-+	role_transition $2 pyzord_initrc_exec_t system_r;
-+	allow $2 system_r;
++/etc/rc\.d/init\.d/psad 		--   		gen_context(system_u:object_r:psad_initrc_exec_t,s0)
 +
-+	files_list_tmp($1)
-+	admin_pattern($1, pyzor_tmp_t)
++/etc/psad(/.*)?						gen_context(system_u:object_r:psad_etc_t,s0)
 +
-+	logging_list_logs($1)
-+	admin_pattern($1, pyzord_log_t)
++/usr/sbin/psad				--		gen_context(system_u:object_r:psad_exec_t,s0)
 +
-+	files_list_etc($1)
-+	admin_pattern($1, pyzor_etc_t)
++#/usr/sbin/psadwatchd			--		gen_context(system_u:object_r:psadwatchd_exec_t,s0)
 +
-+	files_list_var_lib($1)
-+	admin_pattern($1, pyzor_var_lib_t)
-+')
++#/usr/sbin/kmsgsd			--		gen_context(system_u:object_r:kmsgsd_exec_t,s0)
 +
++/var/run/psad(/.*)?					gen_context(system_u:object_r:psad_var_run_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.3/policy/modules/services/pyzor.te
---- nsaserefpolicy/policy/modules/services/pyzor.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/pyzor.te	2009-01-19 13:10:02.000000000 -0500
-@@ -6,6 +6,38 @@
- # Declarations
- #
- 
++/var/lib/psad(/.*)?					gen_context(system_u:object_r:psad_var_lib_t,s0)
 +
-+ifdef(`distro_redhat',`
++/var/log/psad(/.*)?  					gen_context(system_u:object_r:psad_var_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.6.3/policy/modules/services/psad.if
+--- nsaserefpolicy/policy/modules/services/psad.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/psad.if	2009-01-21 14:22:29.000000000 -0500
+@@ -0,0 +1,304 @@
++## <summary>Psad SELinux policy</summary>
 +
++########################################
++## <summary>
++##	Execute a domain transition to run psad.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`psad_domtrans',`
 +	gen_require(`
-+		type spamc_t;
-+		type spamc_exec_t;
-+		type spamd_t;
-+		type spamd_initrc_exec_t;
-+		type spamd_exec_t;
-+		type spamc_tmp_t;
-+		type spamd_log_t;
-+		type spamd_var_lib_t;
-+		type spamd_etc_t;
-+		type spamc_tmp_t;
-+		type spamc_home_t;
++		type psad_t, psad_exec_t;
 +	')
 +
-+	typealias spamc_t alias pyzor_t;
-+	typealias spamc_exec_t alias pyzor_exec_t;
-+	typealias spamd_t alias pyzord_t;
-+	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
-+	typealias spamd_exec_t alias pyzord_exec_t;
-+	typealias spamc_tmp_t alias pyzor_tmp_t;
-+	typealias spamd_log_t alias pyzor_log_t;
-+	typealias spamd_log_t alias pyzord_log_t;
-+	typealias spamd_var_lib_t alias pyzor_var_lib_t;
-+	typealias spamd_etc_t alias pyzor_etc_t;
-+	typealias spamc_home_t alias pyzor_home_t;
-+	typealias spamc_home_t alias user_pyzor_home_t;
++	domtrans_pattern($1, psad_exec_t, psad_t)
++')
 +
-+',`
++########################################
++## <summary>
++##      Read and write psad UDP sockets.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`psad_rw_udp_sockets',`
++        gen_require(`
++                type psad_t;
++       ')
 +
- type pyzor_t;
- type pyzor_exec_t;
- typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
-@@ -40,6 +72,7 @@
- 
- type pyzord_log_t;
- logging_log_file(pyzord_log_t)
++        allow $1 psad_t:udp_socket { read write };
 +')
- 
- ########################################
- #
-@@ -83,6 +116,8 @@
- 
- miscfiles_read_localization(pyzor_t)
- 
-+mta_read_queue(pyzor_t)
-+
- userdom_dontaudit_search_user_home_dirs(pyzor_t)
- 
- optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.3/policy/modules/services/radvd.te
---- nsaserefpolicy/policy/modules/services/radvd.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/radvd.te	2009-01-19 13:10:02.000000000 -0500
-@@ -22,7 +22,7 @@
- #
- # Local policy
- #
--allow radvd_t self:capability { setgid setuid net_raw };
-+allow radvd_t self:capability { setgid setuid net_raw net_admin };
- dontaudit radvd_t self:capability sys_tty_config;
- allow radvd_t self:process signal_perms;
- allow radvd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.3/policy/modules/services/razor.if
---- nsaserefpolicy/policy/modules/services/razor.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/razor.if	2009-01-19 13:10:02.000000000 -0500
-@@ -157,3 +157,45 @@
- 
- 	domtrans_pattern($1, razor_exec_t, razor_t)
- ')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete razor files
-+##	in a user home subdirectory.
++##      Read and write psad packet sockets.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##      <summary>
++##      Domain allowed access.
++##      </summary>
 +## </param>
 +#
-+template(`razor_manage_user_home_files',`
-+	gen_require(`
-+		type razor_home_t;
-+	')
++interface(`psad_rw_packet_sockets',`
++        gen_require(`
++                type psad_t;
++       ')
 +
-+	files_search_home($1)
-+	userdom_search_user_home_dirs($1)
-+	manage_files_pattern($1, razor_home_t, razor_home_t)
-+	read_lnk_files_pattern($1, razor_home_t, razor_home_t)
++        allow $1 psad_t:packet_socket { read write };
 +')
 +
 +########################################
 +## <summary>
-+##	read razor lib files.
++##      Send a generic signal to psad
 +## </summary>
 +## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
++##      <summary>
++##      Domain allowed access.
++##      </summary>
 +## </param>
 +#
-+interface(`razor_read_lib_files',`
-+	gen_require(`
-+		type razor_var_lib_t;
-+	')
++interface(`psad_signal',`
++        gen_require(`
++                type psad_t;
++       ')
 +
-+	files_search_var_lib($1)
-+	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
++        allow $1 psad_t:process signal;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.3/policy/modules/services/razor.te
---- nsaserefpolicy/policy/modules/services/razor.te	2009-01-19 11:07:32.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/razor.te	2009-01-19 13:10:02.000000000 -0500
-@@ -6,6 +6,32 @@
- # Declarations
- #
- 
-+ifdef(`distro_redhat',`
-+
-+	gen_require(`
++#######################################
++## <summary>
++##      Send a null signal to psad.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`psad_signull',`
++        gen_require(`
++                type psad_t;
++	')
++
++	allow $1 psad_t:process signull;
++')
++
++########################################
++## <summary>
++##      Read psad etc configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++##
++#
++interface(`psad_read_etc',`
++        gen_require(`
++                type psad_etc_t;
++        ')
++
++	files_search_etc($1)
++        read_files_pattern($1, psad_etc_t, psad_etc_t)
++')
++
++########################################
++## <summary>
++##      Manage psad etc configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++##
++#
++interface(`psad_manage_etc',`
++        gen_require(`
++                type psad_etc_t;
++        ')
++
++	files_search_etc($1)
++	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
++        manage_files_pattern($1, psad_etc_t, psad_etc_t)
++
++')
++
++########################################
++## <summary>
++##      Read psad PID files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++##
++#
++interface(`psad_read_pid_files',`
++        gen_require(`
++                type psad_var_run_t;
++        ')
++
++        files_search_pids($1)
++	read_files_pattern($1, psad_var_run_t, psad_var_run_t)
++')
++
++########################################
++## <summary>
++##      Read psad PID files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++##
++#
++interface(`psad_rw_pid_files',`
++        gen_require(`
++                type psad_var_run_t;
++        ')
++
++        files_search_pids($1)
++	rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
++')
++
++########################################
++## <summary>
++##      Allow the specified domain to read psad's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++##
++#
++interface(`psad_read_log',`
++        gen_require(`
++                type psad_var_log_t;
++        ')
++
++        logging_search_logs($1)
++	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
++        read_files_pattern($1, psad_var_log_t, psad_var_log_t)
++')
++
++########################################
++## <summary>
++##      Allow the specified domain to append to psad's log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++##
++#
++interface(`psad_append_log',`
++        gen_require(`
++                type psad_var_log_t;
++        ')
++
++        logging_search_logs($1)
++	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
++	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
++')
++
++########################################
++## <summary>
++##      Read and write psad fifo files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`psad_rw_fifo_file',`
++        gen_require(`
++                type psad_t;
++       ')
++
++	files_search_var_lib($1)
++	search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
++	rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
++')
++
++#######################################
++## <summary>
++##      Read and write psad tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`psad_rw_tmp_files',`
++        gen_require(`
++                type psad_tmp_t;
++        ')
++
++        files_search_tmp($1)
++        rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an psad environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the syslog domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`psad_admin',`
++	gen_require(`
++		type psad_t, psad_var_run_t, psad_var_log_t;
++		type psad_initrc_exec_t, psad_var_lib_t;
++		type psad_tmp_t;
++	')
++
++	allow $1 psad_t:process { ptrace signal_perms };
++	ps_process_pattern($1, psad_t)
++
++	init_labeled_script_domtrans($1, psad_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 psad_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_etc($1)
++	admin_pattern($1, psad_etc_t)
++
++	files_search_pids($1)
++	admin_pattern($1, psad_var_run_t)
++
++	logging_search_logs($1)
++	admin_pattern($1, psad_var_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, psad_var_lib_t)
++
++	files_search_tmp($1)
++	admin_pattern($1, psad_tmp_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.6.3/policy/modules/services/psad.te
+--- nsaserefpolicy/policy/modules/services/psad.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/psad.te	2009-01-21 14:22:29.000000000 -0500
+@@ -0,0 +1,107 @@
++policy_module(psad,1.0.0) 
++
++########################################
++#
++# Declarations
++#
++type psad_t;
++type psad_exec_t;
++init_daemon_domain(psad_t, psad_exec_t)
++
++type psad_initrc_exec_t;
++init_script_file(psad_initrc_exec_t)
++
++# config files
++type psad_etc_t;
++files_config_file(psad_etc_t)
++
++# var/lib files
++type psad_var_lib_t;
++files_type(psad_var_lib_t)
++
++# log files
++type psad_var_log_t;
++logging_log_file(psad_var_log_t)
++
++# pid files
++type psad_var_run_t;
++files_pid_file(psad_var_run_t)
++
++# tmp files
++type psad_tmp_t;
++files_tmp_file(psad_tmp_t)
++
++########################################
++#
++# psad local policy
++#
++
++allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
++dontaudit psad_t self:capability { sys_tty_config };
++allow psad_t self:process signull;
++
++allow psad_t self:fifo_file  rw_fifo_file_perms;
++allow psad_t self:rawip_socket create_socket_perms;
++
++# config files
++read_files_pattern(psad_t,psad_etc_t,psad_etc_t)
++list_dirs_pattern(psad_t,psad_etc_t,psad_etc_t)
++
++# pid file
++manage_files_pattern(psad_t, psad_var_run_t,psad_var_run_t)
++manage_sock_files_pattern(psad_t, psad_var_run_t,psad_var_run_t)
++files_pid_filetrans(psad_t,psad_var_run_t, { file sock_file })
++
++# log files
++manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
++manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
++logging_log_filetrans(psad_t,psad_var_log_t, { file dir })
++
++# tmp files
++manage_dirs_pattern(psad_t,psad_tmp_t,psad_tmp_t)
++manage_files_pattern(psad_t,psad_tmp_t,psad_tmp_t)
++files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
++
++# /var/lib files
++search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
++manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
++
++kernel_read_system_state(psad_t)
++kernel_read_network_state(psad_t)
++#kernel_read_kernel_sysctls(psad_t)
++kernel_read_net_sysctls(psad_t)
++
++corecmd_exec_shell(psad_t)
++corecmd_exec_bin(psad_t)
++
++auth_use_nsswitch(psad_t)
++
++corenet_tcp_connect_whois_port(psad_t)
++
++dev_read_urand(psad_t)
++
++files_read_etc_runtime_files(psad_t)
++
++fs_getattr_all_fs(psad_t)
++
++libs_use_ld_so(psad_t)
++libs_use_shared_libs(psad_t)
++
++miscfiles_read_localization(psad_t)
++
++logging_read_generic_logs(psad_t)
++logging_read_syslog_config(psad_t)
++logging_send_syslog_msg(psad_t)
++
++#sysnet_domtrans_ifconfig(psad_t)
++sysnet_exec_ifconfig(psad_t)
++iptables_domtrans(psad_t)
++
++optional_policy(`
++        mta_send_mail(psad_t)
++	mta_read_queue(psad_t)
++')
++
++permissive psad_t;
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.3/policy/modules/services/pyzor.fc
+--- nsaserefpolicy/policy/modules/services/pyzor.fc	2008-11-11 16:13:46.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/pyzor.fc	2009-01-19 13:10:02.000000000 -0500
+@@ -1,6 +1,8 @@
+ /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
++/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
+ 
+ HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
++HOME_DIR/\.spamd(/.*)?		gen_context(system_u:object_r:pyzor_home_t,s0)
+ 
+ /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
+ /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.3/policy/modules/services/pyzor.if
+--- nsaserefpolicy/policy/modules/services/pyzor.if	2008-11-11 16:13:46.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/pyzor.if	2009-01-19 13:10:02.000000000 -0500
+@@ -88,3 +88,50 @@
+ 	corecmd_search_bin($1)
+ 	can_exec($1, pyzor_exec_t)
+ ')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an pyzor environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the pyzor domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`pyzor_admin',`
++	gen_require(`
++		type pyzord_t, pyzor_tmp_t, pyzord_log_t;
++		type pyzor_etc_t, pyzor_var_lib_t;
++		type pyzord_initrc_exec_t;
++	')
++
++	allow $1 pyzord_t:process { ptrace signal_perms };
++	ps_process_pattern($1, pyzord_t)
++	        
++	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
++	domain_system_change_exemption($1)
++	role_transition $2 pyzord_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_tmp($1)
++	admin_pattern($1, pyzor_tmp_t)
++
++	logging_list_logs($1)
++	admin_pattern($1, pyzord_log_t)
++
++	files_list_etc($1)
++	admin_pattern($1, pyzor_etc_t)
++
++	files_list_var_lib($1)
++	admin_pattern($1, pyzor_var_lib_t)
++')
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.3/policy/modules/services/pyzor.te
+--- nsaserefpolicy/policy/modules/services/pyzor.te	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/pyzor.te	2009-01-19 13:10:02.000000000 -0500
+@@ -6,6 +6,38 @@
+ # Declarations
+ #
+ 
++
++ifdef(`distro_redhat',`
++
++	gen_require(`
++		type spamc_t;
++		type spamc_exec_t;
++		type spamd_t;
++		type spamd_initrc_exec_t;
++		type spamd_exec_t;
++		type spamc_tmp_t;
++		type spamd_log_t;
++		type spamd_var_lib_t;
++		type spamd_etc_t;
++		type spamc_tmp_t;
++		type spamc_home_t;
++	')
++
++	typealias spamc_t alias pyzor_t;
++	typealias spamc_exec_t alias pyzor_exec_t;
++	typealias spamd_t alias pyzord_t;
++	typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
++	typealias spamd_exec_t alias pyzord_exec_t;
++	typealias spamc_tmp_t alias pyzor_tmp_t;
++	typealias spamd_log_t alias pyzor_log_t;
++	typealias spamd_log_t alias pyzord_log_t;
++	typealias spamd_var_lib_t alias pyzor_var_lib_t;
++	typealias spamd_etc_t alias pyzor_etc_t;
++	typealias spamc_home_t alias pyzor_home_t;
++	typealias spamc_home_t alias user_pyzor_home_t;
++
++',`
++
+ type pyzor_t;
+ type pyzor_exec_t;
+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
+@@ -40,6 +72,7 @@
+ 
+ type pyzord_log_t;
+ logging_log_file(pyzord_log_t)
++')
+ 
+ ########################################
+ #
+@@ -83,6 +116,8 @@
+ 
+ miscfiles_read_localization(pyzor_t)
+ 
++mta_read_queue(pyzor_t)
++
+ userdom_dontaudit_search_user_home_dirs(pyzor_t)
+ 
+ optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.3/policy/modules/services/radvd.te
+--- nsaserefpolicy/policy/modules/services/radvd.te	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/radvd.te	2009-01-19 13:10:02.000000000 -0500
+@@ -22,7 +22,7 @@
+ #
+ # Local policy
+ #
+-allow radvd_t self:capability { setgid setuid net_raw };
++allow radvd_t self:capability { setgid setuid net_raw net_admin };
+ dontaudit radvd_t self:capability sys_tty_config;
+ allow radvd_t self:process signal_perms;
+ allow radvd_t self:unix_dgram_socket create_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.3/policy/modules/services/razor.if
+--- nsaserefpolicy/policy/modules/services/razor.if	2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/razor.if	2009-01-19 13:10:02.000000000 -0500
+@@ -157,3 +157,45 @@
+ 
+ 	domtrans_pattern($1, razor_exec_t, razor_t)
+ ')
++
++########################################
++## <summary>
++##	Create, read, write, and delete razor files
++##	in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`razor_manage_user_home_files',`
++	gen_require(`
++		type razor_home_t;
++	')
++
++	files_search_home($1)
++	userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, razor_home_t, razor_home_t)
++	read_lnk_files_pattern($1, razor_home_t, razor_home_t)
++')
++
++########################################
++## <summary>
++##	read razor lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`razor_read_lib_files',`
++	gen_require(`
++		type razor_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.3/policy/modules/services/razor.te
+--- nsaserefpolicy/policy/modules/services/razor.te	2009-01-19 11:07:32.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/razor.te	2009-01-19 13:10:02.000000000 -0500
+@@ -6,6 +6,32 @@
+ # Declarations
+ #
+ 
++ifdef(`distro_redhat',`
++
++	gen_require(`
 +		type spamc_t;
 +		type spamc_exec_t;
 +		type spamd_log_t;
@@ -21365,7 +21808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-20 14:57:03.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 13:00:55.000000000 -0500
 @@ -53,7 +53,7 @@
  # virtd local policy
  #
@@ -21384,7 +21827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_vnc_port(virtd_t)
  corenet_tcp_connect_vnc_port(virtd_t)
  corenet_tcp_connect_soundd_port(virtd_t)
-@@ -110,6 +110,7 @@
+@@ -110,11 +110,13 @@
  
  files_read_usr_files(virtd_t)
  files_read_etc_files(virtd_t)
@@ -21392,16 +21835,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_read_etc_runtime_files(virtd_t)
  files_search_all(virtd_t)
  files_list_kernel_modules(virtd_t)
-@@ -129,6 +130,8 @@
+ 
+ fs_list_auto_mountpoints(virtd_t)
++fs_getattr_xattr_fs(virtd_t)
+ 
+ storage_raw_write_removable_device(virtd_t)
+ storage_raw_read_removable_device(virtd_t)
+@@ -129,7 +131,10 @@
  
  logging_send_syslog_msg(virtd_t)
  
 +sysnet_domtrans_ifconfig(virtd_t)
 +
  userdom_read_all_users_state(virtd_t)
++userdom_dontaudit_list_admin_dir(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
-@@ -173,16 +176,17 @@
+ 	fs_manage_nfs_dirs(virtd_t)
+@@ -173,16 +178,17 @@
  	iptables_domtrans(virtd_t)
  ')
  
@@ -21447,8 +21898,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.3/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -3,11 +3,14 @@
++++ serefpolicy-3.6.3/policy/modules/services/xserver.fc	2009-01-21 12:59:03.000000000 -0500
+@@ -3,12 +3,16 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
  HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
@@ -21461,9 +21912,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.dmrc			--	gen_context(system_u:object_r:xdm_home_t,s0)
  
++/root/\.xauth.*			--	gen_context(system_u:object_r:xauth_home_t,s0)
  #
  # /dev
-@@ -32,11 +35,6 @@
+ #
+@@ -32,11 +36,6 @@
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
@@ -21475,7 +21928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
  # /opt
  #
-@@ -61,6 +59,7 @@
+@@ -61,6 +60,7 @@
  /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -21483,7 +21936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -89,16 +88,26 @@
+@@ -89,16 +89,26 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -21514,8 +21967,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.if	2009-01-21 11:14:55.000000000 -0500
-@@ -116,6 +116,7 @@
++++ serefpolicy-3.6.3/policy/modules/services/xserver.if	2009-01-21 15:37:51.000000000 -0500
+@@ -90,7 +90,8 @@
+ 	allow $2 xauth_home_t:file manage_file_perms;
+ 	allow $2 xauth_home_t:file { relabelfrom relabelto };
+ 
+-	xserver_common_x_domain_template(user, $2)
++	xserver_common_app($2)
++	xserver_use_xdm($2)
+ 
+ 	##############################
+ 	#
+@@ -116,6 +117,7 @@
  	# setattr: gnome-settings-daemon X11:GrabKey
  	# manage: metacity X11:ChangeWindowAttributes
  	allow $2 rootwindow_t:x_drawable { read write manage setattr };
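Review bot: Replacing `xserver_common_x_domain_template(user, $2)` with `xserver_common_app($2)` drops the `type_transition $2 xproperty_t:x_property user_xproperty_t` that the template carried, so properties `$2` creates presumably stay labeled `xproperty_t`, on which `xserver_common_app` grants `all_x_property_perms`; if giving up the per-user property labeling is intended, a comment next to the call saying so would help the next reader. `xserver_use_xdm($2)` is now granted to every caller of this interface unconditionally; confirm that is wanted rather than gating it as the surrounding xdm rules are. The enclosing interface starts outside the hunk.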
@@ -21523,7 +21986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# setattr: metacity X11:InstallColormap
  	allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
-@@ -156,7 +157,7 @@
+@@ -156,7 +158,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -21532,7 +21995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -219,12 +220,12 @@
+@@ -219,12 +221,12 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -21548,7 +22011,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -397,11 +398,12 @@
+@@ -278,7 +280,6 @@
+ 		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
+ 		type xevent_t, client_xevent_t;
+ 
+-		attribute x_domain;
+ 		attribute xproperty_type;
+ 		attribute xevent_type;
+ 		attribute input_xevent_type;
+@@ -287,6 +288,8 @@
+ 		class x_property all_x_property_perms;
+ 		class x_event all_x_event_perms;
+ 		class x_synthetic_event all_x_synthetic_event_perms;
++		class x_selection all_x_selection_perms;
++		type xselection_t;
+ 	')
+ 
+ 	##############################
+@@ -294,20 +297,11 @@
+ 	# Local Policy
+ 	#
+ 
+-	# Type attributes
+-	typeattribute $2 x_domain;
+-
+ 	# X Properties
+ 	# can read and write client properties
+ 	allow $2 $1_xproperty_t:x_property { create destroy read write append };
+ 	type_transition $2 xproperty_t:x_property $1_xproperty_t;
+ 
+-	# X Windows
+-	# new windows have the domain type
+-	type_transition $2 rootwindow_t:x_drawable $2;
+-
+-	# X Input
+-	# can receive own events
+ 	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
+ 	allow $2 $1_property_xevent_t:{ x_event x_synthetic_event } receive;
+ 	allow $2 $1_focus_xevent_t:{ x_event x_synthetic_event } receive;
+@@ -320,8 +315,10 @@
+ 	type_transition $2 manage_xevent_t:x_event $1_manage_xevent_t;
+ 	type_transition $2 client_xevent_t:x_event $1_client_xevent_t;
+ 	type_transition $2 xevent_t:x_event $1_default_xevent_t;
+-	# can send ICCCM events to myself
++
+ 	allow $2 $1_manage_xevent_t:x_synthetic_event send;
++
++	xserver_common_app($2)
+ ')
+ 
+ #######################################
+@@ -397,11 +394,12 @@
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
  		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
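Review bot: The template's `gen_require` now lists `class x_selection all_x_selection_perms;` and `type xselection_t;` but nothing left in the template body uses them — the only consumer is `xserver_common_app`, which carries its own require — so they can be dropped here. Removing `# X Input` / `# can receive own events` and `# can send ICCCM events to myself` leaves the `allow $2 $1_*_xevent_t:{ x_event x_synthetic_event } receive` rules and `allow $2 $1_manage_xevent_t:x_synthetic_event send;` that they described without explanation; keep those comments on the surviving rules. The template's header is outside the hunk.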
@@ -21564,7 +22077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Read .Xauthority file
  	allow $2 xauth_home_t:file read_file_perms;
-@@ -409,7 +411,7 @@
+@@ -409,7 +407,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
@@ -21573,7 +22086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $2 xdm_tmp_t:dir search_dir_perms;
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
-@@ -437,6 +439,10 @@
+@@ -437,6 +435,10 @@
  		allow $2 xserver_t:shm rw_shm_perms;
  		allow $2 xserver_tmpfs_t:file rw_file_perms;
  	')
@@ -21584,7 +22097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -639,7 +645,7 @@
+@@ -639,7 +641,7 @@
  		type xdm_t;
  	')
  
@@ -21593,7 +22106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -738,6 +744,7 @@
+@@ -738,6 +740,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -21601,7 +22114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -756,7 +763,26 @@
+@@ -756,7 +759,26 @@
  	')
  
  	files_search_pids($1)
@@ -21629,7 +22142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -779,6 +805,31 @@
+@@ -779,6 +801,31 @@
  
  ########################################
  ## <summary>
@@ -21661,7 +22174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1018,10 +1069,11 @@
+@@ -1018,10 +1065,11 @@
  #
  interface(`xserver_domtrans',`
  	gen_require(`
@@ -21674,7 +22187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1159,6 +1211,272 @@
+@@ -1159,6 +1207,275 @@
  
  ########################################
  ## <summary>
@@ -21829,6 +22342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +interface(`xserver_use_xdm',`
 +	gen_require(`
 +		type xdm_t, xdm_tmp_t;
++		type xdm_xproperty_t;
 +		class x_client all_x_client_perms;
 +		class x_drawable all_x_drawable_perms;
 +		class x_property all_x_property_perms;
@@ -21846,6 +22360,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 xdm_t:x_client { getattr destroy };
 +	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
++	allow $1 xdm_xproperty_t:x_property { write read };
++
 +')
 +
 +########################################
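Review bot: `allow $1 xdm_xproperty_t:x_property { write read };` gives every domain that calls `xserver_use_xdm` write access to xdm-labeled X properties, not just read; if most callers only need to read them, consider granting `read` here and keeping `write` in a narrower interface. A why-comment such as `# read/write xdm's X properties (e.g. session properties set by the display manager) — confirm write is required` would document the intent. The blank line before `')` can go.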
@@ -21947,9 +22463,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
+@@ -1172,7 +1489,99 @@
+ interface(`xserver_unconfined',`
+ 	gen_require(`
+ 		attribute xserver_unconfined_type;
++		attribute x_domain;
+ 	')
+ 
+ 	typeattribute $1 xserver_unconfined_type;
++	typeattribute $1 x_domain;
++')
++
++########################################
++## <summary>
++##	Rules required for using the X Windows server
++##	and environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_communicate',`
++	gen_require(`
++		type xdm_t, xdm_tmp_t;
++		class x_client all_x_client_perms;
++		class x_drawable all_x_drawable_perms;
++		class x_property all_x_property_perms;
++		class x_resource all_x_resource_perms;
+ ')
++
++	allow $1 $2:x_drawable all_x_drawable_perms;
++	allow $1 $2:x_resource all_x_resource_perms;
++')
++
++#######################################
++## <summary>
++##	Interface to provide X object permissions on a given X server to
++##	an X client domain.  Provides the minimal set required by a basic
++##	X client application.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Client domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_common_app',`
++
++	gen_require(`
++		attribute x_domain;
++		attribute xevent_type;
++		type xselection_t, rootwindow_t;
++		type user_xproperty_t, xproperty_t;
++		class x_property all_x_property_perms;
++	')
++
++	# Type attributes
++	typeattribute $1 x_domain;
++
++	allow $1 xselection_t:x_selection setattr;
++	allow $1 user_xproperty_t:x_property { write read };
++	allow $1 xproperty_t:x_property all_x_property_perms;
++
++	# X Windows
++	# new windows have the domain type
++	type_transition $1 rootwindow_t:x_drawable $1;
++
++	# X Input
++	# can receive own events
++	allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };
++	xserver_communicate($1, $1)
++')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	xdm over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_xdm_dbus_chat',`
++	gen_require(`
++		type xdm_t;
++		class dbus send_msg;
++	')
++
++	allow $1 xdm_t:dbus send_msg;
++	allow xdm_t $1:dbus send_msg;
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 11:00:16.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 14:02:11.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
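Review bot: In `xserver_common_app`, `allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };` grants receive and send on every type carrying the `xevent_type` attribute, not only the caller's own `$1_*_xevent_t` types that the template rules scope, yet the comment above it still says `# can receive own events`; either narrow the rule or reword the comment to state the actual grant, e.g. `# can receive and send events of every X event type (broader than the per-domain template rules)`. `xserver_communicate` documents two `<param name="domain">` entries with identical text although `$2` is the target whose drawables and resources `$1` gets `all_x_drawable_perms` and `all_x_resource_perms` on; name the second `target_domain` with a matching summary, and its `gen_require` lists `xdm_t`, `xdm_tmp_t`, `x_client` and `x_property`, none of which the body references. The `')` closing that `gen_require` is unindented because it reuses the old closing line of `xserver_unconfined`.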
@@ -22084,13 +22700,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
-@@ -256,13 +275,13 @@
+@@ -250,19 +269,21 @@
+ # Xauth local policy
+ #
+ 
++allow xauth_t self:capability dac_override;
+ allow xauth_t self:process signal;
+ allow xauth_t self:unix_stream_socket create_stream_socket_perms;
+ 
  allow xauth_t xauth_home_t:file manage_file_perms;
  userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
- 
++userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)
++
 +manage_dirs_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
 +manage_files_pattern(xauth_t, xdm_var_run_t, xdm_var_run_t)
-+
+ 
  manage_dirs_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
  files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
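Review bot: `allow xauth_t self:capability dac_override;` is added without a comment saying which access needs it; `dac_override` lets xauth_t bypass discretionary permission checks on any file its other rules already permit, so it deserves a why-comment, e.g. `# dac_override: presumably for /root/.xauth* created via the admin home filetrans below — confirm`. If the only trigger is the new `userdom_admin_home_dir_filetrans(xauth_t, xauth_home_t, file)` path, check whether the ownership or mode of that file can be fixed instead of widening the capability set.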
@@ -22101,7 +22725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_use_interactive_fds(xauth_t)
  
  files_read_etc_files(xauth_t)
-@@ -300,13 +319,14 @@
+@@ -300,13 +321,14 @@
  # XDM Local policy
  #
  
@@ -22119,7 +22743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow xdm_t self:tcp_socket create_stream_socket_perms;
  allow xdm_t self:udp_socket create_socket_perms;
  allow xdm_t self:socket create_socket_perms;
-@@ -314,6 +334,11 @@
+@@ -314,6 +336,11 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -22131,7 +22755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -329,6 +354,8 @@
+@@ -329,6 +356,8 @@
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -22140,7 +22764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -336,15 +363,30 @@
+@@ -336,15 +365,30 @@
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -22173,7 +22797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow xdm_t xserver_t:process signal;
  allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +400,7 @@
+@@ -358,6 +402,7 @@
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -22181,7 +22805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xserver_tmp_t,xserver_tmp_t,xserver_t)
-@@ -389,11 +432,13 @@
+@@ -389,11 +434,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -22195,7 +22819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +446,7 @@
+@@ -401,6 +448,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -22203,7 +22827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -413,14 +459,17 @@
+@@ -413,14 +461,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -22223,7 +22847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +480,13 @@
+@@ -431,9 +482,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -22237,7 +22861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +495,7 @@
+@@ -442,6 +497,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -22245,7 +22869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +504,7 @@
+@@ -450,6 +506,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -22253,7 +22877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -460,10 +515,10 @@
+@@ -460,10 +517,10 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -22266,7 +22890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -504,10 +559,12 @@
+@@ -504,10 +561,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -22279,7 +22903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -515,12 +572,41 @@
+@@ -515,12 +574,41 @@
  ')
  
  optional_policy(`
@@ -22321,7 +22945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,6 +628,19 @@
+@@ -542,6 +630,19 @@
  ')
  
  optional_policy(`
@@ -22341,7 +22965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -550,8 +649,8 @@
+@@ -550,8 +651,8 @@
  ')
  
  optional_policy(`
@@ -22351,7 +22975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -571,6 +670,10 @@
+@@ -571,6 +672,10 @@
  ')
  
  optional_policy(`
@@ -22362,7 +22986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -587,7 +690,7 @@
+@@ -587,7 +692,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -22371,7 +22995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:memprotect mmap_zero;
-@@ -602,6 +705,7 @@
+@@ -602,6 +707,7 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -22379,7 +23003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Device rules
  allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
-@@ -635,6 +739,15 @@
+@@ -635,6 +741,15 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -22395,7 +23019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +793,13 @@
+@@ -680,9 +795,14 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -22406,18 +23030,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +domain_mmap_low_type(xserver_t)
  domain_mmap_low(xserver_t)
 +domain_dontaudit_read_all_domains_state(xserver_t)
++domain_signal_all_domains(xserver_t)
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -697,6 +814,7 @@
+@@ -697,8 +817,12 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
 +fs_list_inotifyfs(xdm_t)
++fs_rw_tmpfs_files(xserver_t)
  
  mls_xwin_read_to_clearance(xserver_t)
++mls_process_write_to_clearance(xserver_t)
++mls_file_write_to_clearance(xserver_t)
  
-@@ -720,6 +838,7 @@
+ selinux_validate_context(xserver_t)
+ selinux_compute_access_vector(xserver_t)
+@@ -720,6 +844,7 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
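Review bot: `domain_signal_all_domains(xserver_t)` plus `mls_process_write_to_clearance(xserver_t)` and `mls_file_write_to_clearance(xserver_t)` let the X server signal every domain on the system and, presumably, write to processes and files up to its clearance rather than only at its current level (confirm against mls.if), and nothing in the hunk records why the server needs that much — the changelog only says "Add wm policy". If the signal target is the X clients, the `x_domain` attribute already used a few lines later for `x_device` access bounds it far better: `allow xserver_t x_domain:process signal;`. The two MLS exemptions and `fs_rw_tmpfs_files(xserver_t)` (generic tmpfs files, not the xdm/xserver-labelled ones) each deserve a one-line why-comment, e.g. `# MLS: X server must signal/write clients and shm at every level it serves`, so the next reviewer can judge whether they are still needed. The xserver_t local-policy section starts and ends outside this hunk.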
@@ -22425,7 +23055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -774,6 +893,10 @@
+@@ -774,6 +899,10 @@
  ')
  
  optional_policy(`
@@ -22436,7 +23066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rhgb_getpgid(xserver_t)
  	rhgb_signal(xserver_t)
  ')
-@@ -806,7 +929,7 @@
+@@ -806,7 +935,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -22445,7 +23075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +953,10 @@
+@@ -830,6 +959,10 @@
  
  xserver_use_user_fonts(xserver_t)
  
@@ -22456,7 +23086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +971,14 @@
+@@ -844,11 +977,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -22472,7 +23102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -856,6 +986,11 @@
+@@ -856,6 +992,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -22484,7 +23114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Rules common to all X window domains
-@@ -972,6 +1107,37 @@
+@@ -972,6 +1113,37 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -22522,7 +23152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1152,13 @@
+@@ -986,3 +1158,13 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
@@ -24415,7 +25045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.3/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.6.3/policy/modules/system/miscfiles.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/miscfiles.if	2009-01-21 13:05:22.000000000 -0500
 @@ -23,6 +23,45 @@
  
  ########################################
@@ -26720,7 +27350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-20 16:18:13.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-21 15:37:07.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -27049,7 +27679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -420,34 +432,39 @@
+@@ -420,34 +432,41 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -27103,11 +27733,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_manage_xdm_tmp_files($1_t)
 +		xserver_manage_xdm_tmp_files($1)
 +		xserver_stream_connect($1)
++		xserver_xdm_dbus_chat($1)
 +	')
++
  ')
  
  #######################################
-@@ -497,11 +514,7 @@
+@@ -497,11 +516,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -27120,7 +27752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	##############################
  	#
-@@ -512,189 +525,198 @@
+@@ -512,189 +527,198 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -27361,16 +27993,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
 +			postgresql_stream_connect($1_usertype)
-+		')
  		')
-+
-+	optional_policy(`
-+		# to allow monitoring of pcmcia status
-+		pcmcia_read_pid($1_usertype)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
++		# to allow monitoring of pcmcia status
++		pcmcia_read_pid($1_usertype)
++	')
++
++	optional_policy(`
 +		pcscd_read_pub_files($1_usertype)
 +		pcscd_stream_connect($1_usertype)
  	')
@@ -27400,22 +28032,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -722,15 +744,29 @@
+@@ -722,15 +746,29 @@
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_change_password_template($1)
++
++	userdom_manage_home_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_home_role($1_r, $1_usertype)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -27436,7 +28068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	##############################
  	#
-@@ -746,70 +782,72 @@
+@@ -746,70 +784,72 @@
  
  	allow $1_t self:context contains;
  
@@ -27542,7 +28174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -846,6 +884,28 @@
+@@ -846,6 +886,28 @@
  	# Local policy
  	#
  
@@ -27571,7 +28203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -876,7 +936,7 @@
+@@ -876,7 +938,7 @@
  
  	userdom_restricted_user_template($1)
  
@@ -27580,17 +28212,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	##############################
  	#
-@@ -884,14 +944,18 @@
+@@ -884,14 +946,19 @@
  	#
  
  	auth_role($1_r, $1_t)
 -	auth_search_pam_console_data($1_t)
 +	auth_search_pam_console_data($1_usertype)
++
++	xserver_role($1_r, $1_t)
++	xserver_communicate($1_usertype, $1_usertype)
  
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
-+	xserver_role($1_r, $1_t)
-+
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
  	# gnome keyring wants to read this.
@@ -27604,7 +28237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +963,24 @@
+@@ -899,28 +966,28 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -27615,31 +28248,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
--
--		optional_policy(`
--			consolekit_dbus_chat($1_t)
 +		apache_role($1_r, $1_usertype)
++		')
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
++		gnome_manage_config($1_usertype)
++		gnome_manage_gconf_home_files($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
 -		')
-+		gnome_manage_config($1_usertype)
-+		gnome_manage_gconf_home_files($1_usertype)
++		openoffice_role_template($1, $1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		java_role($1_r, $1_t)
-+		openoffice_role_template($1, $1_r, $1_usertype)
++		polkit_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		setroubleshoot_dontaudit_stream_connect($1_t)
-+		polkit_role($1_r, $1_usertype)
++		wm_role_template($1, $1_r, $1_usertype)
  	')
  ')
  
-@@ -931,8 +991,7 @@
+@@ -931,8 +998,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
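Review bot: The closing `')` placed after `apache_role($1_r, $1_usertype)` and the `optional_policy(\`` that opens the gnome block are indented one tab deeper than their enclosing level, while the openoffice block opens at two tabs and closes at one, so the resulting template no longer reads as a flat list of `optional_policy` blocks; re-indent so every `optional_policy(\`` and its `')` sit at one tab. `wm_role_template($1, $1_r, $1_usertype)` itself is wrapped in `optional_policy`, so it only takes effect where the wm module is built, but a short comment saying what the window-manager domain gives a restricted X user would help since the changelog says only "Add wm policy". The enclosing template starts outside this hunk.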
@@ -27649,7 +28284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -954,8 +1013,8 @@
+@@ -954,8 +1020,8 @@
  	# Declarations
  	#
  
@@ -27659,7 +28294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1023,10 @@
+@@ -964,11 +1030,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -27669,10 +28304,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	corenet_tcp_bind_xserver_port($1_t)
  
 -	files_exec_usr_files($1_t)
++	storage_rw_fuse($1_t)
++
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1044,47 @@
+@@ -986,37 +1053,47 @@
  		')
  	')
  
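Review bot: `storage_rw_fuse($1_t)` gives every unprivileged user domain unconditional read/write on the FUSE device with no comment saying which workflow needs it (presumably user-mounted FUSE filesystems via fusermount — confirm) and without a tunable to switch it off. It is also passed `$1_t` while the rest of this series moves this template's accesses to `$1_usertype` (e.g. `pcmcia_read_pid($1_usertype)`, `userdom_manage_tmp_role($1_r, $1_usertype)`), so derived user domains presumably would not get it; if that is unintended, use `storage_rw_fuse($1_usertype)` and add `# user domains mount FUSE filesystems (fusermount)`. The template this hunk edits starts and ends outside the hunk.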
@@ -27723,17 +28360,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		mount_run($1_t, $1_r)
- 	')
++	')
 +
 +	# Run pppd in pppd_t by default for user
 +	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
-+	')
+ 	')
 +
  ')
  
  #######################################
-@@ -1050,7 +1118,7 @@
+@@ -1050,7 +1127,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -27742,7 +28379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	##############################
-@@ -1059,8 +1127,7 @@
+@@ -1059,8 +1136,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -27752,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1150,8 @@
+@@ -1083,7 +1159,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -27762,7 +28399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1167,7 @@
+@@ -1099,6 +1176,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -27770,7 +28407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1175,6 @@
+@@ -1106,8 +1184,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -27779,7 +28416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1229,6 @@
+@@ -1162,20 +1238,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -27800,7 +28437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1274,7 @@
+@@ -1221,6 +1283,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -27808,7 +28445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1340,15 @@
+@@ -1286,11 +1349,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -27824,7 +28461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1387,7 +1445,7 @@
+@@ -1387,7 +1454,7 @@
  
  ########################################
  ## <summary>
@@ -27833,7 +28470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1478,14 @@
+@@ -1420,6 +1487,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -27848,7 +28485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1435,9 +1501,11 @@
+@@ -1435,9 +1510,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -27860,7 +28497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1494,6 +1562,25 @@
+@@ -1494,6 +1571,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -27886,7 +28523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1547,9 +1634,9 @@
+@@ -1547,9 +1643,9 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -27898,7 +28535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1568,6 +1655,8 @@
+@@ -1568,6 +1664,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -27907,7 +28544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1643,6 +1732,7 @@
+@@ -1643,6 +1741,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -27915,7 +28552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,6 +1831,62 @@
+@@ -1741,6 +1840,62 @@
  
  ########################################
  ## <summary>
@@ -27978,7 +28615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Execute user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1757,14 +1903,6 @@
+@@ -1757,14 +1912,6 @@
  
  	files_search_home($1)
  	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -27993,7 +28630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1787,6 +1925,46 @@
+@@ -1787,6 +1934,46 @@
  
  ########################################
  ## <summary>
@@ -28040,7 +28677,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2819,6 +2997,24 @@
+@@ -1921,6 +2108,36 @@
+ 
+ ########################################
+ ## <summary>
++##	Create objects in the /root directory
++##	with an automatic type transition to
++##	a specified private type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private_type">
++##	<summary>
++##	The type of the object to create.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++#
++interface(`userdom_admin_home_dir_filetrans',`
++	gen_require(`
++		type admin_home_t;
++	')
++
++	filetrans_pattern($1, admin_home_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ##	Create objects in a user home directory
+ ##	with an automatic type transition to
+ ##	a specified private type.
+@@ -2819,6 +3036,24 @@
  
  ########################################
  ## <summary>
@@ -28065,7 +28739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Do not audit attempts to use user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -2851,6 +3047,7 @@
+@@ -2851,6 +3086,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -28073,7 +28747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_search_proc($1)
  ')
  
-@@ -2965,6 +3162,24 @@
+@@ -2965,6 +3201,24 @@
  
  ########################################
  ## <summary>
@@ -28098,7 +28772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3196,264 @@
+@@ -2981,3 +3235,264 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ad3b6a3..b9945c5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-4
+- Add wm policy
+
 * Tue Jan 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-3
 - Fixed for DeviceKit