diff --git a/policy-20080710.patch b/policy-20080710.patch
index 110afb5..0493f77 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -6940,7 +6940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## all protocols (TCP, UDP, etc)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400
@@ -5,6 +5,13 @@
#
# Declarations
@@ -6955,7 +6955,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Mark process types as domains
attribute domain;
-@@ -85,6 +92,7 @@
+@@ -80,11 +87,14 @@
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++kernel_read_crypto_sysctls(domain)
++
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
# a keyring
kernel_dontaudit_search_key(domain)
kernel_dontaudit_link_key(domain)
@@ -6963,7 +6970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# create child processes in the domain
allow domain self:process { fork sigchld };
-@@ -131,6 +139,9 @@
+@@ -131,6 +141,9 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
@@ -6973,7 +6980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -140,7 +151,7 @@
+@@ -140,7 +153,7 @@
# For /proc/pid
allow unconfined_domain_type domain:dir list_dir_perms;
@@ -6982,7 +6989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
-@@ -148,3 +159,39 @@
+@@ -148,3 +161,39 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7913,7 +7920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-20 14:00:25.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-10-21 10:34:57.000000000 -0400
@@ -1198,6 +1198,7 @@
')
@@ -7934,7 +7941,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1768,6 +1771,7 @@
+@@ -1569,6 +1572,26 @@
+
+ ########################################
+ ##
++## Read generic crypto sysctls.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_crypto_sysctls',`
++ gen_require(`
++ type proc_t, sysctl_t, sysctl_crypto_t;
++ ')
++
++ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t)
++
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
++')
++
++########################################
++##
+ ## Read generic kernel sysctls.
+ ##
+ ##
+@@ -1768,6 +1791,7 @@
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -7942,7 +7976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2582,6 +2586,24 @@
+@@ -2582,6 +2606,24 @@
########################################
##
@@ -7969,7 +8003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-10-21 10:34:03.000000000 -0400
@@ -63,6 +63,15 @@
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -7986,7 +8020,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# kvmFS
#
-@@ -160,6 +169,7 @@
+@@ -120,6 +129,10 @@
+ type sysctl_rpc_t, sysctl_type;
+ genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0)
+
++# /proc/sys/crypto directory and files
++type sysctl_crypto_t, sysctl_type;
++genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0)
++
+ # /proc/sys/fs directory and files
+ type sysctl_fs_t, sysctl_type;
+ files_mountpoint(sysctl_fs_t)
+@@ -160,6 +173,7 @@
#
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -7994,7 +8039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -274,6 +284,8 @@
+@@ -274,6 +288,8 @@
fs_rw_tmpfs_chr_files(kernel_t)
')
@@ -10499,7 +10544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-20 15:37:58.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-21 09:18:28.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -10593,18 +10638,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -180,6 +220,10 @@
+@@ -180,6 +220,13 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
++typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
++
+typeattribute httpd_sys_content_t httpdcontent, httpd_ro_content; # customizable
+typeattribute httpd_sys_content_rw_t httpdcontent, httpd_rw_content; # customizable
+typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -202,12 +246,16 @@
+@@ -202,12 +249,16 @@
prelink_object_file(httpd_modules_t)
')
@@ -10622,7 +10670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -249,6 +297,7 @@
+@@ -249,6 +300,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -10630,7 +10678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -260,9 +309,9 @@
+@@ -260,9 +312,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -10643,7 +10691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -289,6 +338,7 @@
+@@ -289,6 +341,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -10651,7 +10699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -299,6 +349,7 @@
+@@ -299,6 +352,7 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_all_nodes(httpd_t)
@@ -10659,7 +10707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
-@@ -312,12 +363,11 @@
+@@ -312,12 +366,11 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -10674,7 +10722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(httpd_t)
-@@ -335,6 +385,10 @@
+@@ -335,6 +388,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -10685,7 +10733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -351,18 +405,33 @@
+@@ -351,18 +408,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -10723,7 +10771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -370,20 +439,45 @@
+@@ -370,20 +442,45 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -10770,7 +10818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,11 +488,12 @@
+@@ -394,11 +491,12 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -10786,7 +10834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_nfs_files(httpd_t)
fs_read_nfs_symlinks(httpd_t)
')
-@@ -408,6 +503,11 @@
+@@ -408,6 +506,11 @@
fs_read_cifs_symlinks(httpd_t)
')
@@ -10798,7 +10846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +541,13 @@
+@@ -441,8 +544,13 @@
')
optional_policy(`
@@ -10814,7 +10862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -454,18 +559,13 @@
+@@ -454,18 +562,13 @@
')
optional_policy(`
@@ -10834,7 +10882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -475,6 +575,12 @@
+@@ -475,6 +578,12 @@
openca_kill(httpd_t)
')
@@ -10847,7 +10895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-@@ -482,6 +588,7 @@
+@@ -482,6 +591,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
@@ -10855,7 +10903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -490,6 +597,7 @@
+@@ -490,6 +600,7 @@
')
optional_policy(`
@@ -10863,7 +10911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -519,9 +627,28 @@
+@@ -519,9 +630,28 @@
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
@@ -10892,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
-@@ -551,22 +678,27 @@
+@@ -551,22 +681,27 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -10926,7 +10974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -584,12 +716,14 @@
+@@ -584,12 +719,14 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -10942,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +732,7 @@
+@@ -598,9 +735,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -10953,7 +11001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +765,25 @@
+@@ -633,12 +768,25 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -10982,7 +11030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +792,12 @@
+@@ -647,6 +795,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -10995,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,10 +815,6 @@
+@@ -664,10 +818,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -11006,7 +11054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache system script local policy
-@@ -677,7 +824,8 @@
+@@ -677,7 +827,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -11016,7 +11064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +839,15 @@
+@@ -691,12 +842,15 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -11034,7 +11082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +855,30 @@
+@@ -704,6 +858,30 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -11065,7 +11113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +891,10 @@
+@@ -716,10 +894,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11080,7 +11128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -727,6 +902,8 @@
+@@ -727,6 +905,8 @@
# httpd_rotatelogs local policy
#
@@ -11089,7 +11137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +918,56 @@
+@@ -741,3 +921,56 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -17120,25 +17168,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.5.13/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-17 10:31:27.000000000 -0400
-@@ -20,6 +20,42 @@
++++ serefpolicy-3.5.13/policy/modules/services/nscd.if 2008-10-20 16:13:12.000000000 -0400
+@@ -2,7 +2,27 @@
########################################
##
-+## Send signulls to NSCD.
+-## Send generic signals to NSCD.
++## Execute NSCD in the nscd domain.
+##
+##
+##
-+## Domain allowed access.
++## The type of the process performing this action.
+##
+##
+#
-+interface(`nscd_signull',`
++interface(`nscd_domtrans',`
+ gen_require(`
-+ type nscd_t;
++ type nscd_t, nscd_exec_t;
+ ')
+
-+ allow $1 nscd_t:process signull;
++ corecmd_search_bin($1)
++ domtrans_pattern($1, nscd_exec_t, nscd_t)
++')
++
++########################################
++##
++## Allow the specified domain to execute nscd
++## in the caller domain.
+ ##
+ ##
+ ##
+@@ -10,37 +30,53 @@
+ ##
+ ##
+ #
+-interface(`nscd_signal',`
++interface(`nscd_exec',`
++ gen_require(`
++ type nscd_exec_t;
++ ')
++
++ can_exec($1, nscd_exec_t)
+')
+
+########################################
@@ -17152,18 +17222,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+#
+interface(`nscd_sigkill',`
-+ gen_require(`
-+ type nscd_t;
-+ ')
-+
+ gen_require(`
+ type nscd_t;
+ ')
+
+- allow $1 nscd_t:process signal;
+ allow $1 nscd_t:process sigkill;
-+')
-+
-+########################################
-+##
- ## Execute NSCD in the nscd domain.
+ ')
+
+ ########################################
+ ##
+-## Execute NSCD in the nscd domain.
++## Send generic signals to NSCD.
##
##
+ ##
+-## The type of the process performing this action.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`nscd_domtrans',`
++interface(`nscd_signal',`
+ gen_require(`
+- type nscd_t, nscd_exec_t;
++ type nscd_t;
+ ')
+
+- corecmd_search_bin($1)
+- domtrans_pattern($1, nscd_exec_t, nscd_t)
++ allow $1 nscd_t:process signal;
+ ')
+
+ ########################################
+ ##
+-## Allow the specified domain to execute nscd
+-## in the caller domain.
++## Send signulls to NSCD.
+ ##
+ ##
+ ##
+@@ -48,12 +84,12 @@
+ ##
+ ##
+ #
+-interface(`nscd_exec',`
++interface(`nscd_signull',`
+ gen_require(`
+- type nscd_exec_t;
++ type nscd_t;
+ ')
+
+- can_exec($1, nscd_exec_t)
++ allow $1 nscd_t:process signull;
+ ')
+
+ ########################################
@@ -70,15 +106,14 @@
interface(`nscd_socket_use',`
gen_require(`
@@ -18481,7 +18595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-21 11:23:16.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@@ -22987,7 +23101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-10-21 10:06:54.000000000 -0400
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -23008,16 +23122,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -65,7 +67,7 @@
+@@ -65,8 +67,7 @@
allow $1_ssh_t self:sem create_sem_perms;
allow $1_ssh_t self:msgq create_msgq_perms;
allow $1_ssh_t self:msg { send receive };
- allow $1_ssh_t self:tcp_socket create_socket_perms;
+- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
+ allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
- allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
# for rsync
-@@ -93,20 +95,21 @@
+ allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
+@@ -93,20 +94,21 @@
ps_process_pattern($2, $1_ssh_t)
# user can manage the keys and config
@@ -23047,7 +23162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled($1_ssh_t)
corenet_all_recvfrom_netlabel($1_ssh_t)
-@@ -115,6 +118,8 @@
+@@ -115,6 +117,8 @@
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
@@ -23056,7 +23171,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand($1_ssh_t)
-@@ -212,7 +217,7 @@
+@@ -133,6 +137,8 @@
+ files_read_etc_files($1_ssh_t)
+ files_read_var_files($1_ssh_t)
+
++ auth_use_nsswitch($1_ssh_t)
++
+ libs_use_ld_so($1_ssh_t)
+ libs_use_shared_libs($1_ssh_t)
+
+@@ -143,9 +149,6 @@
+
+ seutil_read_config($1_ssh_t)
+
+- sysnet_read_config($1_ssh_t)
+- sysnet_dns_name_resolve($1_ssh_t)
+-
+ tunable_policy(`read_default_t',`
+ files_list_default($1_ssh_t)
+ files_read_default_files($1_ssh_t)
+@@ -157,14 +160,6 @@
+ optional_policy(`
+ kerberos_use($1_ssh_t)
+ ')
+-
+- optional_policy(`
+- nis_use_ypbind($1_ssh_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_ssh_t)
+- ')
+ ')
+
+ #######################################
+@@ -212,7 +207,7 @@
ssh_basic_client_template($1, $2, $3)
@@ -23065,7 +23214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type $1_ssh_agent_t;
application_domain($1_ssh_agent_t, ssh_agent_exec_t)
-@@ -240,9 +245,9 @@
+@@ -240,9 +235,9 @@
manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -23078,7 +23227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-@@ -254,6 +259,8 @@
+@@ -254,6 +249,8 @@
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
userdom_search_user_home_dirs($1,$1_ssh_t)
@@ -23087,7 +23236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# needs to read krb tgt
-@@ -279,24 +286,14 @@
+@@ -279,24 +276,14 @@
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port($1_ssh_t)
@@ -23114,7 +23263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_agent_t local policy
-@@ -381,12 +378,9 @@
+@@ -381,12 +368,9 @@
optional_policy(`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
@@ -23128,7 +23277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# $1_ssh_keysign_t local policy
-@@ -413,6 +407,25 @@
+@@ -413,6 +397,25 @@
')
')
@@ -23154,7 +23303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
##
## The template to define a ssh server.
-@@ -443,13 +456,14 @@
+@@ -443,13 +446,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -23170,7 +23319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -478,7 +492,12 @@
+@@ -478,7 +482,12 @@
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
@@ -23183,7 +23332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_dontaudit_getattr_all_fs($1_t)
-@@ -506,9 +525,14 @@
+@@ -506,9 +515,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
@@ -23198,7 +23347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +541,7 @@
+@@ -517,11 +531,7 @@
optional_policy(`
kerberos_use($1_t)
@@ -23211,7 +23360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -710,3 +730,22 @@
+@@ -710,3 +720,22 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -23236,7 +23385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-17 10:31:27.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-10-21 10:05:20.000000000 -0400
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -23297,6 +23446,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_shell_domtrans(sshd_t)
')
+@@ -176,6 +197,8 @@
+ init_use_fds(ssh_keygen_t)
+ init_use_script_ptys(ssh_keygen_t)
+
++auth_use_nsswitch(ssh_keygen_t)
++
+ libs_use_ld_so(ssh_keygen_t)
+ libs_use_shared_libs(ssh_keygen_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.fc serefpolicy-3.5.13/policy/modules/services/stunnel.fc
--- nsaserefpolicy/policy/modules/services/stunnel.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/stunnel.fc 2008-10-17 10:31:27.000000000 -0400
@@ -23701,7 +23859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-17 17:26:09.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-21 11:39:30.000000000 -0400
@@ -16,6 +16,7 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -23946,7 +24104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -441,16 +385,16 @@
+@@ -441,16 +385,17 @@
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
@@ -23965,10 +24123,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
+ xserver_use_xdm($2)
++ xserver_rw_xdm_xserver_shm($2)
fs_search_auto_mountpoints($1_iceauth_t)
-@@ -473,33 +417,12 @@
+@@ -473,33 +418,12 @@
#
# Device rules
@@ -24005,7 +24164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
allow $2 info_xproperty_t:x_property { create write append };
-@@ -548,7 +471,7 @@
+@@ -548,7 +472,7 @@
allow $2 $1_xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -24014,7 +24173,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Client read xserver shm
allow $2 $1_xserver_t:fd use;
-@@ -616,7 +539,7 @@
+@@ -616,7 +540,7 @@
# refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
gen_require(`
type xdm_t, xdm_tmp_t;
@@ -24023,7 +24182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
allow $2 self:shm create_shm_perms;
-@@ -624,12 +547,12 @@
+@@ -624,12 +548,12 @@
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -24039,7 +24198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $2 xdm_tmp_t:dir search;
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
-@@ -649,13 +572,210 @@
+@@ -649,13 +573,210 @@
xserver_read_xdm_tmp_files($2)
@@ -24091,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $3 $1_rootwindow_t:x_drawable { list_property get_property set_property };
+ # X Windows
+ # operations allowed on root windows
-+ allow $3 $1_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive override destroy hide };
++ allow $3 $1_rootwindow_t:x_drawable { read getattr list_child add_child remove_child send receive override destroy hide };
+# type_transition $3 $1_rootwindow_t:x_drawable $2_t;
+
+ allow $3 $1_xproperty_t:x_property { write read };
@@ -24254,7 +24413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#######################################
##
## Interface to provide X object permissions on a given X server to
-@@ -682,7 +802,7 @@
+@@ -682,7 +803,7 @@
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -24263,7 +24422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
type xevent_t, client_xevent_t;
-@@ -691,7 +811,6 @@
+@@ -691,7 +812,6 @@
attribute x_server_domain, x_domain;
attribute xproperty_type;
attribute xevent_type, xextension_type;
@@ -24271,7 +24430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
class x_drawable all_x_drawable_perms;
class x_screen all_x_screen_perms;
-@@ -708,6 +827,7 @@
+@@ -708,6 +828,7 @@
class x_resource all_x_resource_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
@@ -24279,7 +24438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -715,20 +835,22 @@
+@@ -715,20 +836,22 @@
# Declarations
#
@@ -24305,7 +24464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
# Local Policy
-@@ -746,7 +868,7 @@
+@@ -746,7 +869,7 @@
allow $3 x_server_domain:x_server getattr;
# everyone can do override-redirect windows.
# this could be used to spoof labels
@@ -24314,7 +24473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# everyone can receive management events on the root window
# allows to know when new windows appear, among other things
allow $3 manage_xevent_t:x_event receive;
-@@ -755,36 +877,30 @@
+@@ -755,36 +878,30 @@
# can read server-owned resources
allow $3 x_server_domain:x_resource read;
# can mess with own clients
@@ -24361,7 +24520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Input
# can receive own events
-@@ -811,6 +927,12 @@
+@@ -811,6 +928,12 @@
allow $3 manage_xevent_t:x_synthetic_event send;
allow $3 client_xevent_t:x_synthetic_event send;
@@ -24374,7 +24533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Selections
# can use the clipboard
allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-@@ -819,13 +941,15 @@
+@@ -819,13 +942,15 @@
# Other X Objects
# can create and use cursors
@@ -24394,7 +24553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined($3),
-@@ -885,24 +1009,17 @@
+@@ -885,24 +1010,17 @@
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -24426,7 +24585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow connections to X server.
files_search_tmp($3)
-@@ -917,16 +1034,16 @@
+@@ -917,16 +1035,16 @@
xserver_rw_session_template($1, $3, $4)
xserver_use_user_fonts($1, $3)
@@ -24450,7 +24609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -958,26 +1075,43 @@
+@@ -958,26 +1076,43 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@@ -24501,7 +24660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Transition to a user Xauthority domain.
##
##
-@@ -1003,10 +1137,77 @@
+@@ -1003,10 +1138,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
@@ -24581,7 +24740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1036,10 +1237,10 @@
+@@ -1036,10 +1238,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -24594,7 +24753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1180,7 +1381,7 @@
+@@ -1180,7 +1382,7 @@
type xdm_t;
')
@@ -24603,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1225,6 +1426,25 @@
+@@ -1225,6 +1427,25 @@
########################################
##
@@ -24629,7 +24788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read xdm-writable configuration files.
##
##
-@@ -1239,7 +1459,7 @@
+@@ -1239,7 +1460,7 @@
')
files_search_etc($1)
@@ -24638,7 +24797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1279,6 +1499,7 @@
+@@ -1279,6 +1500,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -24646,7 +24805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1297,7 +1518,7 @@
+@@ -1297,7 +1519,7 @@
')
files_search_pids($1)
@@ -24655,7 +24814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1315,7 +1536,25 @@
+@@ -1315,7 +1537,25 @@
type xdm_var_lib_t;
')
@@ -24682,7 +24841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1330,15 +1569,47 @@
+@@ -1330,15 +1570,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@@ -24731,7 +24890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -1488,7 +1759,7 @@
+@@ -1488,7 +1760,7 @@
type xdm_xserver_tmp_t;
')
@@ -24740,7 +24899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1680,6 +1951,26 @@
+@@ -1680,6 +1952,26 @@
########################################
##
@@ -24767,7 +24926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## xdm xserver RW shared memory socket.
##
##
-@@ -1698,6 +1989,24 @@
+@@ -1698,6 +1990,24 @@
########################################
##
@@ -24792,7 +24951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1710,8 +2019,157 @@
+@@ -1710,8 +2020,157 @@
#
interface(`xserver_unconfined',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4b801c0..2d7a401 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -312,6 +312,7 @@ Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
+Obsoletes: mod_fcgid-selinux
%description targeted
SELinux Reference policy targeted base module.
@@ -461,6 +462,9 @@ exit 0
%endif
%changelog
+* Tue Oct 21 2008 Dan Walsh 3.5.13-3
+- Remove mod_fcgid-selinux package
+
* Mon Oct 20 2008 Dan Walsh 3.5.13-2
- Fix dovecot access