@@ -27068,7 +27280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc
--- nsaserefpolicy/policy/modules/services/zabbix.fc 2007-04-11 15:52:54.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/zabbix.fc 2008-04-21 11:02:50.221767000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zabbix.fc 2008-04-21 11:02:50.000000000 -0400
@@ -1,5 +1,8 @@
+
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
@@ -27080,7 +27292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb
+/etc/rc.d/init.d/zabbix -- gen_context(system_u:object_r:zabbix_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.if serefpolicy-3.3.1/policy/modules/services/zabbix.if
--- nsaserefpolicy/policy/modules/services/zabbix.if 2008-02-06 10:33:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/zabbix.if 2008-04-21 11:02:50.226767000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zabbix.if 2008-04-21 11:02:50.000000000 -0400
@@ -79,6 +79,25 @@
########################################
@@ -27139,7 +27351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.te serefpolicy-3.3.1/policy/modules/services/zabbix.te
--- nsaserefpolicy/policy/modules/services/zabbix.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/zabbix.te 2008-04-21 11:02:50.261767000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zabbix.te 2008-04-21 11:02:50.000000000 -0400
@@ -18,6 +18,9 @@
type zabbix_var_run_t;
files_pid_file(zabbix_var_run_t)
@@ -27152,7 +27364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabb
# zabbix local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.fc serefpolicy-3.3.1/policy/modules/services/zebra.fc
--- nsaserefpolicy/policy/modules/services/zebra.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/zebra.fc 2008-04-21 11:02:50.275767000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zebra.fc 2008-04-21 11:02:50.000000000 -0400
@@ -14,3 +14,10 @@
/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
@@ -27166,7 +27378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
+/etc/rc.d/init.d/zebra -- gen_context(system_u:object_r:zebra_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.3.1/policy/modules/services/zebra.if
--- nsaserefpolicy/policy/modules/services/zebra.if 2008-02-06 10:33:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/zebra.if 2008-04-21 11:02:50.280767000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zebra.if 2008-04-21 11:02:50.000000000 -0400
@@ -18,12 +18,32 @@
files_search_etc($1)
@@ -27243,7 +27455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-3.3.1/policy/modules/services/zebra.te
--- nsaserefpolicy/policy/modules/services/zebra.te 2008-02-06 10:33:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/zebra.te 2008-04-21 11:02:50.286766000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/zebra.te 2008-04-21 11:02:50.000000000 -0400
@@ -30,6 +30,9 @@
type zebra_var_run_t;
files_pid_file(zebra_var_run_t)
@@ -27265,7 +27477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-04-21 12:03:55.507562000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-04-21 12:03:55.000000000 -0400
@@ -7,12 +7,10 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -27294,7 +27506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-21 11:02:50.300767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-28 09:15:47.070186000 -0400
@@ -99,7 +99,7 @@
template(`authlogin_per_role_template',`
@@ -27312,7 +27524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
domain_type($1)
-@@ -177,12 +178,27 @@
+@@ -177,12 +178,28 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -27325,6 +27537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ allow $1 self:process setkeycreate;
+ allow $1 self:key manage_key_perms;
+ userdom_manage_all_users_keys($1)
++ init_script_search_keyring($1)
+
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
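Review bot: The added `init_script_search_keyring($1)` line gives every domain that instantiates this block `search` on keys labelled initrc_t, and nothing next to it says why a login program needs that. It sits beside `allow $1 self:key manage_key_perms;` and `userdom_manage_all_users_keys($1)`, so the key permissions granted here are already broad, and a one-line rationale would let a later reader judge whether the grant can be dropped. If the reason is a session keyring inherited from the init script that started the program, a comment such as `# search the session keyring inherited from initrc_t` above the call would do. The interface is defined in the init.if hunk further down as `allow $1 initrc_t:key search;`, and the enclosing block starts and ends outside this hunk.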
@@ -27340,7 +27553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
-@@ -226,8 +242,38 @@
+@@ -226,8 +243,38 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -27379,7 +27592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -342,6 +388,8 @@
+@@ -342,6 +389,8 @@
optional_policy(`
kerberos_use($1)
@@ -27388,7 +27601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -356,6 +404,28 @@
+@@ -356,6 +405,28 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -27417,7 +27630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -369,12 +439,12 @@
+@@ -369,12 +440,12 @@
##
##
##
@@ -27432,7 +27645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
##
##
#
-@@ -386,6 +456,7 @@
+@@ -386,6 +457,7 @@
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -27440,7 +27653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -1457,6 +1528,7 @@
+@@ -1457,6 +1529,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -27448,7 +27661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -1491,3 +1563,59 @@
+@@ -1491,3 +1564,59 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -27510,7 +27723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-04-21 11:02:50.306767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-04-21 11:02:50.000000000 -0400
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -27592,7 +27805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.3.1/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2007-09-26 12:15:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.fc 2008-04-21 11:02:50.311767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/fstools.fc 2008-04-21 11:02:50.000000000 -0400
@@ -1,4 +1,3 @@
-/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -27608,7 +27821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.3.1/policy/modules/system/fstools.if
--- nsaserefpolicy/policy/modules/system/fstools.if 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.if 2008-04-21 11:02:50.316767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/fstools.if 2008-04-21 11:02:50.000000000 -0400
@@ -81,10 +81,10 @@
#
interface(`fstools_read_pipes',`
@@ -27624,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.3.1/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-04-21 11:02:50.323767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/fstools.te 2008-04-21 11:02:50.000000000 -0400
@@ -97,6 +97,10 @@
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -27648,7 +27861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.3.1/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/getty.te 2008-04-21 11:02:50.329766000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/getty.te 2008-04-21 11:02:50.000000000 -0400
@@ -9,6 +9,7 @@
type getty_t;
type getty_exec_t;
@@ -27659,7 +27872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
type getty_etc_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.3.1/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/hostname.te 2008-04-21 11:02:50.334767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/hostname.te 2008-04-21 11:02:50.000000000 -0400
@@ -8,7 +8,9 @@
type hostname_t;
@@ -27673,7 +27886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.3.1/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/hotplug.te 2008-04-21 11:02:50.340767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/hotplug.te 2008-04-21 11:02:50.000000000 -0400
@@ -179,6 +179,7 @@
sysnet_read_dhcpc_pid(hotplug_t)
sysnet_rw_dhcp_config(hotplug_t)
@@ -27684,7 +27897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.3.1/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.fc 2008-04-21 11:02:50.345767000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.fc 2008-04-21 11:02:50.000000000 -0400
@@ -4,8 +4,7 @@
/etc/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -27702,7 +27915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.3.1/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-04-21 11:02:50.353764000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.if 2008-04-28 09:15:35.654776000 -0400
@@ -211,6 +211,13 @@
kernel_dontaudit_use_fds($1)
')
@@ -27769,7 +27982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
')
-@@ -567,19 +576,66 @@
+@@ -567,23 +576,70 @@
#
interface(`init_domtrans_script',`
gen_require(`
@@ -27817,11 +28030,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 $2:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -27834,12 +28047,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
@@ -609,11 +665,11 @@
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
@@ -27939,7 +28156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1273,3 +1349,114 @@
+@@ -1273,3 +1349,131 @@
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
@@ -28053,10 +28270,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ allow init_t $1:unix_dgram_socket sendto;
+')
+
++########################################
++##
++## Search for initrc_t kernel keyrings
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_script_search_keyring',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ allow $1 initrc_t:key search;
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-04-21 11:02:50.360757000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-04-21 11:02:50.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@@ -28348,7 +28582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.3.1/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-04-21 11:02:50.365752000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iptables.te 2008-04-21 11:02:50.000000000 -0400
@@ -48,6 +48,7 @@
fs_getattr_xattr_fs(iptables_t)
@@ -28359,7 +28593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.3.1/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-21 11:02:50.370747000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/iscsi.te 2008-04-28 10:29:25.956857000 -0400
@@ -29,7 +29,7 @@
#
@@ -28379,7 +28613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-21 11:02:50.389728000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-04-21 11:02:50.000000000 -0400
@@ -69,8 +69,10 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
@@ -28454,7 +28688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.3.1/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-21 11:02:50.394723000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.te 2008-04-21 11:02:50.000000000 -0400
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
@@ -28523,7 +28757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.3.1/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/locallogin.te 2008-04-21 11:02:50.401716000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/locallogin.te 2008-04-21 11:02:50.000000000 -0400
@@ -131,6 +131,7 @@
miscfiles_read_localization(local_login_t)
@@ -28574,7 +28808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-04-21 11:02:50.407709000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-04-21 11:02:50.000000000 -0400
@@ -4,6 +4,8 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -28604,7 +28838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-21 11:02:50.414703000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-21 11:02:50.000000000 -0400
@@ -213,12 +213,7 @@
##
#
@@ -28831,7 +29065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-04-21 11:02:50.421696000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-04-21 11:02:50.000000000 -0400
@@ -61,10 +61,29 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -29054,7 +29288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-04-21 11:02:50.426691000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/lvm.fc 2008-04-21 11:02:50.000000000 -0400
@@ -55,6 +55,7 @@
/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -29070,7 +29304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-23 10:09:00.750545000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-23 10:09:00.000000000 -0400
@@ -22,7 +22,7 @@
role system_r types lvm_t;
@@ -29249,7 +29483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.3.1/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-08-22 17:33:53.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.fc 2008-04-21 11:02:50.437680000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.fc 2008-04-21 11:02:50.000000000 -0400
@@ -11,6 +11,7 @@
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
@@ -29265,7 +29499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
+HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-21 16:33:42.509785000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if 2008-04-21 16:33:42.000000000 -0400
@@ -489,3 +489,65 @@
manage_lnk_files_pattern($1,locale_t,locale_t)
')
@@ -29334,7 +29568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.3.1/policy/modules/system/miscfiles.te
--- nsaserefpolicy/policy/modules/system/miscfiles.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.te 2008-04-21 11:02:50.449668000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.te 2008-04-21 11:02:50.000000000 -0400
@@ -20,6 +20,14 @@
files_type(fonts_t)
@@ -29352,7 +29586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
type hwdata_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.3.1/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.if 2008-04-21 11:02:50.455662000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/modutils.if 2008-04-21 11:02:50.000000000 -0400
@@ -66,6 +66,25 @@
########################################
@@ -29381,7 +29615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-21 11:02:50.461656000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-21 11:02:50.000000000 -0400
@@ -22,6 +22,8 @@
type insmod_exec_t;
application_domain(insmod_t,insmod_exec_t)
@@ -29524,7 +29758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
#################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.3.1/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2008-04-21 11:02:50.466651000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2008-04-21 11:02:50.000000000 -0400
@@ -1,4 +1,6 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -29536,7 +29770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.3.1/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/mount.if 2008-04-21 11:02:50.472644000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.if 2008-04-21 11:02:50.000000000 -0400
@@ -48,7 +48,9 @@
mount_domtrans($1)
@@ -29550,7 +29784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
samba_run_smbmount($1, $2, $3)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-04-22 14:45:02.004951000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-04-22 14:45:02.000000000 -0400
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -29698,14 +29932,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.fc serefpolicy-3.3.1/policy/modules/system/qemu.fc
--- nsaserefpolicy/policy/modules/system/qemu.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2008-04-21 11:02:50.484633000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,3 @@
+
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-04-21 11:02:50.489628000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,303 @@
+
+## policy for qemu
@@ -30012,8 +30246,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-21 11:02:50.493624000 -0400
-@@ -0,0 +1,50 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.857051000 -0400
+@@ -0,0 +1,49 @@
+policy_module(qemu,1.0.0)
+
+##
@@ -30060,13 +30294,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
+unconfined_domain_noaudit(qemu_unconfined_t)
+allow qemu_unconfined_t self:process { execstack execmem };
+
-+
+optional_policy(`
+ xserver_xdm_rw_shm(qemu_unconfined_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-21 11:02:50.497620000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-21 11:02:50.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@@ -30094,7 +30327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc 2008-04-21 11:02:50.502615000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc 2008-04-21 11:02:50.000000000 -0400
@@ -38,7 +38,7 @@
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
@@ -30106,7 +30339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-04-21 11:02:50.511606000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-04-21 11:02:50.000000000 -0400
@@ -215,8 +215,6 @@
seutil_domtrans_newrole($1)
role $2 types newrole_t;
@@ -30390,7 +30623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-21 11:02:50.518599000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-28 10:24:53.045591000 -0400
@@ -75,7 +75,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -30628,7 +30861,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -617,16 +596,8 @@
+@@ -572,9 +551,7 @@
+ selinux_compute_relabel_context(setfiles_t)
+ selinux_compute_user_contexts(setfiles_t)
+
+-term_use_all_user_ttys(setfiles_t)
+-term_use_all_user_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
++term_use_all_terms(setfiles_t)
+
+ # this is to satisfy the assertion:
+ auth_relabelto_shadow(setfiles_t)
+@@ -617,16 +594,8 @@
')
')
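Review bot: `term_use_all_terms(setfiles_t)` in the new `@@ -572,9 +551,7 @@` section does not look like a like-for-like replacement for the three calls it removes. `term_use_all_user_ttys`, `term_use_all_user_ptys` and `term_use_unallocated_ttys` are limited to user and unallocated terminals, while the all-terms interface appears to cover every tty and pty type plus the console. The context line `auth_relabelto_shadow(setfiles_t)` shows that setfiles_t is already a privileged relabeling domain, so widening what it can read and write deserves a stated reason. Either keep the three narrower calls, or record the intent above the new line, for example `# setfiles is started from many domains and must write to whichever terminal it inherits`, if that is the motivation.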
@@ -30649,7 +30893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-3.3.1/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te 2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/setrans.te 2008-04-21 11:02:50.523594000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/setrans.te 2008-04-21 11:02:50.000000000 -0400
@@ -28,7 +28,7 @@
#
@@ -30669,7 +30913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-07-16 14:09:49.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-04-21 11:02:50.529588000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if 2008-04-21 11:02:50.000000000 -0400
@@ -145,6 +145,25 @@
########################################
@@ -30768,7 +31012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.3.1/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-04-22 07:16:34.625592000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.te 2008-04-22 07:16:34.000000000 -0400
@@ -45,7 +45,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
@@ -30919,9 +31163,63 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
kernel_read_xen_state(ifconfig_t)
kernel_write_xen_state(ifconfig_t)
xen_append_log(ifconfig_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.3.1/policy/modules/system/udev.if
+--- nsaserefpolicy/policy/modules/system/udev.if 2007-01-02 12:57:49.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-28 10:54:03.940707000 -0400
+@@ -96,6 +96,24 @@
+
+ ########################################
+ ##
++## dontaudit process read list of devices.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`udev_dontaudit_search_db',`
++ gen_require(`
++ type udev_tbl_t;
++ ')
++
++ dontaudit $1 udev_tbl_t:dir search_dir_perms;
++')
++
++########################################
++##
+ ## Allow process to read list of devices.
+ ##
+ ##
+@@ -106,11 +124,11 @@
+ #
+ interface(`udev_read_db',`
+ gen_require(`
+- type udev_tdb_t;
++ type udev_tbl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 udev_tdb_t:file read_file_perms;
++ read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ ')
+
+ ########################################
+@@ -125,9 +143,9 @@
+ #
+ interface(`udev_rw_db',`
+ gen_require(`
+- type udev_tdb_t;
++ type udev_tbl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 udev_tdb_t:file rw_file_perms;
++ allow $1 udev_tbl_t:file rw_file_perms;
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.3.1/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-04-21 11:02:50.541576000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/udev.te 2008-04-21 11:02:50.000000000 -0400
@@ -83,6 +83,7 @@
kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
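Review bot: `udev_rw_db` still grants only `allow $1 udev_tbl_t:file rw_file_perms;`, while `udev_read_db` in the same section was moved to `read_files_pattern($1, udev_tbl_t, udev_tbl_t)`, which also gives search on the containing directory. The new `udev_dontaudit_search_db` targets `udev_tbl_t:dir`, which suggests the database now lives in a directory of that type, so read-write callers would presumably need the directory permission too; `rw_files_pattern($1, udev_tbl_t, udev_tbl_t)` would keep the two interfaces parallel. The summary of `udev_dontaudit_search_db` says "read list of devices" although the rule only silences directory search; `## Do not audit attempts to search the udev database directory.` describes it more accurately. The rename from udev_tdb_t to udev_tbl_t also depends on matching declarations in udev.te and udev.fc, which are not part of this hunk.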
@@ -30979,7 +31277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-04-21 11:02:50.546571000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-04-21 11:02:50.000000000 -0400
@@ -2,15 +2,16 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -31003,7 +31301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-21 11:02:50.553564000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-25 13:52:57.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -31038,15 +31336,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
kernel_unconfined($1)
corenet_unconfined($1)
-@@ -40,6 +40,7 @@
+@@ -40,10 +40,16 @@
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
-+ domain_mmap_low($1)
++
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
-@@ -70,6 +71,7 @@
+
++ domain_mmap_low_type($1)
++ tunable_policy(`allow_unconfined_mmap_low',`
++ domain_mmap_low($1)
++ ')
++
+ tunable_policy(`allow_execheap',`
+ # Allow making the stack executable via mprotect.
+ allow $1 self:process execheap;
+@@ -70,6 +76,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
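Review bot: The tunable_policy block for allow_unconfined_mmap_low sits inside `unconfined_domain_noaudit`, so turning the boolean on grants `domain_mmap_low` to every domain that calls this interface, not to a single unconfined domain. The description added with `gen_tunable(allow_unconfined_mmap_low,false)` in the later unconfined.te hunk ("Allow unconfined domain to map low memory in the kernel") does not say that. Low-address mappings weaken the kernel's protection against NULL-pointer dereference bugs, so the declaration should state the scope and the cost, e.g. `## Allow all unconfined domains to mmap low memory; weakens kernel NULL-dereference protection, keep off unless required.` `domain_mmap_low_type($1)` remains unconditional, and a one-line comment on what it grants by itself would help, since its definition is not shown here. The interface body starts and ends outside this hunk.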
@@ -31054,7 +31361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -95,6 +97,10 @@
+@@ -95,6 +102,10 @@
optional_policy(`
storage_unconfined($1)
')
@@ -31065,7 +31372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -372,6 +378,24 @@
+@@ -372,6 +383,24 @@
########################################
##
@@ -31090,7 +31397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## Send generic signals to the unconfined domain.
##
##
-@@ -581,7 +605,6 @@
+@@ -581,7 +610,6 @@
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
@@ -31098,19 +31405,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,49 +612,209 @@
+@@ -589,7 +617,7 @@
########################################
##
-## Read files in unconfined users home directories.
+## Allow ptrace of unconfined domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -597,20 +625,53 @@
+ ##
+ ##
+ #
+-interface(`unconfined_read_home_content_files',`
+interface(`unconfined_ptrace',`
+ gen_require(`
+ type unconfined_t;
@@ -31148,34 +31456,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+##
+#
+interface(`unconfined_execmem_rw_shm',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_home_dir_t, unconfined_home_t;
+ type unconfined_execmem_t;
-+ ')
-+
+ ')
+
+- files_search_home($1)
+- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
+- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
+ allow $1 unconfined_execmem_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read unconfined users temporary files.
+## Transition to the unconfined_execmem domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -618,20 +679,58 @@
+ ##
+ ##
+ #
+-interface(`unconfined_read_tmp_files',`
+interface(`unconfined_execmem_domtrans',`
+
-+ gen_require(`
+ gen_require(`
+- type unconfined_tmp_t;
+ type unconfined_execmem_t, unconfined_execmem_exec_t;
-+ ')
-+
+ ')
+
+- files_search_tmp($1)
+- allow $1 unconfined_tmp_t:dir list_dir_perms;
+- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
+ domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write unconfined users temporary files.
+## allow attempts to use unconfined ttys and ptys.
+##
+##
@@ -31217,15 +31538,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+########################################
+##
+## Allow apps to set rlimits on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -639,10 +738,99 @@
+ ##
+ ##
+ #
+-interface(`unconfined_write_tmp_files',`
+interface(`unconfined_set_rlimitnh',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_tmp_t;
+ type unconfined_t;
+ ')
+
@@ -31254,83 +31577,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+########################################
+##
+## Read/write unconfined tmpfs files.
- ##
++##
+##
+##
+## Read/write unconfined tmpfs files.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`unconfined_read_home_content_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`unconfined_rw_tmpfs_files',`
- gen_require(`
-- type unconfined_home_dir_t, unconfined_home_t;
++ gen_require(`
+ type unconfined_tmpfs_t;
- ')
-
-- files_search_home($1)
-- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
-- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
++ ')
++
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
-
- ########################################
- ##
--## Read unconfined users temporary files.
++')
++
++########################################
++##
+## Delete unconfined tmpfs files.
- ##
++##
+##
+##
+## Read/write unconfined tmpfs files.
+##
+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`unconfined_read_tmp_files',`
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`unconfined_delete_tmpfs_files',`
- gen_require(`
-- type unconfined_tmp_t;
++ gen_require(`
+ type unconfined_tmpfs_t;
- ')
-
-- files_search_tmp($1)
-- allow $1 unconfined_tmp_t:dir list_dir_perms;
-- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
++ ')
++
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ delete_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
- ')
-
- ########################################
- ##
--## Write unconfined users temporary files.
++')
++
++########################################
++##
+## Get the process group of unconfined.
- ##
- ##
- ##
-@@ -639,10 +822,10 @@
- ##
- ##
- #
--interface(`unconfined_write_tmp_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`unconfined_getpgid',`
- gen_require(`
-- type unconfined_tmp_t;
++ gen_require(`
+ type unconfined_t;
')
@@ -31339,8 +31646,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-24 16:57:46.339086000 -0400
-@@ -6,35 +6,67 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-25 14:52:17.000000000 -0400
+@@ -6,35 +6,74 @@
# Declarations
#
@@ -31353,6 +31660,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+##
+##
++## Allow unconfined domain to map low memory in the kernel
++##
++##
++gen_tunable(allow_unconfined_mmap_low,false)
++
++##
++##
+## Transition to confined qemu domains from unconfined user
+##
+##
@@ -31412,7 +31726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +74,44 @@
+@@ -42,37 +81,44 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -31467,7 +31781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -101,12 +140,24 @@
+@@ -101,12 +147,24 @@
')
optional_policy(`
@@ -31492,7 +31806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -118,11 +169,7 @@
+@@ -118,11 +176,7 @@
')
optional_policy(`
@@ -31505,7 +31819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -134,82 +181,97 @@
+@@ -134,82 +188,97 @@
')
optional_policy(`
@@ -31628,7 +31942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -219,14 +281,35 @@
+@@ -219,14 +288,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -31671,7 +31985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+domain_ptrace_all_domains(unconfined_notrans_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-04-21 11:02:50.564553000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc 2008-04-21 11:02:50.000000000 -0400
@@ -1,4 +1,5 @@
-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
-HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
@@ -31684,7 +31998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-24 15:08:40.156331000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-28 15:32:37.832254000 -0400
@@ -29,9 +29,14 @@
')
@@ -34467,7 +34781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ attribute user_home_type;
+ ')
+
-+ allow $1 user_home_type:file write;
++ allow $1 user_home_type:file write_file_perms;
+')
+
+########################################
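Review bot: `allow $1 user_home_type:file write_file_perms;` widens this interface from the single `write` permission to a whole permission set, and because user_home_type is an attribute the grant covers every home-content type for every caller. The interface name and its summary lie outside the hunk; if the summary still describes plain write access, it should be updated to list what the set adds (confirm the exact members against obj_perm_sets.spt in this tree). A comment such as `# write_file_perms rather than write: needed for <denial>` would let a later reviewer narrow it again.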
@@ -34655,7 +34969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-21 11:02:50.596521000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-21 11:02:50.000000000 -0400
@@ -2,12 +2,7 @@
policy_module(userdomain,2.5.0)
@@ -34963,7 +35277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.3.1/policy/modules/system/virt.fc
--- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.fc 2008-04-21 11:02:50.601516000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,13 @@
+
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -34980,7 +35294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.3.1/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-04-21 11:02:50.606511000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/virt.if 2008-04-28 16:10:44.344207000 -0400
@@ -0,0 +1,324 @@
+
+## policy for virt
@@ -35308,8 +35622,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-23 10:09:03.411358000 -0400
-@@ -0,0 +1,174 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-28 16:24:22.547363000 -0400
+@@ -0,0 +1,197 @@
+
+policy_module(virt,1.0.0)
+
@@ -35364,8 +35678,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+#
+# virtd local policy
+#
-+allow virtd_t self:capability { dac_override kill net_admin setgid };
-+allow virtd_t self:process { sigkill signal };
++allow virtd_t self:capability { dac_override kill net_admin setgid sys_ptrace };
++allow virtd_t self:process { sigkill signal execmem };
+allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_t self:tcp_socket create_stream_socket_perms;
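Review bot: The virtd_t self rules gain `sys_ptrace` and `execmem` with no comment on what requires them, on a domain that already holds dac_override, net_admin and setgid and can create TCP sockets. execmem permits writable-and-executable mappings and sys_ptrace lets the daemon trace other processes, so both reduce what the confinement is worth if virtd is compromised. Each should carry a why-comment, e.g. `# execmem: needed by <component>, see <bug id>` and `# sys_ptrace: needed for <operation>`, or be placed behind a tunable that defaults to off. The same applies to `storage_raw_write_removable_device(virtd_t)` in a later virt.te hunk, which is granted unconditionally while the NFS and CIFS access added at the end of the file is gated by tunables.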
@@ -35383,6 +35697,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir } )
+
++manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
++
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
@@ -35425,6 +35741,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+
++fs_list_auto_mountpoints(virtd_t)
++
++storage_raw_write_removable_device(virtd_t)
++storage_raw_read_removable_device(virtd_t)
++
++term_getattr_pty_fs(virtd_t)
++term_use_ptmx(virtd_t)
++
+libs_use_ld_so(virtd_t)
+libs_use_shared_libs(virtd_t)
+
@@ -35467,6 +35791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+
+optional_policy(`
+ polkit_domtrans_auth(virtd_t)
++ polkit_domtrans_resolve(virtd_t)
+')
+
+optional_policy(`
@@ -35484,9 +35809,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+')
++
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(virtd_t)
++ fs_manage_nfs_files(virtd_t)
++ fs_read_nfs_symlinks(virtd_t)
++')
++
++tunable_policy(`virt_use_samba',`
++ fs_manage_nfs_files(virtd_t)
++ fs_manage_cifs_files(virtd_t)
++ fs_read_cifs_symlinks(virtd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2007-06-21 09:32:04.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-04-21 11:02:50.616500000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/xen.if 2008-04-21 11:02:50.000000000 -0400
@@ -167,11 +167,14 @@
#
interface(`xen_stream_connect',`
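Review bot: Inside the virt_use_samba block the first call is `fs_manage_nfs_files(virtd_t)`, which looks like a copy-paste from the virt_use_nfs block above it. As written, enabling the Samba boolean grants management of NFS files and leaves CIFS directories unmanaged, so the line should presumably read `fs_manage_cifs_dirs(virtd_t)`. The `gen_tunable` declarations for virt_use_nfs and virt_use_samba are not visible in this hunk; confirm both are declared in virt.te with a default of false.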
@@ -35530,7 +35867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.3.1/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-04-21 11:02:50.622495000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/xen.te 2008-04-21 11:02:50.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
@@ -35720,17 +36057,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.fc serefpolicy-3.3.1/policy/modules/users/auditadm.fc
--- nsaserefpolicy/policy/modules/users/auditadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2008-04-21 11:02:50.628489000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/auditadm.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No auditadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.if serefpolicy-3.3.1/policy/modules/users/auditadm.if
--- nsaserefpolicy/policy/modules/users/auditadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/auditadm.if 2008-04-21 11:02:50.632485000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/auditadm.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for auditadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditadm.te serefpolicy-3.3.1/policy/modules/users/auditadm.te
--- nsaserefpolicy/policy/modules/users/auditadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/auditadm.te 2008-04-21 11:02:50.636481000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/auditadm.te 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,25 @@
+policy_module(auditadm,1.0.1)
+gen_require(`
@@ -35759,17 +36096,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/auditad
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.fc serefpolicy-3.3.1/policy/modules/users/guest.fc
--- nsaserefpolicy/policy/modules/users/guest.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/guest.fc 2008-04-21 11:02:50.640477000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/guest.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No guest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.if serefpolicy-3.3.1/policy/modules/users/guest.if
--- nsaserefpolicy/policy/modules/users/guest.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/guest.if 2008-04-21 11:02:50.644475000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/guest.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for guest user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.3.1/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/guest.te 2008-04-21 11:02:50.649467000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/guest.te 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,21 @@
+policy_module(guest,1.0.1)
+userdom_restricted_user_template(guest)
@@ -35794,17 +36131,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.3.1/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/logadm.fc 2008-04-21 11:02:50.653465000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/logadm.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No logadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.3.1/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/logadm.if 2008-04-21 11:02:50.658459000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/logadm.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for logadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.3.1/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/logadm.te 2008-04-21 11:02:50.662457000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/logadm.te 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,11 @@
+policy_module(logadm,1.0.0)
+
@@ -35819,22 +36156,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
+logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/metadata.xml serefpolicy-3.3.1/policy/modules/users/metadata.xml
--- nsaserefpolicy/policy/modules/users/metadata.xml 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/metadata.xml 2008-04-21 11:02:50.666453000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/metadata.xml 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+Policy modules for users
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.fc serefpolicy-3.3.1/policy/modules/users/secadm.fc
--- nsaserefpolicy/policy/modules/users/secadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/secadm.fc 2008-04-21 11:02:50.669451000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/secadm.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No secadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.if serefpolicy-3.3.1/policy/modules/users/secadm.if
--- nsaserefpolicy/policy/modules/users/secadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/secadm.if 2008-04-21 11:02:50.672448000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/secadm.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for secadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.te serefpolicy-3.3.1/policy/modules/users/secadm.te
--- nsaserefpolicy/policy/modules/users/secadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/secadm.te 2008-04-21 11:02:50.676440000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/secadm.te 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,39 @@
+policy_module(secadm,1.0.1)
+gen_require(`
@@ -35877,17 +36214,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/secadm.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.fc serefpolicy-3.3.1/policy/modules/users/staff.fc
--- nsaserefpolicy/policy/modules/users/staff.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.fc 2008-04-21 11:02:50.690428000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/staff.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No staff file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.if serefpolicy-3.3.1/policy/modules/users/staff.if
--- nsaserefpolicy/policy/modules/users/staff.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.if 2008-04-21 11:02:50.727392000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/staff.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-24 15:09:37.398476000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-24 15:09:37.000000000 -0400
@@ -0,0 +1,23 @@
+policy_module(staff,1.0.1)
+userdom_admin_login_user_template(staff)
@@ -35914,17 +36251,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.3.1/policy/modules/users/user.fc
--- nsaserefpolicy/policy/modules/users/user.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.fc 2008-04-21 11:02:50.738381000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/user.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No user file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if serefpolicy-3.3.1/policy/modules/users/user.if
--- nsaserefpolicy/policy/modules/users/user.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.if 2008-04-21 11:02:50.741379000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/user.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for user user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te
--- nsaserefpolicy/policy/modules/users/user.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-04-24 15:09:03.056815000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/user.te 2008-04-24 15:09:03.000000000 -0400
@@ -0,0 +1,18 @@
+policy_module(user,1.0.1)
+userdom_unpriv_user_template(user)
@@ -35946,17 +36283,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc
--- nsaserefpolicy/policy/modules/users/webadm.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/webadm.fc 2008-04-21 11:02:50.749370000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/webadm.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No webadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.if serefpolicy-3.3.1/policy/modules/users/webadm.if
--- nsaserefpolicy/policy/modules/users/webadm.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/webadm.if 2008-04-21 11:02:50.752367000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/webadm.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for webadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.3.1/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/webadm.te 2008-04-21 11:02:50.755365000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/webadm.te 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,41 @@
+policy_module(webadm,1.0.0)
+
@@ -36001,17 +36338,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+userdom_role_change_template(staff, webadm)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.3.1/policy/modules/users/xguest.fc
--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/xguest.fc 2008-04-21 11:02:50.758364000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/xguest.fc 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+# No xguest file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.3.1/policy/modules/users/xguest.if
--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/xguest.if 2008-04-21 11:02:50.763355000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/xguest.if 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1 @@
+## Policy for xguest user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.3.1/policy/modules/users/xguest.te
--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-04-21 11:02:50.768353000 -0400
++++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-04-21 11:02:50.000000000 -0400
@@ -0,0 +1,66 @@
+policy_module(xguest,1.0.1)
+
@@ -36081,7 +36418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.3.1/policy/support/file_patterns.spt
--- nsaserefpolicy/policy/support/file_patterns.spt 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.3.1/policy/support/file_patterns.spt 2008-04-21 11:02:50.774346000 -0400
++++ serefpolicy-3.3.1/policy/support/file_patterns.spt 2008-04-21 11:02:50.000000000 -0400
@@ -537,3 +537,23 @@
allow $1 $2:dir rw_dir_perms;
type_transition $1 $2:$4 $3;
@@ -36108,7 +36445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-04-21 11:02:50.781336000 -0400
++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-04-21 11:02:50.000000000 -0400
@@ -315,3 +315,13 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
@@ -36125,7 +36462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3.1/policy/users
--- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.3.1/policy/users 2008-04-21 11:02:50.786332000 -0400
++++ serefpolicy-3.3.1/policy/users 2008-04-21 11:02:50.000000000 -0400
@@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ed2863c..24b7dfe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 41%{?dist}
+Release: 43%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,14 @@ exit 0
%endif
%changelog
+* Mon Apr 28 2008 Dan Walsh 3.3.1-43
+- Remove old booleans from targeted-booleans.conf file
+
+* Fri Apr 25 2008 Dan Walsh 3.3.1-42
+- Add boolean to mmap_zero
+- allow tor setgid
+- Allow gnomeclock to set clock
+
* Thu Apr 24 2008 Dan Walsh 3.3.1-41
- Don't run crontab from unconfined_t