diff --git a/policy-20070703.patch b/policy-20070703.patch
index 041063d..d8856fd 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -2198,7 +2198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-18 13:19:26.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-19 10:15:22.000000000 -0400
@@ -22,7 +22,7 @@
# Local policy
#
@@ -3650,7 +3650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-19 11:01:04.000000000 -0400
@@ -6,6 +6,22 @@
# Declarations
#
@@ -3674,7 +3674,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Mark process types as domains
attribute domain;
-@@ -134,3 +150,22 @@
+@@ -80,6 +96,8 @@
+ allow domain self:lnk_file r_file_perms;
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++# Every domain gets the key ring, so we should default to no one allowed to look at it
++kernel_dontaudit_search_key(domain)
+
+ # create child processes in the domain
+ allow domain self:process { fork sigchld };
+@@ -134,3 +152,22 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
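Review bot: The comment added above `kernel_dontaudit_search_key(domain)` overstates what the rule does: a dontaudit rule denies nothing, it only suppresses the AVC record for a `search` denial the policy already produces, so it changes audit visibility rather than access. Because it is attached to the `domain` attribute, any confined domain that legitimately needs to search the kernel keyring will now fail silently instead of surfacing in the audit log or in audit2allow output, which is worth stating explicitly. Suggest rewording to `# Every domain has a keyring and searching the kernel keyring is denied by default; silence the noisy AVC rather than widen access` so the intent (noise reduction, not a new default-deny) is clear.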
@@ -4264,8 +4273,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-08 11:25:43.000000000 -0400
-@@ -80,6 +80,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-19 10:04:10.000000000 -0400
+@@ -29,6 +29,7 @@
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -80,6 +81,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
@@ -4273,7 +4290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
-@@ -116,6 +117,7 @@
+@@ -116,6 +118,7 @@
type ramfs_t;
fs_type(ramfs_t)
@@ -4281,7 +4298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
type romfs_t;
-@@ -133,6 +135,11 @@
+@@ -133,6 +136,11 @@
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -4295,7 +4312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-19 11:00:20.000000000 -0400
@@ -352,6 +352,24 @@
########################################
@@ -6882,14 +6899,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-19 10:47:35.000000000 -0400
@@ -94,3 +94,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
+
+optional_policy(`
-+ virt_rw_lib_files(dnsmasq_t)
++ virt_manage_lib_files(dnsmasq_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400
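Review bot: Switching dnsmasq_t from `virt_rw_lib_files` to `virt_manage_lib_files` widens its access on virt_var_lib_t from read/write to the full manage set (the new interface in the virt.if hunk further down uses `manage_files_pattern`, which adds create, unlink, rename and setattr), and nothing in the hunk records why dnsmasq needs to create or remove files under the libvirt library directory; the changelog entry says only "Fix dnsmasq". A comment above the `optional_policy` block naming the concrete file dnsmasq writes, e.g. `# dnsmasq started by libvirt rewrites its lease file under virt_var_lib_t (create/unlink) — TODO confirm which file`, would let a later reviewer judge whether read/write plus a file transition would have sufficed. The optional_policy block itself is complete within the hunk.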
@@ -7703,7 +7720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-10 09:28:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-19 10:51:35.000000000 -0400
@@ -53,6 +53,8 @@
allow inetd_t inetd_var_run_t:file manage_file_perms;
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
@@ -7713,7 +7730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
kernel_read_kernel_sysctls(inetd_t)
kernel_list_proc(inetd_t)
kernel_read_proc_symlinks(inetd_t)
-@@ -80,16 +82,21 @@
+@@ -80,16 +82,22 @@
corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
@@ -7721,6 +7738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
++corenet_tcp_bind_ircd_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
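Review bot: `corenet_tcp_bind_ircd_port(inetd_t)` is added with no comment and no mention in the spec %changelog, which lists only the dnsmasq and rshd changes for 3.0.8-27. Each `corenet_*_bind_*_port` call enlarges the listening surface inetd may expose, so the file's existing convention of one bare call per port makes it hard to tell later which service motivated it; a short trailing comment such as `corenet_tcp_bind_ircd_port(inetd_t)   # for the inetd-launched ircd service — TODO name it` would record the reason. The run of bind calls continues outside the hunk.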
@@ -7735,7 +7753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
corenet_udp_bind_tftp_port(inetd_t)
corenet_tcp_bind_ssh_port(inetd_t)
-@@ -132,8 +139,10 @@
+@@ -132,8 +140,10 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
@@ -7746,19 +7764,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
mls_process_set_level(inetd_t)
sysnet_read_config(inetd_t)
-@@ -141,6 +150,11 @@
+@@ -141,6 +151,11 @@
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
+ifdef(`enable_mls',`
-+ corenet_tcp_recv_netlabel(inetd_t)
-+ corenet_udp_recv_netlabel(inetd_t)
++ corenet_tcp_recvfrom_netlabel(inetd_t)
++ corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
optional_policy(`
amanda_search_lib(inetd_t)
')
-@@ -170,6 +184,9 @@
+@@ -170,6 +185,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@@ -7768,7 +7786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -212,13 +229,10 @@
+@@ -212,13 +230,10 @@
')
optional_policy(`
@@ -9999,7 +10017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-18 18:33:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-19 10:15:23.000000000 -0400
@@ -16,10 +16,11 @@
#
# Local policy
@@ -10023,13 +10041,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
-@@ -44,28 +48,44 @@
+@@ -44,28 +48,42 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
-+auth_use_nsswitch(rshd_t)
- auth_domtrans_chk_passwd(rshd_t)
-+auth_domtrans_upd_passwd_chk(rshd_t)
+-auth_domtrans_chk_passwd(rshd_t)
++auth_login_pgm_domain(rshd_t)
+auth_search_key(rshd_t)
+auth_write_login_records(rshd_t)
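Review bot: Replacing `auth_use_nsswitch`, `auth_domtrans_chk_passwd` and `auth_domtrans_upd_passwd_chk` with a single `auth_login_pgm_domain(rshd_t)` grants rshd_t what appears, from the authlogin.if hunks further down, to be the whole login-program bundle (kernel_write_proc_files, auth_keyring_domain plus `key { search link }` on keyring_type, mls_fd_share_all_levels, selinux_* context computation), which is considerably more than the three calls it replaces, and the only rationale recorded is the changelog line "Allow rshd full login privs". If auth_keyring_domain is now granted through that bundle, the `auth_search_key(rshd_t)` line kept directly below may be redundant — worth confirming. Suggest a comment above the call, e.g. `# rshd runs a full PAM login (auth, session, keyring setup); use the login-program bundle rather than piecemeal auth_* calls`, so the widening is deliberate on its face. The rshd_t local-policy section continues outside the hunk.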
@@ -10071,7 +10088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
fs_read_nfs_symlinks(rshd_t)
-@@ -76,15 +96,3 @@
+@@ -76,15 +94,3 @@
fs_read_cifs_symlinks(rshd_t)
')
@@ -12190,7 +12207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-18 17:06:56.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-19 08:20:05.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -12222,14 +12239,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +178,32 @@
+@@ -176,11 +178,31 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_write_proc_files($1)
+
-+
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+
@@ -12255,7 +12271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +219,40 @@
+@@ -196,22 +218,40 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -12297,7 +12313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -309,9 +350,6 @@
+@@ -309,9 +349,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -12307,7 +12323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +367,8 @@
+@@ -329,6 +366,8 @@
optional_policy(`
kerberos_use($1)
@@ -12316,7 +12332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -347,6 +387,37 @@
+@@ -347,6 +386,37 @@
########################################
##
@@ -12354,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -695,6 +766,24 @@
+@@ -695,6 +765,24 @@
########################################
##
@@ -12379,7 +12395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
##
##
-@@ -1318,16 +1407,14 @@
+@@ -1318,16 +1406,14 @@
##
#
interface(`auth_use_nsswitch',`
@@ -12399,7 +12415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -1347,6 +1434,8 @@
+@@ -1347,6 +1433,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -12408,7 +12424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -1381,3 +1470,163 @@
+@@ -1381,3 +1469,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -15668,7 +15684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-18 16:48:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 10:29:16.000000000 -0400
@@ -5,36 +5,48 @@
#
# Declarations
@@ -15725,7 +15741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +54,30 @@
+@@ -42,37 +54,29 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15738,7 +15754,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-unconfined_domain(unconfined_t)
-
-+userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
optional_policy(`
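Review bot: Dropping the `+userdom_unconfined(unconfined_t)` line from the patch leaves this hunk removing `unconfined_domain(unconfined_t)` with no visible replacement, so as far as this hunk shows nothing now grants unconfined_t the unconfined privilege set. If the attribute is granted elsewhere (the declarations hunk at `@@ -5,36 +5,48 @@` is the likely place, but it is outside this view), a comment such as `# unconfined_t is made unconfined via the declarations above` at the point of removal would stop the next reader from treating this as an accidental loss of privilege — or, if nothing else grants it, the policy would fail to make unconfined_t unconfined, which the spec changelog for 3.0.8-27 does not mention. The unconfined_t local policy continues on both sides of the hunk.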
@@ -15771,7 +15786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -107,6 +112,10 @@
+@@ -107,6 +111,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -15782,7 +15797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -118,11 +127,11 @@
+@@ -118,11 +126,11 @@
')
optional_policy(`
@@ -15796,7 +15811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -134,11 +143,7 @@
+@@ -134,11 +142,7 @@
')
optional_policy(`
@@ -15809,7 +15824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -155,32 +160,23 @@
+@@ -155,32 +159,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15846,7 +15861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -205,11 +201,22 @@
+@@ -205,11 +200,22 @@
')
optional_policy(`
@@ -15871,7 +15886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -225,8 +232,21 @@
+@@ -225,8 +231,21 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
@@ -17456,8 +17471,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.f
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-10-03 11:10:25.000000000 -0400
-@@ -0,0 +1,58 @@
++++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-10-19 10:47:26.000000000 -0400
+@@ -0,0 +1,78 @@
+## Virtualization
+
+########################################
@@ -17516,6 +17531,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+ files_list_var_lib($1)
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
++
++########################################
++##
++## Allow the specified domain to manage
++## virt library files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`virt_manage_lib_files',`
++ gen_require(`
++ type virt_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/virt.te 2007-10-03 11:10:25.000000000 -0400
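Review bot: The parameter description in the new `virt_manage_lib_files` interface reads `## Domain allowed to transition.`, which is copied from a domtrans-style interface; this interface grants file access, not a domain transition, so it should read `## Domain allowed access.`. The surrounding `##` lines also appear to have lost their XML summary/param tags, so the generated interface documentation will be malformed unless that is an artefact of how the patch was captured — worth checking against the rw variant above it. Since `manage_files_pattern` grants create, unlink, rename and setattr on virt_var_lib_t beyond read/write, the summary could say so explicitly (`## Allow the specified domain to create, read, write, delete and rename virt library files.`) so callers such as dnsmasq_t pick the narrowest interface that fits.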
@@ -17775,7 +17810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+## Policy for webadm user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-10-19 10:27:46.000000000 -0400
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
@@ -17805,7 +17840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+selinux_get_enforce_mode(webadm_t)
-+seutil_domtrans_restorecon(webadm_t)
++seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fcdf473..d4f336e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 26%{?dist}
+Release: 27%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,10 @@ exit 0
%endif
%changelog
+* Fri Oct 17 2007 Dan Walsh 3.0.8-27
+- Fix dnsmasq
+- Allow rshd full login privs
+
* Thu Oct 16 2007 Dan Walsh 3.0.8-26
- Allow rshd to connect to ports > 1023