diff --git a/modules-minimum.conf b/modules-minimum.conf
index 9fac6fc..6ca38d7 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1130,6 +1130,13 @@ sendmail = base
samba = module
# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+# Layer: apps
# Module: screen
#
# GNU terminal multiplexer
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 9fac6fc..6ca38d7 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1130,6 +1130,13 @@ sendmail = base
samba = module
# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+# Layer: apps
# Module: screen
#
# GNU terminal multiplexer
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 2fe1e1d..7678c1a 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -5466,6 +5466,84 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# qemu_unconfined local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
+--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-04 09:44:32.000000000 -0500
+@@ -0,0 +1,4 @@
++/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
++
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
+--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-04 10:25:22.000000000 -0500
+@@ -0,0 +1,2 @@
++## system-config-samba policy
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
+--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-04 10:21:56.000000000 -0500
+@@ -0,0 +1,60 @@
++policy_module(sambagui,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sambagui_t;
++type sambagui_exec_t;
++
++dbus_system_domain(sambagui_t, sambagui_exec_t)
++
++########################################
++#
++# system-config-samba local policy
++#
++
++allow sambagui_t self:fifo_file rw_fifo_file_perms;
++
++# handling with samba conf files
++samba_append_log(sambagui_t)
++samba_manage_config(sambagui_t)
++samba_manage_var_files(sambagui_t)
++samba_initrc_domtrans(sambagui_t)
++samba_domtrans_smb(sambagui_t)
++samba_domtrans_nmb(sambagui_t)
++
++# execut apps of system-config-samba
++corecmd_exec_shell(sambagui_t)
++corecmd_exec_bin(sambagui_t)
++
++files_read_etc_files(sambagui_t)
++files_search_var_lib(sambagui_t)
++files_search_usr(sambagui_t)
++
++fs_list_inotifyfs(sambagui_t)
++
++libs_use_ld_so(sambagui_t)
++libs_use_shared_libs(sambagui_t)
++
++# reading shadow by pdbedit
++#auth_read_shadow(sambagui_t)
++
++miscfiles_read_localization(sambagui_t)
++
++# read meminfo
++kernel_read_system_state(sambagui_t)
++
++dev_dontaudit_read_urand(sambagui_t)
++nscd_dontaudit_search_pid(sambagui_t)
++
++optional_policy(`
++ consoletype_exec(sambagui_t)
++')
++
++optional_policy(`
++ polkit_dbus_chat(sambagui_t)
++')
++
++permissive sambagui_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400
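Review bot: `permissive sambagui_t;` at the end of the new sambagui.te makes every other rule in the file advisory — denials are logged, not enforced — so the D-Bus mechanism runs effectively unconfined while the file also hands it `corecmd_exec_shell`, `corecmd_exec_bin`, `samba_manage_config`, `samba_initrc_domtrans` and direct `samba_domtrans_smb`/`samba_domtrans_nmb`. If permissive is a bring-up aid, say so above it, e.g. `# TODO(review): drop permissive once system-config-samba has been run in enforcing mode`, so it is not shipped indefinitely. The direct transitions into smbd_t/nmbd_t next to the initrc transition also deserve a why-comment, since a daemon started that way inherits the mechanism's environment and descriptors rather than being managed by init. The commented-out `#auth_read_shadow(sambagui_t)` should become either a real rule or the corresponding dontaudit with a one-line reason, rather than dead text. sambagui.if is an empty stub, so no other module can transition to or exchange D-Bus messages with sambagui_t through a public interface, and sambagui.fc ends with three blank lines that can go.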
@@ -6275,8 +6353,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-28 10:56:19.000000000 -0400
-@@ -79,6 +79,7 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-04 09:01:51.000000000 -0500
+@@ -79,11 +79,13 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -6284,7 +6362,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
-@@ -93,6 +94,7 @@
+ network_port(comsat, udp,512,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
++portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dbskkd, tcp,1178,s0)
+@@ -93,6 +95,7 @@
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
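Review bot: The bare `portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)` line carries no comment saying why a twenty-port range is needed, unlike the individual ports in the `network_port(cyphesis, ...)` line above it; every domain granted cyphesis_port_t gains bind/connect on the whole range. A one-line comment naming the purpose, e.g. `# cyphesis additional client ports` (or whatever the range actually serves), would let a later reader judge whether the range is still right or can be narrowed.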
@@ -6292,7 +6376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -117,6 +119,8 @@
+@@ -117,6 +120,8 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -6301,7 +6385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -126,6 +130,7 @@
+@@ -126,6 +131,7 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -6309,7 +6393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -137,11 +142,13 @@
+@@ -137,11 +143,13 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
@@ -6323,7 +6407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -159,9 +166,10 @@
+@@ -159,9 +167,10 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6335,7 +6419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,13 +178,16 @@
+@@ -170,13 +179,16 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -12157,16 +12241,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-10-30 14:43:22.000000000 -0400
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-04 08:52:09.000000000 -0500
+@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
-+/etc/pki/certmaster(/.*)? gen_context(system_u:object_r:certmaster_cert_t,s0)
-+
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
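Review bot: Dropping the `/etc/pki/certmaster(/.*)?` entry leaves certmaster's key and certificate directory with whatever label the generic /etc/pki entry gives it — presumably the broad certificate type that many domains can read — rather than a dedicated certmaster_cert_t, which widens who can read anything private stored there. If certmaster_cert_t was removed from certmaster.te at the same time (not visible in this chunk) this is consistent; otherwise the type is now declared but no file ever receives it. Since the changelog calls this a file-context fix, a short comment in the .fc, e.g. `# /etc/pki/certmaster is labeled by the generic /etc/pki entry on purpose`, would record that the fallback is intended.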
@@ -12641,7 +12723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-04 09:40:18.000000000 -0500
@@ -38,3 +38,24 @@
allow $1 consolekit_t:dbus send_msg;
allow consolekit_t $1:dbus send_msg;
@@ -14081,6 +14163,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
+--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500
+@@ -1 +1,6 @@
+ /usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
++
++/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
++
++/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
++
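Review bot: The new `/var/log/cyphesis(/.*)?` and `/var/run/cyphesis(/.*)?` entries only label what restorecon finds on disk; if cyphesis_t creates those directories at runtime they will come out as the parent's type unless cyphesis.te (outside this chunk) declares cyphesis_log_t and cyphesis_run_t and adds matching `logging_log_filetrans` / `files_pid_filetrans` rules. Worth confirming in the .te half of the change, and the trailing blank lines at the end of the file can be dropped.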
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400
@@ -18567,8 +18659,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-10-28 10:56:19.000000000 -0400
-@@ -0,0 +1,213 @@
++++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-04 09:56:57.000000000 -0500
+@@ -0,0 +1,233 @@
+
+## policy for polkit_auth
+
@@ -18782,9 +18874,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ polkit_read_lib($2)
+')
+
++########################################
++##
++## Send and receive messages from
++## polkit over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`polkit_dbus_chat',`
++ gen_require(`
++ type polkit_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 polkit_t:dbus send_msg;
++ allow polkit_t $1:dbus send_msg;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-04 09:58:08.000000000 -0500
@@ -0,0 +1,231 @@
+policy_module(polkit_auth, 1.0.0)
+
@@ -21515,11 +21627,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-10-28 10:56:19.000000000 -0400
-@@ -52,6 +52,25 @@
- ##
- ##
- #
++++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 10:21:25.000000000 -0500
+@@ -44,6 +44,44 @@
+
+ ########################################
+ ##
++## Execute smbd net in the smbd_t domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
+interface(`samba_domtrans_smb',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
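Review bot: The summary for `samba_domtrans_smb` reads `Execute smbd net in the smbd_t domain.`; the word `net` is a leftover from the samba_net description it was copied from and should read `Execute smbd in the smbd_t domain.` The interface body begins here but ends beyond the hunk, so the transition rules themselves are not reviewed.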
@@ -21531,7 +21651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
-+## Execute samba net in the samba_net domain.
++## Execute nmbd net in the nmbd_t domain.
+##
+##
+##
@@ -21539,10 +21659,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
- interface(`samba_domtrans_net',`
- gen_require(`
- type samba_net_t, samba_net_exec_t;
-@@ -63,6 +82,25 @@
++interface(`samba_domtrans_nmb',`
++ gen_require(`
++ type nmbd_t, nmbd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
++')
++
++########################################
++##
+ ## Execute samba net in the samba_net domain.
+ ##
+ ##
+@@ -63,6 +101,25 @@
########################################
##
@@ -21568,7 +21699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
##
-@@ -95,6 +133,38 @@
+@@ -95,6 +152,38 @@
########################################
##
@@ -21607,7 +21738,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute smbmount in the smbmount domain.
##
##
-@@ -331,6 +401,25 @@
+@@ -188,6 +277,28 @@
+
+ ########################################
+ ##
++## Allow the specified domain to read
++## and write samba configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`samba_manage_config',`
++ gen_require(`
++ type samba_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
++ manage_files_pattern($1, samba_etc_t, samba_etc_t)
++')
++
++########################################
++##
+ ## Allow the specified domain to read samba's log files.
+ ##
+ ##
+@@ -331,6 +442,25 @@
########################################
##
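Review bot: The summary on `samba_manage_config` says the domain may "read and write samba configuration files", but the body uses `manage_dirs_pattern`/`manage_files_pattern`, which also grant create, unlink, rename and setattr on everything labeled samba_etc_t; a caller going by the summary will underestimate what it hands out. Change the text to `Allow the specified domain to manage (create, read, write, delete) samba configuration files.` If read/write is all sambagui needs, a separate `samba_rw_config` built on `rw_files_pattern` would be the least-privilege option.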
@@ -21633,7 +21793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow the specified domain to
## read and write samba /var files.
##
-@@ -348,6 +437,7 @@
+@@ -348,6 +478,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
@@ -21641,7 +21801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -420,6 +510,7 @@
+@@ -420,6 +551,7 @@
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -21649,7 +21809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -503,3 +594,190 @@
+@@ -503,3 +635,208 @@
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
')
@@ -21756,6 +21916,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Execute samba server in the samba domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`samba_initrc_domtrans',`
++ gen_require(`
++ type samba_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, samba_initrc_exec_t)
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an samba environment
+##
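Review bot: The summary for `samba_initrc_domtrans` (`Execute samba server in the samba domain.`) does not match the body: `init_labeled_script_domtrans` transitions the caller into the init script domain when it runs a file labeled samba_initrc_exec_t, not into smbd_t. Suggest `Execute the samba init script in the init script domain.` with the parameter described as `Domain allowed to transition.` The hunk ends before the samba_admin interface that follows, so that one is not reviewed here.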
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36b5b72..bce2968 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,11 @@ exit 0
%endif
%changelog
+* Tue Nov 3 2008 Dan Walsh 3.5.13-14
+- Additional fixes for cyphesis
+- Fix certmaster file context
+- Add policy for system-config-samba
+
* Mon Nov 3 2008 Dan Walsh 3.5.13-13
- Allow dhcpc to restart ypbind
- Fixup labeling in /var/run