diff --git a/policy-20071130.patch b/policy-20071130.patch
index a1d2cee..d7307fb 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -1645,7 +1645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.5/policy/modules/apps/ethereal.te
--- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2008-01-11 13:39:25.000000000 -0500
@@ -16,6 +16,13 @@
type tethereal_tmp_t;
files_tmp_file(tethereal_tmp_t)
@@ -1783,7 +1783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.5/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2008-01-11 13:39:51.000000000 -0500
@@ -33,9 +33,60 @@
##
#
@@ -2016,8 +2016,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.5/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2007-12-19 05:38:08.000000000 -0500
-@@ -8,8 +8,15 @@
++++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2008-01-11 13:40:13.000000000 -0500
+@@ -8,8 +8,19 @@
attribute gnomedomain;
@@ -2036,6 +2036,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+
+type user_gconf_tmp_t;
+files_tmp_file(user_gconf_tmp_t)
++
++typealias user_gnome_home_t alias unconfined_gnome_home_t;
++typealias user_gconf_home_t alias unconfined_gconf_home_t;
++typealias user_gconf_tmp_t alias unconfined_gconf_tmp_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc
--- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2008-01-03 16:26:50.000000000 -0500
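Review bot: The three added `typealias` lines in gnome.te carry no comment explaining why the unconfined_* gnome and gconf types are being folded into the user_* types, and the consequence — every rule written against either name now applies to the same type — is easy to miss later. A comment above them such as `# unconfined_* gnome/gconf types are aliases of the user_* types; rules on either name apply to both` would record the intent. Any interface elsewhere that still grants access by an unconfined_* name now reaches user_*-labelled content too, which is worth confirming against those callers.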
@@ -2050,7 +2054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-03 17:11:22.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-11 13:40:51.000000000 -0500
@@ -38,6 +38,10 @@
gen_require(`
type gpg_exec_t, gpg_helper_exec_t;
@@ -3069,7 +3073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
# /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-03 17:10:37.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-11 13:41:19.000000000 -0500
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -3510,7 +3514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.5/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2007-12-19 05:38:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2008-01-11 14:37:00.000000000 -0500
@@ -6,15 +6,15 @@
# Declarations
#
@@ -6014,7 +6018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
+/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.5/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/automount.if 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/automount.if 2008-01-08 15:20:43.000000000 -0500
@@ -74,3 +74,21 @@
dontaudit $1 automount_tmp_t:dir getattr;
@@ -6786,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.5/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/cups.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/cups.te 2008-01-10 16:16:06.000000000 -0500
@@ -43,14 +43,12 @@
type cupsd_var_run_t;
@@ -6931,9 +6935,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
auth_use_nsswitch(cupsd_t)
libs_use_ld_so(cupsd_t)
-@@ -220,16 +230,19 @@
+@@ -219,17 +229,22 @@
+ miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
++sysnet_exec_ifconfig(cupsd_t)
-sysnet_read_config(cupsd_t)
-
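Review bot: `sysnet_exec_ifconfig(cupsd_t)` runs ifconfig inside cupsd_t rather than transitioning to the ifconfig domain, so whatever privilege ifconfig needs when cups invokes it must be granted to cupsd_t itself, and the hunk gives no hint which cups code path calls it. If a transition is workable, `sysnet_domtrans_ifconfig(cupsd_t)` keeps that work out of the cups domain; otherwise a comment like `# cups must run ifconfig in-domain because <reason — TODO confirm>` should say why the exec form was chosen. The same point applies to `lpd_exec_lpr(cupsd_t)` added in the following `@@ -6944,6 +6950,7 @@` hunk, where `lpd_domtrans_lpr` is the transitioning alternative. The cupsd_t policy block continues outside both hunks.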
@@ -6944,6 +6950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# Write to /var/spool/cups.
lpd_manage_spool(cupsd_t)
+lpd_read_config(cupsd_t)
++lpd_exec_lpr(cupsd_t)
ifdef(`enable_mls',`
lpd_relabel_spool(cupsd_t)
@@ -6953,7 +6960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -242,12 +255,21 @@
+@@ -242,12 +257,21 @@
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -6975,7 +6982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -263,6 +285,10 @@
+@@ -263,6 +287,10 @@
')
optional_policy(`
@@ -6986,7 +6993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -326,6 +352,7 @@
+@@ -326,6 +354,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -6994,7 +7001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -372,6 +399,10 @@
+@@ -372,6 +401,10 @@
')
optional_policy(`
@@ -7005,7 +7012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -387,6 +418,7 @@
+@@ -387,6 +420,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -7013,7 +7020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -499,14 +531,12 @@
+@@ -499,14 +533,12 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -7032,7 +7039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -537,14 +567,14 @@
+@@ -537,14 +569,14 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -7049,7 +7056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
-@@ -565,6 +595,7 @@
+@@ -565,6 +597,7 @@
userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
@@ -8500,7 +8507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-11 14:28:39.000000000 -0500
@@ -133,6 +133,12 @@
sendmail_create_log($1_mail_t)
')
@@ -8514,23 +8521,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
#######################################
-@@ -217,6 +223,15 @@
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_mail_t)
+@@ -219,6 +225,11 @@
fs_manage_cifs_symlinks($1_mail_t)
-+ fs_manage_cifs_files(mailserver_delivery)
-+ fs_manage_cifs_symlinks(mailserver_delivery)
-+ ')
-+
+ ')
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files($1_mail_t)
+ fs_manage_nfs_symlinks($1_mail_t)
-+ fs_manage_nfs_files(mailserver_delivery)
-+ fs_manage_nfs_symlinks(mailserver_delivery)
- ')
-
++ ')
++
optional_policy(`
-@@ -305,6 +320,42 @@
+ allow $1_mail_t self:capability dac_override;
+
+@@ -305,6 +316,42 @@
########################################
##
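Review bot: `allow $1_mail_t self:capability dac_override;` is added to the per-role mail template with no comment naming the operation that fails without it, and because it is in the template it lands in every role's mail domain. dac_override bypasses DAC permission checks outright; if the need is only to search or read directories the mail user cannot otherwise access, `dac_read_search` is the narrower capability, and if it stems from home directories on NFS/CIFS it belongs inside the tunable_policy blocks just above it rather than unconditionally. At minimum add `# dac_override needed for <operation> — TODO confirm` above the allow. The template body runs past both ends of this hunk.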
@@ -8573,7 +8576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Modified mailserver interface for
## sendmail daemon use.
##
-@@ -383,11 +434,13 @@
+@@ -383,11 +430,13 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -8587,7 +8590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
optional_policy(`
-@@ -422,6 +475,7 @@
+@@ -422,6 +471,7 @@
# apache should set close-on-exec
apache_dontaudit_rw_stream_sockets($1)
apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -8595,7 +8598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
')
-@@ -438,20 +492,18 @@
+@@ -438,20 +488,18 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
@@ -8622,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
-@@ -586,6 +638,25 @@
+@@ -586,6 +634,25 @@
files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr };
')
@@ -8648,7 +8651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
#######################################
##
-@@ -837,6 +908,25 @@
+@@ -837,6 +904,25 @@
########################################
##
@@ -8676,7 +8679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -8755,7 +8758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,6 +158,14 @@
+@@ -136,11 +158,30 @@
')
optional_policy(`
@@ -8770,6 +8773,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
smartmon_read_tmp_files(system_mail_t)
')
+-# should break this up among sections:
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_dirs(mailserver_delivery)
++ fs_manage_cifs_files(mailserver_delivery)
++ fs_manage_cifs_symlinks(mailserver_delivery)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(mailserver_delivery)
++ fs_manage_nfs_files(mailserver_delivery)
++ fs_manage_nfs_symlinks(mailserver_delivery)
++')
+
++# should break this up among sections:
+ optional_policy(`
+ # why is mail delivered to a directory of type arpwatch_data_t?
+ arpwatch_search_data(mailserver_delivery)
+@@ -154,3 +195,4 @@
+ cron_read_system_job_tmp_files(mta_user_agent)
+ ')
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500
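Review bot: The new tunable_policy blocks grant `fs_manage_cifs_dirs`/`_files`/`_symlinks` and the nfs equivalents to the whole mailserver_delivery attribute on every CIFS or NFS mount, not only home directories as the tunable names suggest, and the `_dirs` calls widen what the removed per-role rules in mta.if granted (those had only `_files` and `_symlinks`). That is a manage grant (create, unlink, rename) to every delivery agent, tied to booleans sites enable for unrelated reasons; if delivery agents only write mailboxes, confirm whether the `_dirs` calls are actually required. A comment such as `# delivery agents write user mailboxes on network-mounted home dirs — TODO confirm` above the first block would document the intent. The trailing `++` at the end of the mta.te hunk only appends a blank line at end of file.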
@@ -9905,7 +9930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-08 16:12:40.000000000 -0500
@@ -416,7 +416,7 @@
##
##
@@ -9944,7 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2008-01-11 14:27:52.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
#
@@ -10098,6 +10123,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix virtual local policy
+@@ -584,3 +618,4 @@
+ # For reading spamassasin
+ mta_read_config(postfix_virtual_t)
+ mta_manage_spool(postfix_virtual_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 2007-12-19 05:38:09.000000000 -0500
@@ -10201,6 +10231,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# postgresql Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.5/policy/modules/services/postgrey.te
+--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postgrey.te 2008-01-08 16:15:30.000000000 -0500
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+
+-allow postgrey_t self:capability { chown setgid setuid };
++allow postgrey_t self:capability { chown dac_override setgid setuid };
+ dontaudit postgrey_t self:capability sys_tty_config;
+ allow postgrey_t self:process signal_perms;
+ allow postgrey_t self:tcp_socket create_stream_socket_perms;
+@@ -85,6 +85,11 @@
+ ')
+
+ optional_policy(`
++ postfix_read_config(postgrey_t)
++ postfix_read_spool_files(postgrey_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(postgrey_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500
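Review bot: `allow postgrey_t self:capability { chown dac_override setgid setuid };` widens postgrey to bypass all DAC file permission checks, and nothing in the hunk says which access requires it; the `postfix_read_config`/`postfix_read_spool_files` calls added in the same inner diff suggest postfix-owned files may be the trigger, in which case `dac_read_search` would cover a read-only need. Add a comment above the allow, e.g. `# dac_override: <file/operation that needs it> — TODO confirm`, or narrow the capability. The new optional_policy block wrapping the postfix calls is self-contained; the `seutil_sigchld_newrole` block it is inserted ahead of is unchanged.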
@@ -11632,13 +11686,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-09 09:00:58.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
+@@ -9,8 +9,11 @@
+
+ /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
+
++/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
++
+ /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+ /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
+ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-03 12:06:11.000000000 -0500
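Review bot: The new file context `/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)` matches only the exact name, so rotated copies (spamd.log.1 or date-suffixed) would fall back to the generic /var/log context on a relabel while the live file keeps spamd_log_t; the other log entries in refpolicy use a trailing `.*` for this reason. Suggest `/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)`. The hunk also appends an empty line at the end of spamassassin.fc, which looks unintended.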
@@ -12085,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-03 12:54:53.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-09 09:00:24.000000000 -0500
@@ -21,8 +21,9 @@
gen_tunable(spamd_enable_home_dirs,true)
@@ -12097,7 +12163,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
type spamd_t;
type spamd_exec_t;
-@@ -42,7 +43,17 @@
+@@ -31,6 +32,9 @@
+ type spamd_spool_t;
+ files_type(spamd_spool_t)
+
++type spamd_log_t;
++logging_log_file(spamd_log_t)
++
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+
+@@ -42,7 +46,17 @@
files_pid_file(spamd_var_run_t)
type spamassassin_exec_t;
@@ -12116,7 +12192,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
########################################
#
-@@ -81,10 +92,11 @@
+@@ -71,6 +85,9 @@
+ allow spamd_t self:udp_socket create_socket_perms;
+ allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
++manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
++logging_log_filetrans(spamd_t,spamd_log_t,file)
++
+ manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
+ manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t)
+ files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
+@@ -81,10 +98,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
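Review bot: `manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)` lets the daemon unlink, rename and truncate its own log, which is more than a process that only emits log lines needs; if spamd opens /var/log/spamd.log for append, `append_files_pattern` plus a create permission keeps the log tamper-resistant against a compromised spamd — TODO confirm how spamd opens the file. The line also uses `, ` argument separators while the adjacent `logging_log_filetrans(spamd_t,spamd_log_t,file)` and the spool rules below use none; pick one form. The spamd_t block continues outside this hunk.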
@@ -12129,7 +12215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -149,11 +161,31 @@
+@@ -149,11 +167,31 @@
userdom_search_unpriv_users_home_dirs(spamd_t)
userdom_dontaudit_search_sysadm_home_dirs(spamd_t)
@@ -12161,7 +12247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_manage_cifs_files(spamd_t)
')
-@@ -171,6 +203,7 @@
+@@ -171,6 +209,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -12169,7 +12255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -212,3 +245,206 @@
+@@ -212,3 +251,206 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -14139,7 +14225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-11 14:30:57.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -14160,18 +14246,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
-@@ -121,6 +127,10 @@
+@@ -121,6 +127,11 @@
logging_send_syslog_msg(pam_t)
userdom_use_unpriv_users_fds(pam_t)
+userdom_write_unpriv_users_tmp_files(pam_t)
+userdom_unlink_unpriv_users_tmp_files(pam_t)
-+userdom_read_unpriv_users_home_content_files(pam_t)
++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
++userdom_dontaudit_write_user_home_content_files(user, pam_t)
+userdom_append_unpriv_users_home_content_files(pam_t)
optional_policy(`
locallogin_use_fds(pam_t)
-@@ -279,8 +289,10 @@
+@@ -279,8 +290,10 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
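Review bot: `userdom_dontaudit_write_user_home_content_files(user, pam_t)` is written against the `user` role prefix only, while the surrounding lines use the role-independent `unpriv_users` forms (`userdom_dontaudit_read_unpriv_users_home_content_files`, `userdom_append_unpriv_users_home_content_files`), so write attempts against other unprivileged roles' home content would still be audited; if that asymmetry is deliberate a comment should say so. Replacing `userdom_read_...` with `userdom_dontaudit_read_...` while the append grant stays leaves pam_t appending to home content it is no longer allowed to read, which deserves a comment naming the PAM module that appends, e.g. `# pam_<module> appends to <file> under $HOME — TODO confirm`. The pam_t block continues outside this hunk.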
@@ -14183,7 +14270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
-@@ -329,11 +341,6 @@
+@@ -329,11 +342,6 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fb26e1d..2d8e2d4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@ exit 0
%endif
%changelog
+* Mon Jan 7 2008 Dan Walsh 3.2.5-10
+- dontaudit pam_t and dbusd writing to user_home_t
+
* Mon Jan 7 2008 Dan Walsh 3.2.5-9
- Update gpg to allow reading of inotify