diff --git a/modules-mls.conf b/modules-mls.conf
index 330c3bc..625aee3 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -1074,6 +1074,13 @@ staff = base
 # 
 user = base
 
+# Layer: services
+# Module: prelude
+#
+# 
+# 
+prelude = module
+
 # Layer: users
 # Module: secadm
 #
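Review bot: The `prelude = module` entry is headed `# Layer: services` but is inserted between the `user` entry and the `secadm` entry of the users layer (L7, L16-L17), so the layer grouping of this file is broken at this point. Move the block into the services-layer section so `modules-mls.conf` stays sorted by layer and module like the surrounding entries. The two description lines are left empty, as they are for the neighbouring `user` entry, but a one-line note on what the module confines would help an MLS administrator decide whether it belongs in their build.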
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 03c2bf1..5ba8e2a 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -8,6 +8,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/
  - Label /proc/kallsyms with system_map_t.
  - 64-bit capabilities from Stephen Smalley.
  - Labeled networking peer object class updates.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
++++ serefpolicy-3.3.1/Makefile	2008-04-04 12:06:55.000000000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+ 
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ 	@mkdir -p $(appdir)/users
+ 	$(verbose) $(INSTALL) -m 644 $^ $@
+ 
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++	@mkdir -p $(appdir)
++	$(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ 	@mkdir -p $(appdir)
+ 	$(verbose) $(INSTALL) -m 644 $< $@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular	2008-04-04 12:06:56.000000000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic	2008-04-04 12:06:56.000000000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ 	@echo "Loading $(NAME) $(loadpath)"
+ 	$(verbose) $(LOADPOLICY) -q $(loadpath)
+ 	@touch $(tmpdir)/load
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context	2008-04-04 12:06:55.000000000 -0400
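Review bot: The `parse-rolemap` and `perrole-expansion` macros are reduced to placeholder `echo` lines with their real bodies left as commented-out recipe text (L45-L47, L60-L68), and every remaining call site is commented out as well (L92, L102, L111), so the Makefile now carries dead code while `$(tmpdir)/rolemap.conf` is still a prerequisite of `all_te_files.conf` (L114) even though its recipe only writes an empty line (L109). Delete the commented bodies and replace them with a short comment such as `# per-role template expansion has been removed; the rolemap is no longer consulted`, and if `parse-rolemap` must stay for compatibility keep its one remaining line behind `$(verbose)` like the rest of the recipes. The explicit rule `$(appdir)/initrc_context: $(tmpdir)/initrc_context` (L76-L78) correctly takes precedence over the `$(appdir)/%: $(appconf)/%` pattern rule, but no rule producing `$(tmpdir)/initrc_context` is visible in this hunk; if none exists elsewhere in the Makefile, installing the appconfig files will fail with "No rule to make target".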
@@ -691,62 +791,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile	2008-04-04 12:06:55.000000000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
- 
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
- 
- # parse-rolemap modulename,outputfile
- define parse-rolemap
--	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
--		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+	echo "" >> $2
-+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
- 
- # perrole-expansion modulename,outputfile
- define perrole-expansion
--	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
--	$(call parse-rolemap,$1,$2)
--	$(verbose) echo "')" >> $2
--
--	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
--	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
--	$(call parse-rolemap-compat,$1,$2)
--	$(verbose) echo "')" >> $2
-+	echo "No longer doing perrole-expansion"
-+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+#	$(call parse-rolemap,$1,$2)
-+#	$(verbose) echo "')" >> $2
-+
-+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+#	$(call parse-rolemap-compat,$1,$2)
-+#	$(verbose) echo "')" >> $2
- endef
- 
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- 	@mkdir -p $(appdir)/users
- 	$(verbose) $(INSTALL) -m 644 $^ $@
- 
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+	@mkdir -p $(appdir)
-+	$(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- 	@mkdir -p $(appdir)
- 	$(verbose) $(INSTALL) -m 644 $< $@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
 --- nsaserefpolicy/man/man8/httpd_selinux.8	2008-02-18 14:30:19.000000000 -0500
 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8	2008-04-04 12:06:55.000000000 -0400
@@ -2522,109 +2566,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  	usermanage_domtrans_groupadd(rpm_script_t)
  	usermanage_domtrans_useradd(rpm_script_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-04 12:06:55.000000000 -0400
-@@ -55,7 +55,7 @@
- 	#
- 
- 	# Use capabilities.
--	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- 	allow $1_sudo_t self:process { setexec setrlimit };
- 	allow $1_sudo_t self:fd use;
-@@ -68,33 +68,35 @@
- 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- 	allow $1_sudo_t self:unix_dgram_socket sendto;
- 	allow $1_sudo_t self:unix_stream_socket connectto;
--	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+	allow $1_sudo_t self:key manage_key_perms;
-+	allow $1_sudo_t $1_t:key search;
- 
- 	# Enter this derived domain from the user domain
- 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
- 
- 	# By default, revert to the calling domain when a shell is executed.
- 	corecmd_shell_domtrans($1_sudo_t,$2)
-+	corecmd_bin_domtrans($1_sudo_t,$2)
- 	allow $2 $1_sudo_t:fd use;
- 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
- 	allow $2 $1_sudo_t:process sigchld;
- 
- 	kernel_read_kernel_sysctls($1_sudo_t)
- 	kernel_read_system_state($1_sudo_t)
--	kernel_search_key($1_sudo_t)
-+	kernel_link_key($1_sudo_t)
- 
- 	dev_read_urand($1_sudo_t)
- 
- 	fs_search_auto_mountpoints($1_sudo_t)
- 	fs_getattr_xattr_fs($1_sudo_t)
- 
--	auth_domtrans_chk_passwd($1_sudo_t)
-+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
- 	auth_use_nsswitch($1_sudo_t)
- 
- 	corecmd_read_bin_symlinks($1_sudo_t)
--	corecmd_getattr_all_executables($1_sudo_t)
-+	corecmd_exec_all_executables($1_sudo_t)
- 
- 	domain_use_interactive_fds($1_sudo_t)
- 	domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,42 @@
- 	files_getattr_usr_files($1_sudo_t)
- 	# for some PAM modules and for cwd
- 	files_dontaudit_search_home($1_sudo_t)
-+	files_list_tmp($1_sudo_t)
- 
- 	init_rw_utmp($1_sudo_t)
- 
- 	libs_use_ld_so($1_sudo_t)
- 	libs_use_shared_libs($1_sudo_t)
- 
-+	logging_send_audit_msgs($1_sudo_t)
- 	logging_send_syslog_msg($1_sudo_t)
- 
- 	miscfiles_read_localization($1_sudo_t)
- 
-+	mta_per_role_template($1, $1_sudo_t, $3)
-+
- 	userdom_manage_user_home_content_files($1,$1_sudo_t)
- 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
- 	userdom_manage_user_tmp_files($1,$1_sudo_t)
- 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-+	userdom_exec_user_home_content_files($1,$1_sudo_t)
- 	userdom_use_user_terminals($1,$1_sudo_t)
- 	userdom_use_unpriv_users_fds($1_sudo_t)
- 	# for some PAM modules and for cwd
-+	userdom_search_sysadm_home_content_dirs($1_sudo_t)
- 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- 
--	ifdef(`TODO',`
--	# for when the network connection is killed
--	dontaudit unpriv_userdomain $1_sudo_t:process signal;
--
--	ifdef(`mta.te', `
--	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
--	')
-+	domain_role_change_exemption($1_sudo_t)
-+	userdom_spec_domtrans_all_users($1_sudo_t)
- 
--	') dnl end TODO
-+	selinux_validate_context($1_sudo_t)
-+	selinux_compute_relabel_context($1_sudo_t)
-+	selinux_getattr_fs($1_sudo_t)
-+	seutil_read_config($1_sudo_t)
-+	seutil_search_default_contexts($1_sudo_t)
-+
-+	term_use_all_user_ttys($1_sudo_t)
-+	term_use_all_user_ptys($1_sudo_t)
-+	term_relabel_all_user_ttys($1_sudo_t)
-+	term_relabel_all_user_ptys($1_sudo_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/su.if	2008-04-04 12:06:55.000000000 -0400
@@ -2755,6 +2696,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  ')
  
  #######################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-04 12:06:55.000000000 -0400
+@@ -55,7 +55,7 @@
+ 	#
+ 
+ 	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_sudo_t self:process { setexec setrlimit };
+ 	allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow $1_sudo_t self:unix_dgram_socket sendto;
+ 	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++	allow $1_sudo_t self:key manage_key_perms;
++	allow $1_sudo_t $1_t:key search;
+ 
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+ 
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t,$2)
++	corecmd_bin_domtrans($1_sudo_t,$2)
+ 	allow $2 $1_sudo_t:fd use;
+ 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $2 $1_sudo_t:process sigchld;
+ 
+ 	kernel_read_kernel_sysctls($1_sudo_t)
+ 	kernel_read_system_state($1_sudo_t)
+-	kernel_search_key($1_sudo_t)
++	kernel_link_key($1_sudo_t)
+ 
+ 	dev_read_urand($1_sudo_t)
+ 
+ 	fs_search_auto_mountpoints($1_sudo_t)
+ 	fs_getattr_xattr_fs($1_sudo_t)
+ 
+-	auth_domtrans_chk_passwd($1_sudo_t)
++	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ 	# sudo stores a token in the pam_pid directory
+ 	auth_manage_pam_pid($1_sudo_t)
+ 	auth_use_nsswitch($1_sudo_t)
+ 
+ 	corecmd_read_bin_symlinks($1_sudo_t)
+-	corecmd_getattr_all_executables($1_sudo_t)
++	corecmd_exec_all_executables($1_sudo_t)
+ 
+ 	domain_use_interactive_fds($1_sudo_t)
+ 	domain_sigchld_interactive_fds($1_sudo_t)
+@@ -106,32 +108,42 @@
+ 	files_getattr_usr_files($1_sudo_t)
+ 	# for some PAM modules and for cwd
+ 	files_dontaudit_search_home($1_sudo_t)
++	files_list_tmp($1_sudo_t)
+ 
+ 	init_rw_utmp($1_sudo_t)
+ 
+ 	libs_use_ld_so($1_sudo_t)
+ 	libs_use_shared_libs($1_sudo_t)
+ 
++	logging_send_audit_msgs($1_sudo_t)
+ 	logging_send_syslog_msg($1_sudo_t)
+ 
+ 	miscfiles_read_localization($1_sudo_t)
+ 
++	mta_per_role_template($1, $1_sudo_t, $3)
++
+ 	userdom_manage_user_home_content_files($1,$1_sudo_t)
+ 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_files($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
++	userdom_exec_user_home_content_files($1,$1_sudo_t)
+ 	userdom_use_user_terminals($1,$1_sudo_t)
+ 	userdom_use_unpriv_users_fds($1_sudo_t)
+ 	# for some PAM modules and for cwd
++	userdom_search_sysadm_home_content_dirs($1_sudo_t)
+ 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+ 
+-	ifdef(`TODO',`
+-	# for when the network connection is killed
+-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
+-
+-	ifdef(`mta.te', `
+-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+-	')
++	domain_role_change_exemption($1_sudo_t)
++	userdom_spec_domtrans_all_users($1_sudo_t)
+ 
+-	') dnl end TODO
++	selinux_validate_context($1_sudo_t)
++	selinux_compute_relabel_context($1_sudo_t)
++	selinux_getattr_fs($1_sudo_t)
++	seutil_read_config($1_sudo_t)
++	seutil_search_default_contexts($1_sudo_t)
++
++	term_use_all_user_ttys($1_sudo_t)
++	term_use_all_user_ptys($1_sudo_t)
++	term_relabel_all_user_ttys($1_sudo_t)
++	term_relabel_all_user_ptys($1_sudo_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-04-06 07:10:39.000000000 -0400
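Review bot: `allow $1_sudo_t $1_t:key search;` (L325) names the caller's user domain by the derived name `$1_t`, while every other rule in this template reaches it through the `$2` parameter (L328, L331-L335); it should read `allow $1_sudo_t $2:key search;` so the template is correct for any caller whose user domain is not literally `$1_t`, and so `$1_t` does not have to be added to the template's `gen_require`, which lies outside this hunk. This hunk appears to be the sudo.if block deleted earlier in the file, relocated after su.if, so the content itself is not new to the patch. The widening from `corecmd_getattr_all_executables` to `corecmd_exec_all_executables` (L354-L355), together with `domain_role_change_exemption` and `userdom_spec_domtrans_all_users` (L395-L396), lets `$1_sudo_t` execute every executable type in its own domain except where a transition such as the bin/shell ones at L331-L332 applies; a why-comment like `# sudo may run the requested command in its own domain before changing role/user` would record that this breadth is intended rather than an oversight.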
@@ -4576,7 +4620,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if	2008-04-14 14:18:09.000000000 -0400
 @@ -35,7 +35,10 @@
  template(`mozilla_per_role_template',`
  	gen_require(`
@@ -5091,7 +5135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +HOME_DIR/\.mplayer(/.*)?        gen_context(system_u:object_r:user_mplayer_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.3.1/policy/modules/apps/mplayer.if
 --- nsaserefpolicy/policy/modules/apps/mplayer.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mplayer.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/mplayer.if	2008-04-14 14:24:43.000000000 -0400
 @@ -35,6 +35,7 @@
  template(`mplayer_per_role_template',`
  	gen_require(`
@@ -5178,7 +5222,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
  	')
  
  	domtrans_pattern($2, mplayer_exec_t,$1_mplayer_t)
-@@ -503,8 +506,8 @@
+@@ -478,6 +481,25 @@
+ 
+ ########################################
+ ## <summary>
++##      Execute mplayer in the caller domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++#
++interface(`mplayer_exec',`
++	gen_require(`
++		type mplayer_exec_t;
++	')
++
++	can_exec($1, mplayer_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Read mplayer per user homedir
+ ## </summary>
+ ## <desc>
+@@ -503,8 +525,8 @@
  #
  template(`mplayer_read_user_home_files',`
  	gen_require(`
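Review bot: The doc block of the new `mplayer_exec` interface (L440-L446) is indented with spaces and is closed by a duplicated `#` separator (L447-L448), whereas the neighbouring interface uses a tab after `##` (L459) and a single `#`; match the file's convention so the generated interface documentation stays uniform. Because the body is `can_exec($1, mplayer_exec_t)` (L454) rather than a `domtrans_pattern` like the per-role template at L434, the caller runs mplayer with its own privileges; adding `## No domain transition occurs; mplayer runs with the caller's permissions.` to the summary would stop callers from assuming they get the confined mplayer domain.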
@@ -5572,8 +5642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-10 08:50:50.000000000 -0400
-@@ -0,0 +1,189 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te	2008-04-14 14:25:20.000000000 -0400
+@@ -0,0 +1,198 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -5708,6 +5778,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 +
 +optional_policy(`
++	mplayer_exec(nsplugin_t)
++')
++
++optional_policy(`
 +	unconfined_execmem_signull(nsplugin_t)
 +	unconfined_delete_tmpfs_files(nsplugin_t)
 +')
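Review bot: `mplayer_exec(nsplugin_t)` (L481) runs mplayer inside `nsplugin_t` with no domain transition, so a flaw in mplayer reached through a browser plugin executes with all of nsplugin's permissions instead of in a separate mplayer domain. A why-comment in the optional block, naming the plugin that needs in-domain execution, e.g. `# mplayer-based plugins run the player in-domain; no transition is available here`, would let a later reviewer judge whether the widening is still needed. The rest of the `nsplugin_t` policy this block belongs to lies outside the hunk.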
@@ -5759,10 +5833,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +miscfiles_read_localization(nsplugin_config_t)
 +miscfiles_read_fonts(nsplugin_config_t)
++miscfiles_read_home_fonts(nsplugin_config_t)
 +
 +userdom_search_all_users_home_content(nsplugin_config_t)
 +
 +nsplugin_domtrans(nsplugin_config_t)
++
++optional_policy(`
++	mozilla_read_user_home_files(user, nsplugin_config_t)
++')
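Review bot: `mozilla_read_user_home_files(user, nsplugin_config_t)` (L499) hard-codes the `user` role prefix, so `nsplugin_config_t` can read only the `user`-prefixed mozilla home type; the same config domain invoked from a `staff` or other role would be denied unless a matching call exists elsewhere, which is not visible here (compare the `$1`-parameterised templates in this module, e.g. L464). If every role is intended, use an all-users variant of the interface if one exists or repeat the call per prefix; otherwise record the limitation with a comment such as `# only the user role's mozilla profile is readable from nsplugin_config`.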
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.3.1/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/apps/openoffice.fc	2008-04-04 12:06:55.000000000 -0400
@@ -6586,7 +6665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-04-07 14:56:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc	2008-04-14 15:22:27.000000000 -0400
 @@ -7,11 +7,11 @@
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6668,7 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
-@@ -213,9 +219,10 @@
+@@ -213,9 +219,11 @@
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -6677,10 +6756,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 -/usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/vmware-tools/sbin32(/.*)?      gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vmware-tools/sbin64(/.*)?      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig\.py --	gen_context(system_u:object_r:bin_t,s0)
-@@ -284,3 +291,10 @@
+@@ -284,3 +292,10 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -8309,7 +8389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.3.1/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2008-02-18 14:30:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/amavis.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/amavis.te	2008-04-14 14:08:03.000000000 -0400
 @@ -38,6 +38,9 @@
  type amavis_spool_t;
  files_type(amavis_spool_t)
@@ -8322,7 +8402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
  # amavis local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-04-14 16:01:13.000000000 -0400
 @@ -1,4 +1,4 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8345,7 +8425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,9 +48,11 @@
+@@ -48,11 +48,14 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -8356,8 +8436,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
  
++/var/www(/.*)?/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +68,21 @@
+ /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
+ /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
+@@ -66,10 +69,21 @@
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  
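Review bot: `/var/www(/.*)?/logs(/.*)?` (L566) labels every directory named `logs` at any depth under `/var/www` as `httpd_log_t`, including directories inside deployed web-application trees that would otherwise be `httpd_sys_content_t`; since file-context matching prefers the more specific regex, such content silently becomes a type httpd can write to, and whether it can also be served depends on log rules outside this hunk. Anchor the pattern to the location actually intended, e.g. `/var/www/logs(/.*)?`, or if the deep wildcard is deliberate add a comment naming the layout it targets.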
@@ -10429,18 +10512,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.3.1/policy/modules/services/bitlbee.te
 --- nsaserefpolicy/policy/modules/services/bitlbee.te	2007-09-17 15:56:47.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/bitlbee.te	2008-04-04 12:06:55.000000000 -0400
-@@ -17,6 +17,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/bitlbee.te	2008-04-14 14:08:49.000000000 -0400
+@@ -17,6 +17,12 @@
  type bitlbee_var_t;
  files_type(bitlbee_var_t)
  
++type bitlbee_tmp_t;
++files_tmp_file(bitlbee_tmp_t)
++
 +type bitlbee_script_exec_t;
 +init_script_type(bitlbee_script_exec_t)
 +
  ########################################
  #
  # Local policy
-@@ -54,6 +57,12 @@
+@@ -26,9 +32,15 @@
+ allow bitlbee_t self:udp_socket create_socket_perms;
+ allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+ allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
++allow bitlbee_t self:fifo_file rw_fifo_file_perms;
++allow bitlbee_t self:process signal;
+ 
+ bitlbee_read_config(bitlbee_t)
+ 
++# tmp files
++manage_files_pattern(bitlbee_t,bitlbee_tmp_t,bitlbee_tmp_t)
++files_tmp_filetrans(bitlbee_t,bitlbee_tmp_t,file)
++
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+ manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+@@ -54,6 +66,12 @@
  corenet_tcp_connect_msnp_port(bitlbee_t)
  corenet_tcp_sendrecv_msnp_port(bitlbee_t)
  
@@ -10453,7 +10555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
  files_read_etc_files(bitlbee_t)
  files_search_pids(bitlbee_t)
  # grant read-only access to the user help files
-@@ -62,6 +71,8 @@
+@@ -62,6 +80,8 @@
  libs_legacy_use_shared_libs(bitlbee_t)
  libs_use_ld_so(bitlbee_t)
  
@@ -12923,7 +13025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-04-14 15:20:57.000000000 -0400
 @@ -9,6 +9,7 @@
  #
  # Delcarations
@@ -13001,7 +13103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  
  libs_use_ld_so(system_dbusd_t)
  libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +139,28 @@
+@@ -121,9 +139,32 @@
  ')
  
  optional_policy(`
@@ -13028,6 +13130,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +	')
 +	unconfined_domain(unconfined_dbusd_t)
 +	allow dbusd_unconfined domain:dbus send_msg;
++
++	optional_policy(`
++		xserver_xdm_rw_shm(unconfined_dbusd_t)
++	')
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if
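Review bot: `xserver_xdm_rw_shm(unconfined_dbusd_t)` (L649) is granted to a domain that `unconfined_domain(unconfined_dbusd_t)` (L645) already makes unconfined, so the rule looks redundant unless xdm's shm type is deliberately kept out of the unconfined attribute, which cannot be confirmed from this hunk. Add a one-line comment naming the denial it fixes, e.g. `# xdm shm is not covered by unconfined_domain`, or drop the call if it is in fact covered.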
@@ -14960,7 +15066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.fc	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/hal.fc	2008-04-11 15:08:40.000000000 -0400
 @@ -8,6 +8,7 @@
  /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
  /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -14969,13 +15075,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
  
-@@ -16,10 +17,12 @@
+@@ -16,10 +17,13 @@
  /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
  
  /var/log/pm-suspend\.log			gen_context(system_u:object_r:hald_log_t,s0)
 +/var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
  
 +/var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 +/var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
  /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
 -/var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
@@ -15032,7 +15139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/hal.te	2008-04-14 09:25:23.000000000 -0400
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -15043,6 +15150,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  ########################################
  #
  # Local policy
+@@ -57,7 +60,7 @@
+ # execute openvt which needs setuid
+ allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+-allow hald_t self:process signal_perms;
++allow hald_t self:process { getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
+ allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow hald_t self:unix_dgram_socket create_socket_perms;
 @@ -70,7 +73,7 @@
  manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
  
@@ -18643,6 +18759,185 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
+--- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-04-14 14:30:28.000000000 -0400
+@@ -6,6 +6,14 @@
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow postfix_local domain full write access to mail_spool directories
++## 
++## </p>
++## </desc>
++gen_tunable(allow_postfix_local_write_mail_spool,false)
++
+ attribute postfix_user_domains;
+ # domains that transition to the
+ # postfix user domains
+@@ -27,6 +35,10 @@
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
+ 
++tunable_policy(`allow_postfix_local_write_mail_spool', `
++	mta_rw_spool(postfix_local_t)
++')
++
+ type postfix_local_tmp_t;
+ files_tmp_file(postfix_local_tmp_t)
+ 
+@@ -34,6 +46,7 @@
+ type postfix_map_t;
+ type postfix_map_exec_t;
+ application_domain(postfix_map_t,postfix_map_exec_t)
++role system_r types postfix_map_t;
+ 
+ type postfix_map_tmp_t;
+ files_tmp_file(postfix_map_tmp_t)
+@@ -99,6 +112,7 @@
+ allow postfix_master_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_master_t self:tcp_socket create_stream_socket_perms;
+ allow postfix_master_t self:udp_socket create_socket_perms;
++allow postfix_master_t self:process setrlimit;
+ 
+ allow postfix_master_t postfix_etc_t:file rw_file_perms;
+ 
+@@ -174,6 +188,7 @@
+ 
+ mta_rw_aliases(postfix_master_t)
+ mta_read_sendmail_bin(postfix_master_t)
++mta_getattr_spool(postfix_master_t)
+ 
+ optional_policy(`
+ 	cyrus_stream_connect(postfix_master_t)
+@@ -248,6 +263,10 @@
+ 
+ corecmd_exec_bin(postfix_cleanup_t)
+ 
++optional_policy(`
++	mailman_read_data_files(postfix_cleanup_t)
++')
++
+ ########################################
+ #
+ # Postfix local local policy
+@@ -273,18 +292,25 @@
+ 
+ files_read_etc_files(postfix_local_t)
+ 
++logging_dontaudit_search_logs(postfix_local_t)
++
+ mta_read_aliases(postfix_local_t)
+ mta_delete_spool(postfix_local_t)
+ # For reading spamassasin
+ mta_read_config(postfix_local_t)
+ 
++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++
+ optional_policy(`
+ 	clamav_search_lib(postfix_local_t)
++	clamav_exec_clamscan(postfix_local_t)
+ ')
+ 
+ optional_policy(`
+ #	for postalias
+ 	mailman_manage_data_files(postfix_local_t)
++	mailman_append_log(postfix_local_t)
++	mailman_read_log(postfix_local_t)
+ ')
+ 
+ optional_policy(`
+@@ -295,8 +321,7 @@
+ #
+ # Postfix map local policy
+ #
+-
+-allow postfix_map_t self:capability setgid;
++allow postfix_map_t self:capability { dac_override setgid setuid };
+ allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+@@ -346,8 +371,6 @@
+ 
+ miscfiles_read_localization(postfix_map_t)
+ 
+-seutil_read_config(postfix_map_t)
+-
+ tunable_policy(`read_default_t',`
+ 	files_list_default(postfix_map_t)
+ 	files_read_default_files(postfix_map_t)
+@@ -360,6 +383,11 @@
+ 	locallogin_dontaudit_use_fds(postfix_map_t)
+ ')
+ 
++optional_policy(`
++#	for postalias
++	mailman_manage_data_files(postfix_map_t)
++')
++
+ ########################################
+ #
+ # Postfix pickup local policy
+@@ -384,6 +412,7 @@
+ #
+ 
+ allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
++allow postfix_pipe_t self:process setrlimit;
+ 
+ write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
+ 
+@@ -391,6 +420,12 @@
+ 
+ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
+ 
++domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++
++optional_policy(`
++	dovecot_domtrans_deliver(postfix_pipe_t)
++')
++
+ optional_policy(`
+ 	procmail_domtrans(postfix_pipe_t)
+ ')
+@@ -400,6 +435,10 @@
+ ')
+ 
+ optional_policy(`
++	mta_manage_spool(postfix_pipe_t)
++')
++
++optional_policy(`
+ 	uucp_domtrans_uux(postfix_pipe_t)
+ ')
+ 
+@@ -532,9 +571,6 @@
+ # connect to master process
+ stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+ 
+-# Connect to policy server
+-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+-
+ # for prng_exch
+ allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+@@ -557,6 +593,10 @@
+ 	sasl_connect(postfix_smtpd_t)
+ ')
+ 
++optional_policy(`
++	dovecot_auth_stream_connect(postfix_smtpd_t)
++')
++
+ ########################################
+ #
+ # Postfix virtual local policy
+@@ -584,3 +624,4 @@
+ # For reading spamassasin
+ mta_read_config(postfix_virtual_t)
+ mta_manage_spool(postfix_virtual_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
 --- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2007-11-08 09:29:27.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc	2008-04-04 12:06:55.000000000 -0400
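Review bot: The widening to `allow postfix_map_t self:capability { dac_override setgid setuid };` carries no rationale, and dac_override lets the map domain bypass DAC checks on every file type it already has access to; if it is needed for postmap/postalias on root-owned map files, a one-line comment such as `# dac_override/setuid: postmap and postalias rewrite root-owned map files (confirm)` above the rule would keep that reviewable. Apart from the `+++` timestamp, this hunk appears to re-add byte for byte the postfix.te block that the hunk at `@@ -18737,185 +19032,6 @@` removes, so it is a reordering rather than new policy and should be described as such. The tunable description also contains an empty `## ` line inside `<p>`, which only adds a blank paragraph to the generated documentation and can be dropped. The removal of `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` is likewise unexplained; presumably the policy-server access is granted through another interface now, but that is worth stating.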
@@ -18737,185 +19032,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Local Policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-04-09 08:18:34.000000000 -0400
-@@ -6,6 +6,14 @@
- # Declarations
- #
- 
-+## <desc>
-+## <p>
-+## Allow postfix_local domain full write access to mail_spool directories
-+## 
-+## </p>
-+## </desc>
-+gen_tunable(allow_postfix_local_write_mail_spool,false)
-+
- attribute postfix_user_domains;
- # domains that transition to the
- # postfix user domains
-@@ -27,6 +35,10 @@
- postfix_server_domain_template(local)
- mta_mailserver_delivery(postfix_local_t)
- 
-+tunable_policy(`allow_postfix_local_write_mail_spool', `
-+	mta_rw_spool(postfix_local_t)
-+')
-+
- type postfix_local_tmp_t;
- files_tmp_file(postfix_local_tmp_t)
- 
-@@ -34,6 +46,7 @@
- type postfix_map_t;
- type postfix_map_exec_t;
- application_domain(postfix_map_t,postfix_map_exec_t)
-+role system_r types postfix_map_t;
- 
- type postfix_map_tmp_t;
- files_tmp_file(postfix_map_tmp_t)
-@@ -99,6 +112,7 @@
- allow postfix_master_t self:fifo_file rw_fifo_file_perms;
- allow postfix_master_t self:tcp_socket create_stream_socket_perms;
- allow postfix_master_t self:udp_socket create_socket_perms;
-+allow postfix_master_t self:process setrlimit;
- 
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
- 
-@@ -174,6 +188,7 @@
- 
- mta_rw_aliases(postfix_master_t)
- mta_read_sendmail_bin(postfix_master_t)
-+mta_getattr_spool(postfix_master_t)
- 
- optional_policy(`
- 	cyrus_stream_connect(postfix_master_t)
-@@ -248,6 +263,10 @@
- 
- corecmd_exec_bin(postfix_cleanup_t)
- 
-+optional_policy(`
-+	mailman_read_data_files(postfix_cleanup_t)
-+')
-+
- ########################################
- #
- # Postfix local local policy
-@@ -273,18 +292,25 @@
- 
- files_read_etc_files(postfix_local_t)
- 
-+logging_dontaudit_search_logs(postfix_local_t)
-+
- mta_read_aliases(postfix_local_t)
- mta_delete_spool(postfix_local_t)
- # For reading spamassasin
- mta_read_config(postfix_local_t)
- 
-+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-+
- optional_policy(`
- 	clamav_search_lib(postfix_local_t)
-+	clamav_exec_clamscan(postfix_local_t)
- ')
- 
- optional_policy(`
- #	for postalias
- 	mailman_manage_data_files(postfix_local_t)
-+	mailman_append_log(postfix_local_t)
-+	mailman_read_log(postfix_local_t)
- ')
- 
- optional_policy(`
-@@ -295,8 +321,7 @@
- #
- # Postfix map local policy
- #
--
--allow postfix_map_t self:capability setgid;
-+allow postfix_map_t self:capability { dac_override setgid setuid };
- allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
- allow postfix_map_t self:unix_dgram_socket create_socket_perms;
- allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +371,6 @@
- 
- miscfiles_read_localization(postfix_map_t)
- 
--seutil_read_config(postfix_map_t)
--
- tunable_policy(`read_default_t',`
- 	files_list_default(postfix_map_t)
- 	files_read_default_files(postfix_map_t)
-@@ -360,6 +383,11 @@
- 	locallogin_dontaudit_use_fds(postfix_map_t)
- ')
- 
-+optional_policy(`
-+#	for postalias
-+	mailman_manage_data_files(postfix_map_t)
-+')
-+
- ########################################
- #
- # Postfix pickup local policy
-@@ -384,6 +412,7 @@
- #
- 
- allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
-+allow postfix_pipe_t self:process setrlimit;
- 
- write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
- 
-@@ -391,6 +420,12 @@
- 
- rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
- 
-+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
-+
-+optional_policy(`
-+	dovecot_domtrans_deliver(postfix_pipe_t)
-+')
-+
- optional_policy(`
- 	procmail_domtrans(postfix_pipe_t)
- ')
-@@ -400,6 +435,10 @@
- ')
- 
- optional_policy(`
-+	mta_manage_spool(postfix_pipe_t)
-+')
-+
-+optional_policy(`
- 	uucp_domtrans_uux(postfix_pipe_t)
- ')
- 
-@@ -532,9 +571,6 @@
- # connect to master process
- stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
- 
--# Connect to policy server
--corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
--
- # for prng_exch
- allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
- allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +593,10 @@
- 	sasl_connect(postfix_smtpd_t)
- ')
- 
-+optional_policy(`
-+	dovecot_auth_stream_connect(postfix_smtpd_t)
-+')
-+
- ########################################
- #
- # Postfix virtual local policy
-@@ -584,3 +624,4 @@
- # For reading spamassasin
- mta_read_config(postfix_virtual_t)
- mta_manage_spool(postfix_virtual_t)
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc	2008-04-04 12:06:55.000000000 -0400
@@ -19035,9 +19151,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.3.1/policy/modules/services/postgrey.if
 --- nsaserefpolicy/policy/modules/services/postgrey.if	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postgrey.if	2008-04-04 12:06:55.000000000 -0400
-@@ -19,3 +19,74 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgrey.if	2008-04-14 10:40:45.000000000 -0400
+@@ -12,10 +12,82 @@
+ #
+ interface(`postgrey_stream_connect',`
+         gen_require(`
+-                type postgrey_var_run_t, postgrey_t;
++                type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+         ')
+ 
+ 	allow $1 postgrey_t:unix_stream_socket connectto;
          allow $1 postgrey_var_run_t:sock_file write;
++        allow $1 postgrey_spool_t:sock_file write;
  	files_search_pids($1)
  ')
 +
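Review bot: The new `allow $1 postgrey_spool_t:sock_file write;` in `postgrey_stream_connect` grants write on the socket, but the interface still only calls `files_search_pids($1)`; the socket lives under `/var/spool/postfix/postgrey` per the .fc hunk above, so a caller without search access along the spool path cannot reach it, and the interface should either add the matching search calls (`files_search_spool($1)` plus whatever covers the postfix spool directory) or document that callers must already have them. The added line is space-indented like the `postgrey_var_run_t` line above it but unlike the tab-indented `files_search_pids` line that follows, so the interface now mixes both styles. The server-side counterpart, `manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)`, is in the postgrey.te hunk at `@@ -19149,11 +19274,12 @@`.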
@@ -19113,8 +19238,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.3.1/policy/modules/services/postgrey.te
 --- nsaserefpolicy/policy/modules/services/postgrey.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postgrey.te	2008-04-04 12:06:55.000000000 -0400
-@@ -13,26 +13,37 @@
++++ serefpolicy-3.3.1/policy/modules/services/postgrey.te	2008-04-14 10:40:21.000000000 -0400
+@@ -13,26 +13,38 @@
  type postgrey_etc_t;
  files_config_file(postgrey_etc_t)
  
@@ -19149,11 +19274,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
 +manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
 +manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
++manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
 +
  manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
  files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
  
-@@ -85,6 +96,11 @@
+@@ -85,6 +97,11 @@
  ')
  
  optional_policy(`
@@ -20512,123 +20638,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun
  ########################################
  #
  # Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
---- nsaserefpolicy/policy/modules/services/rpcbind.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-04-04 12:06:56.000000000 -0400
-@@ -5,3 +5,5 @@
- /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+
-+/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
---- nsaserefpolicy/policy/modules/services/rpcbind.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if	2008-04-04 12:06:56.000000000 -0400
-@@ -95,3 +95,70 @@
- 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
- 	files_search_var_lib($1)
- ')
-+
-+########################################
-+## <summary>
-+##	Execute rpcbind server in the rpcbind domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`rpcbind_script_domtrans',`
-+	gen_require(`
-+		type rpcbind_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,rpcbind_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an rpcbind environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the rpcbind domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`rpcbind_admin',`
-+	gen_require(`
-+		type rpcbind_t;
-+		type rpcbind_script_exec_t;
-+		type rpcbind_var_lib_t;
-+		type rpcbind_var_run_t;
-+	')
-+
-+	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, rpcbind_t, rpcbind_t)
-+	        
-+	# Allow rpcbind_t to restart the apache service
-+	rpcbind_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 rpcbind_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_var_lib($1)
-+        manage_all_pattern($1,rpcbind_var_lib_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,rpcbind_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te	2008-04-04 12:06:56.000000000 -0400
-@@ -16,16 +16,21 @@
- type rpcbind_var_lib_t;
- files_type(rpcbind_var_lib_t)
- 
-+type rpcbind_script_exec_t;
-+init_script_type(rpcbind_script_exec_t)
-+
- ########################################
- #
- # rpcbind local policy
- #
- 
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
- 
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +42,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
- 
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
- 
- corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if	2008-04-04 12:06:56.000000000 -0400
@@ -20672,7 +20681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-07 22:12:28.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-04-14 10:54:17.000000000 -0400
 @@ -60,10 +60,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -20746,7 +20755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  files_read_usr_symlinks(gssd_t) 
  
 +auth_use_nsswitch(gssd_t)
-+auth_rw_cache(gssd_t) 
++auth_manage_cache(gssd_t) 
 +
  miscfiles_read_certs(gssd_t)
  
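Review bot: Replacing `auth_rw_cache(gssd_t)` with `auth_manage_cache(gssd_t)` also lets gssd create, rename and unlink files of type auth_cache_t, not just read and write existing ones, and the hunk gives no reason for the wider grant. auth_cache_t also covers `/var/cache/coolkey(/.*)?` per the authlogin.fc hunk further down, so manage on it reaches more than gssd's own files; a comment such as `# gssd creates and removes credential cache files under /var/cache (confirm trigger)` above the call would record why rw was insufficient. The new line also keeps a trailing space after the closing parenthesis.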
@@ -20756,6 +20765,123 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-04-04 12:06:56.000000000 -0400
+@@ -5,3 +5,5 @@
+ /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++
++/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if	2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if	2008-04-04 12:06:56.000000000 -0400
+@@ -95,3 +95,70 @@
+ 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ 	files_search_var_lib($1)
+ ')
++
++########################################
++## <summary>
++##	Execute rpcbind server in the rpcbind domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`rpcbind_script_domtrans',`
++	gen_require(`
++		type rpcbind_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,rpcbind_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an rpcbind environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the rpcbind domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rpcbind_admin',`
++	gen_require(`
++		type rpcbind_t;
++		type rpcbind_script_exec_t;
++		type rpcbind_var_lib_t;
++		type rpcbind_var_run_t;
++	')
++
++	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, rpcbind_t, rpcbind_t)
++	        
++	# Allow rpcbind_t to restart the apache service
++	rpcbind_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 rpcbind_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_var_lib($1)
++        manage_all_pattern($1,rpcbind_var_lib_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,rpcbind_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te	2008-04-04 12:06:56.000000000 -0400
+@@ -16,16 +16,21 @@
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+ 
++type rpcbind_script_exec_t;
++init_script_type(rpcbind_script_exec_t)
++
+ ########################################
+ #
+ # rpcbind local policy
+ #
+ 
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +42,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+ 
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te	2008-04-04 12:06:56.000000000 -0400
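Review bot: The comment `# Allow rpcbind_t to restart the apache service` inside `rpcbind_admin` is a copy-paste leftover: the rules beneath it give `$1` (the admin domain), not rpcbind_t, a transition through the rpcbind init script, so it should read `# Allow the admin domain to restart the rpcbind service`. This hunk re-adds the three rpcbind diffs that the hunk at `@@ -20512,123 +20638,6 @@` removes, apparently unchanged apart from their position in the patch, so the move should be called out as a move. Within the moved text, `allow rpcbind_t self:capability { dac_override setuid sys_tty_config };` widens the daemon's capabilities without a rationale, the `# BROKEN ...` comment above `dontaudit rpcbind_t self:udp_socket listen;` does not say what is broken or when the dontaudit can go, and the two `manage_all_pattern` lines are space-indented where the rest of the interface uses tabs.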
@@ -22346,8 +22472,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.3.1/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/snmp.te	2008-04-04 12:06:56.000000000 -0400
-@@ -18,6 +18,9 @@
++++ serefpolicy-3.3.1/policy/modules/services/snmp.te	2008-04-14 15:00:01.000000000 -0400
+@@ -18,12 +18,16 @@
  type snmpd_var_lib_t;
  files_type(snmpd_var_lib_t)
  
@@ -22357,7 +22483,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  ########################################
  #
  # Local policy
-@@ -45,6 +48,7 @@
+ #
+ allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
+ dontaudit snmpd_t self:capability { sys_module sys_tty_config };
++allow snmpd_t self:process getsched;
+ allow snmpd_t self:fifo_file rw_fifo_file_perms;
+ allow snmpd_t self:unix_dgram_socket create_socket_perms;
+ allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -45,6 +49,7 @@
  
  kernel_read_device_sysctls(snmpd_t)
  kernel_read_kernel_sysctls(snmpd_t)
@@ -22365,7 +22498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  kernel_read_net_sysctls(snmpd_t)
  kernel_read_proc_symlinks(snmpd_t)
  kernel_read_system_state(snmpd_t)
-@@ -81,8 +85,7 @@
+@@ -81,8 +86,7 @@
  files_read_usr_files(snmpd_t)
  files_read_etc_runtime_files(snmpd_t)
  files_search_home(snmpd_t)
@@ -23680,7 +23813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.3.1/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-02-06 10:33:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/ssh.if	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ssh.if	2008-04-14 12:04:54.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -23851,7 +23984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.3.1/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/ssh.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ssh.te	2008-04-14 12:35:04.000000000 -0400
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -23861,12 +23994,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  # ssh client executable.
  type ssh_exec_t;
-@@ -57,6 +57,12 @@
+@@ -57,6 +57,13 @@
  	init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
  ')
  
 +type user_ssh_home_t;
 +userdom_user_home_content(user,user_ssh_home_t)
++typealias user_ssh_home_t alias user_home_ssh_t;
 +
 +type user_ssh_tmp_t;
 +files_tmp_file(user_ssh_tmp_t)
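Review bot: `typealias user_ssh_home_t alias user_home_ssh_t;` introduces a second name for the type without saying why it is needed. If it exists so that modules or file contexts still referencing the older name keep loading, a comment such as `# compatibility alias for the previous type name; remove once no module references it (confirm)` above it would tell the next reader whether the alias is permanent or transitional.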
@@ -23874,7 +24008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  #################################
  #
  # sshd local policy
-@@ -80,6 +86,11 @@
+@@ -80,6 +87,11 @@
  corenet_tcp_bind_xserver_port(sshd_t)
  corenet_sendrecv_xserver_server_packets(sshd_t)
  
@@ -23886,7 +24020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
  	# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -101,6 +112,10 @@
+@@ -101,6 +113,10 @@
  ')
  
  optional_policy(`
@@ -23897,7 +24031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
-@@ -119,7 +134,11 @@
+@@ -119,7 +135,11 @@
  ')
  
  optional_policy(`
@@ -25692,7 +25826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-07 22:44:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-04-14 14:45:06.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -25765,7 +25899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  type iceauth_exec_t;
 -application_executable_file(iceauth_exec_t)
 +application_domain(iceauth_t,iceauth_exec_t)
-+
+ 
 +type input_xevent_t, xevent_type;
 +type manage_xevent_t, xevent_type;
 +type output_xext_t, xextension_type;
@@ -25781,7 +25915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +type x_rootcolormap_t;
 +type x_rootscreen_t;
 +type x_rootwindow_t;
- 
++
 +type xauth_t;
  type xauth_exec_t;
 -application_executable_file(xauth_exec_t)
@@ -25883,7 +26017,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
  manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
- files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+-files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
++files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir })
 +# Read machine-id
 +files_read_var_lib_files(xdm_t)
  
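Review bot: Widening `files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)` to `{ file dir }` means every directory xdm creates directly under /var/lib is labelled xdm_var_lib_t, and nothing in the hunk says which directory that is. A comment naming it, e.g. `# xdm creates its own state directory under /var/lib (confirm which)`, placed above the call would make the new transition reviewable; the adjacent `# Read machine-id` comment only explains the `files_read_var_lib_files` line.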
@@ -26112,7 +26247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +577,17 @@
+@@ -404,9 +577,18 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -26122,6 +26257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
 +getty_use_fds(xdm_xserver_t)
 +locallogin_use_fds(xdm_xserver_t)
++userdom_dontaudit_write_user_home_content_files(user, xdm_xserver_t)
 +
 +optional_policy(`
 +	userhelper_search_config(xdm_xserver_t)
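Review bot: `userdom_dontaudit_write_user_home_content_files(user, xdm_xserver_t)` silences, rather than explains, write attempts by the X server on user home content, and the hunk gives no indication of what triggers them. Because a dontaudit hides exactly the denial that would reveal a misbehaving or compromised X server writing into a home directory, the rule should carry a comment naming the known trigger, e.g. `# xserver attempts to write a user home file on startx; denial is harmless (confirm trigger)`, or be narrowed to the specific type if one is known.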
@@ -26130,7 +26266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +601,22 @@
+@@ -420,6 +602,22 @@
  ')
  
  optional_policy(`
@@ -26153,7 +26289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +626,139 @@
+@@ -429,47 +627,138 @@
  ')
  
  optional_policy(`
@@ -26177,11 +26313,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	# xserver signals unconfined user on startx
 +	unconfined_signal(xdm_xserver_t)
 +	unconfined_getpgid(xdm_xserver_t)
++	unconfined_domain(xdm_xserver_t)
 +')
 +
 +
 +tunable_policy(`allow_xserver_execmem', `
 +	allow xdm_xserver_t self:process { execheap execmem execstack };
++')
++
++ifndef(`distro_redhat',`
++	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
 -ifdef(`TODO',`
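Review bot: `unconfined_domain(xdm_xserver_t)` inside the unconfined `optional_policy` block turns the X server into an unconfined domain whenever the unconfined module is loaded, which removes every restriction the rest of xserver.te places on xdm_xserver_t, including the `allow_xserver_execmem` tunable directly below it, which becomes a no-op. The `unconfined_signal`/`unconfined_getpgid` calls already in this block are the targeted form of letting the server interact with unconfined users; if full unconfinement really is required, it deserves its own comment stating why and a changelog entry rather than being folded in next to those two lines. The enclosing `optional_policy` block starts before this hunk, so I could not see whether anything else in it bears on this.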
@@ -26205,20 +26346,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -allow xdm_t polymember:lnk_file { create unlink };
 -# xdm needs access for copying .Xauthority into new home
 -allow xdm_t polymember:file { create getattr write };
-+ifndef(`distro_redhat',`
++ifdef(`distro_rhel4',`
 +	allow xdm_xserver_t self:process { execheap execmem };
  ')
  
-+ifdef(`distro_rhel4',`
-+	allow xdm_xserver_t self:process { execheap execmem };
-+')
-+
 +##############################
  #
 -# Wants to delete .xsession-errors file
 +# xauth_t Local policy
- #
--allow xdm_t user_home_type:file unlink;
++#
 +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
 +
 +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
@@ -26266,7 +26402,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +##############################
 +#
 +# iceauth_t Local policy
-+#
+ #
+-allow xdm_t user_home_type:file unlink;
 +
 +allow iceauth_t user_iceauth_home_t:file manage_file_perms;
 +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@@ -26325,8 +26462,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +tunable_policy(`allow_read_x_device',`
 +	allow xserver_unconfined_type { x_domain x_server_domain self }:x_device read;
 +')
-+
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc
 --- nsaserefpolicy/policy/modules/services/zabbix.fc	2007-04-11 15:52:54.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/zabbix.fc	2008-04-04 12:06:56.000000000 -0400
@@ -26549,7 +26684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-07 22:13:19.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if	2008-04-14 10:53:59.000000000 -0400
 @@ -99,7 +99,7 @@
  template(`authlogin_per_role_template',`
  
@@ -26703,7 +26838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  ')
  
-@@ -1491,3 +1563,41 @@
+@@ -1491,3 +1563,59 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -26745,6 +26880,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 +	rw_files_pattern($1, auth_cache_t,  auth_cache_t)
 +')
++########################################
++## <summary>
++##	Manage authentication cache
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`auth_manage_cache',`
++	gen_require(`
++		type auth_cache_t;
++	')
++
++	manage_files_pattern($1, auth_cache_t,  auth_cache_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-04-04 12:06:56.000000000 -0400
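Review bot: The new `auth_manage_cache` interface grants `manage_files_pattern($1, auth_cache_t, auth_cache_t)` but nothing lets the caller reach the cache location; the `.fc` change earlier in this file labels `/var/cache/coolkey(/.*)?` as auth_cache_t, so a caller lacking search on /var and /var/cache is still denied before it touches the files. Refpolicy interfaces of this kind normally include that, e.g. `files_search_var($1)` before the pattern line — worth checking against the rw interface just above it, whose body is mostly outside the hunk. The summary could also say what the cache holds (`##	Manage the authentication cache (coolkey state under /var/cache)`), and `auth_cache_t,  auth_cache_t` carries a stray double space copied from the rw line.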
@@ -28484,7 +28637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.3.1/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if	2008-04-06 06:44:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/miscfiles.if	2008-04-14 14:21:10.000000000 -0400
 @@ -489,3 +489,44 @@
  	manage_lnk_files_pattern($1,locale_t,locale_t)
  ')
@@ -30167,7 +30320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc	2008-04-14 13:29:50.000000000 -0400
 @@ -2,15 +2,16 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -30527,7 +30680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-04 12:06:56.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-14 15:20:35.000000000 -0400
 @@ -6,35 +6,67 @@
  # Declarations
  #
@@ -30696,28 +30849,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
-@@ -134,14 +187,6 @@
+@@ -134,82 +187,92 @@
  ')
  
  optional_policy(`
 -	mono_domtrans(unconfined_t)
--')
--
--optional_policy(`
++	oddjob_domtrans_mkhomedir(unconfined_t)
+ ')
+ 
+ optional_policy(`
 -	mta_per_role_template(unconfined, unconfined_t, unconfined_r)
--')
--
--optional_policy(`
- 	oddjob_domtrans_mkhomedir(unconfined_t)
++	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
-@@ -154,62 +199,76 @@
+ optional_policy(`
+-	oddjob_domtrans_mkhomedir(unconfined_t)
++	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
  ')
  
  optional_policy(`
--	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
--	# cjp: this should probably be removed:
--	postfix_domtrans_master(unconfined_t)
+-	prelink_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	tunable_policy(`allow_unconfined_qemu_transition', `
 +		qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	', `
@@ -30727,13 +30878,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	qemu_unconfined_role(unconfined_r)
  ')
  
-+optional_policy(`
+ optional_policy(`
+-	portmap_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
 +	rpm_role_transition(unconfined_r)
-+')
+ ')
+ 
+ optional_policy(`
+-	postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	# cjp: this should probably be removed:
+-	postfix_domtrans_master(unconfined_t)
++	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+ ')
  
+-
  optional_policy(`
 -	pyzor_per_role_template(unconfined)
 +	samba_per_role_template(unconfined)
@@ -30807,7 +30967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  ########################################
-@@ -219,14 +278,34 @@
+@@ -219,14 +282,35 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -30847,6 +31007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
 +# Allow SELinux aware applications to request rpm_script execution
 +rpm_transition_script(unconfined_notrans_t)
++domain_ptrace_all_domains(unconfined_notrans_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.3.1/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2007-02-19 11:32:53.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.fc	2008-04-04 12:06:56.000000000 -0400
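Review bot: `++domain_ptrace_all_domains(unconfined_notrans_t)` lets this domain ptrace every domain on the system, i.e. read and alter the memory of confined daemons and thereby bypass their confinement, and the line carries no comment saying which tool needs it. Since unconfined_notrans_t is reached from unconfined_t through the domtrans on the preceding line, anything an unconfined user starts via that entry point inherits the grant. I would record the justification inline, `# <tool placeholder> must ptrace confined services — TODO confirm`, and check whether an interface targeting the specific domain it debugs would suffice. The declarations for unconfined_notrans_t are outside the hunk.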
@@ -30862,7 +31023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-08 14:33:30.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-14 12:32:35.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -31825,8 +31986,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	manage_sock_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
 +	manage_fifo_files_pattern(privhome,{ user_home_dir_t user_home_t },user_home_t)
 +	filetrans_pattern(privhome,user_home_dir_t,user_home_t,{ dir file lnk_file sock_file fifo_file })
-+
-+	optional_policy(`
+ 
+ 	optional_policy(`
+-		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 +		dbus_per_role_template($1, $1_usertype, $1_r)
 +		dbus_system_bus_client_template($1, $1_usertype)
 +
@@ -31836,12 +31998,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		optional_policy(`
 +			cups_dbus_chat($1_usertype)
 +		')
-+	')
- 
- 	optional_policy(`
- 		loadkeys_run($1_t,$1_r,$1_tty_device_t)
  	')
 +
++	optional_policy(`
++		loadkeys_run($1_t,$1_r,$1_tty_device_t)
++	')	
++
  ')
  
  #######################################
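Review bot: `++	')	`, the line closing the relocated loadkeys_run block, ends with a trailing tab; m4 does not care, but it will surface as whitespace noise in every later refresh of this patch, so it should be `')` alone. The rest of the hunk only reorders the dbus and loadkeys optional_policy blocks. The enclosing template starts outside the hunk.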
@@ -31948,22 +32110,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1193,12 +1205,11 @@
+@@ -1193,12 +1205,15 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +		corenet_tcp_bind_all_unreserved_ports($1_t)
++	')
++
++	optional_policy(`
++		hal_dbus_chat($1_t)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 -		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+		hal_dbus_chat($1_t)
++		cron_per_role_template($1, $1_t, $1_r)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1218,27 @@
+@@ -1207,7 +1222,27 @@
  	')
  
  	optional_policy(`
@@ -31992,7 +32158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1284,8 +1315,6 @@
+@@ -1284,8 +1319,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -32001,7 +32167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1307,8 +1336,6 @@
+@@ -1307,8 +1340,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -32010,7 +32176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1363,13 +1390,6 @@
+@@ -1363,13 +1394,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -32024,7 +32190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1422,6 +1442,7 @@
+@@ -1422,6 +1446,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -32032,7 +32198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1787,10 +1808,14 @@
+@@ -1787,10 +1812,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -32048,7 +32214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1886,11 +1911,11 @@
+@@ -1886,11 +1915,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -32062,7 +32228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1920,11 +1945,11 @@
+@@ -1920,11 +1949,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -32076,7 +32242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1968,12 +1993,12 @@
+@@ -1968,12 +1997,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -32092,7 +32258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2003,10 +2028,11 @@
+@@ -2003,10 +2032,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -32106,7 +32272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2038,11 +2064,47 @@
+@@ -2038,11 +2068,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -32156,7 +32322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2074,10 +2136,10 @@
+@@ -2074,10 +2140,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -32169,7 +32335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2107,11 +2169,11 @@
+@@ -2107,11 +2173,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -32183,7 +32349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2141,11 +2203,11 @@
+@@ -2141,11 +2207,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -32198,7 +32364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2175,10 +2237,14 @@
+@@ -2175,10 +2241,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -32215,7 +32381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2208,11 +2274,11 @@
+@@ -2208,11 +2278,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -32229,7 +32395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2242,11 +2308,11 @@
+@@ -2242,11 +2312,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -32243,7 +32409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2276,10 +2342,10 @@
+@@ -2276,10 +2346,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -32256,7 +32422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2311,12 +2377,12 @@
+@@ -2311,12 +2381,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -32272,7 +32438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2348,10 +2414,10 @@
+@@ -2348,10 +2418,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -32285,7 +32451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2383,12 +2449,12 @@
+@@ -2383,12 +2453,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -32301,7 +32467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2420,12 +2486,12 @@
+@@ -2420,12 +2490,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -32317,7 +32483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2457,12 +2523,12 @@
+@@ -2457,12 +2527,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -32333,7 +32499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2507,11 +2573,11 @@
+@@ -2507,11 +2577,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -32347,7 +32513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2556,11 +2622,11 @@
+@@ -2556,11 +2626,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -32361,7 +32527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2600,11 +2666,11 @@
+@@ -2600,11 +2670,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -32375,7 +32541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2634,11 +2700,11 @@
+@@ -2634,11 +2704,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -32389,7 +32555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2668,11 +2734,11 @@
+@@ -2668,11 +2738,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -32403,7 +32569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2704,10 +2770,10 @@
+@@ -2704,10 +2774,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -32416,7 +32582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2739,10 +2805,10 @@
+@@ -2739,10 +2809,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -32429,7 +32595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2772,12 +2838,12 @@
+@@ -2772,12 +2842,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -32445,7 +32611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2809,10 +2875,10 @@
+@@ -2809,10 +2879,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -32458,7 +32624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2844,10 +2910,48 @@
+@@ -2844,10 +2914,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -32509,7 +32675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2877,12 +2981,12 @@
+@@ -2877,12 +2985,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -32525,7 +32691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2914,10 +3018,10 @@
+@@ -2914,10 +3022,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -32538,7 +32704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2949,12 +3053,12 @@
+@@ -2949,12 +3057,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -32554,7 +32720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2986,11 +3090,11 @@
+@@ -2986,11 +3094,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -32568,7 +32734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3022,11 +3126,11 @@
+@@ -3022,11 +3130,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -32582,7 +32748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3058,11 +3162,11 @@
+@@ -3058,11 +3166,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -32596,7 +32762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3094,11 +3198,11 @@
+@@ -3094,11 +3202,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -32610,7 +32776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3130,11 +3234,11 @@
+@@ -3130,11 +3238,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -32624,7 +32790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3179,10 +3283,10 @@
+@@ -3179,10 +3287,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -32637,7 +32803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3327,10 @@
+@@ -3223,10 +3331,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -32650,7 +32816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3254,24 +3358,24 @@
+@@ -3254,24 +3362,24 @@
  ##	</summary>
  ## </param>
  #
@@ -32679,7 +32845,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3290,23 +3394,24 @@
+@@ -3290,23 +3398,24 @@
  ##	</summary>
  ## </param>
  #
@@ -32711,7 +32877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3321,25 +3426,28 @@
+@@ -3321,25 +3430,96 @@
  ## </param>
  ## <param name="domain">
  ##	<summary>
@@ -32743,33 +32909,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	<p>
 -##	Read user untrusted files.
 +##	List users untrusted directories.
- ##	</p>
- ##	<p>
- ##	This is a templated interface, and should only
-@@ -3358,18 +3466,86 @@
- ##	</summary>
- ## </param>
- #
--template(`userdom_read_user_untrusted_content_files',`
-+template(`userdom_list_user_untrusted_content',`
- 	gen_require(`
- 		type $1_untrusted_content_t;
- 	')
- 
- 	allow $2 $1_untrusted_content_t:dir list_dir_perms;
--	read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
- ')
- 
- ########################################
- ## <summary>
--##	Manage user untrusted files.
-+##	Do not audit attempts to list user
-+##	untrusted directories.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Do not audit attempts to read user
-+##	untrusted directories.
 +##	</p>
 +##	<p>
 +##	This is a templated interface, and should only
@@ -32784,25 +32923,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +## </param>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_dontaudit_list_user_untrusted_content',`
++template(`userdom_list_user_untrusted_content',`
 +	gen_require(`
 +		type $1_untrusted_content_t;
 +	')
 +
-+	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
++	allow $2 $1_untrusted_content_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Read user untrusted files.
++##	Do not audit attempts to list user
++##	untrusted directories.
 +## </summary>
 +## <desc>
 +##	<p>
-+##	Read user untrusted files.
++##	Do not audit attempts to read user
++##	untrusted directories.
 +##	</p>
 +##	<p>
 +##	This is a templated interface, and should only
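Review bot: The `<desc>` paragraph of `userdom_dontaudit_list_user_untrusted_content` contradicts its own summary and body: the summary says "Do not audit attempts to list user untrusted directories" and the template, visible in the next hunk, only does `dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;`, yet the description line reads `Do not audit attempts to read user`. Change it to `##	Do not audit attempts to list user` so the generated interface documentation does not suggest file reads are being silenced too. The template body itself lies outside this hunk.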
@@ -32817,26 +32958,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +## </param>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_read_user_untrusted_content_files',`
++template(`userdom_dontaudit_list_user_untrusted_content',`
 +	gen_require(`
 +		type $1_untrusted_content_t;
 +	')
 +
-+	allow $2 $1_untrusted_content_t:dir list_dir_perms;
-+	read_files_pattern($2,$1_untrusted_content_t,$1_untrusted_content_t)
++	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage user untrusted files.
- ## </summary>
- ## <desc>
- ##      <p>
-@@ -4231,11 +4407,11 @@
++##	Read user untrusted files.
++## </summary>
++## <desc>
++##	<p>
++##	Read user untrusted files.
+ ##	</p>
+ ##	<p>
+ ##	This is a templated interface, and should only
+@@ -4231,11 +4411,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -32850,7 +32994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4251,10 +4427,10 @@
+@@ -4251,10 +4431,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -32863,7 +33007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4270,11 +4446,11 @@
+@@ -4270,11 +4450,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -32877,7 +33021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4289,16 +4465,16 @@
+@@ -4289,16 +4469,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -32897,7 +33041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4483,27 @@
+@@ -4307,12 +4487,27 @@
  ##	</summary>
  ## </param>
  #
@@ -32928,7 +33072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4327,13 +4518,13 @@
+@@ -4327,13 +4522,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -32946,7 +33090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4531,10 +4722,10 @@
+@@ -4531,10 +4726,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -32959,7 +33103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4551,10 +4742,10 @@
+@@ -4551,10 +4746,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -32972,7 +33116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4569,10 +4760,10 @@
+@@ -4569,10 +4764,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -32985,7 +33129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4588,10 +4779,10 @@
+@@ -4588,10 +4783,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -32998,7 +33142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4606,10 +4797,10 @@
+@@ -4606,10 +4801,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -33011,7 +33155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4625,10 +4816,10 @@
+@@ -4625,10 +4820,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -33024,7 +33168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4644,12 +4835,11 @@
+@@ -4644,12 +4839,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -33040,7 +33184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4676,10 +4866,10 @@
+@@ -4676,10 +4870,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -33053,7 +33197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4694,10 +4884,10 @@
+@@ -4694,10 +4888,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -33066,7 +33210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4712,13 +4902,13 @@
+@@ -4712,13 +4906,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -33084,7 +33228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4754,11 +4944,49 @@
+@@ -4754,11 +4948,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -33135,7 +33279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4778,6 +5006,14 @@
+@@ -4778,6 +5010,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -33150,7 +33294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4839,6 +5075,26 @@
+@@ -4839,6 +5079,26 @@
  
  ########################################
  ## <summary>
@@ -33177,7 +33321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5115,25 @@
+@@ -4859,6 +5119,25 @@
  
  ########################################
  ## <summary>
@@ -33203,7 +33347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5154,26 @@
+@@ -4879,6 +5158,26 @@
  
  ########################################
  ## <summary>
@@ -33230,7 +33374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5410,7 @@
+@@ -5115,7 +5414,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -33239,7 +33383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5599,50 @@
+@@ -5304,6 +5603,50 @@
  
  ########################################
  ## <summary>
@@ -33290,7 +33434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5848,42 @@
+@@ -5509,6 +5852,42 @@
  
  ########################################
  ## <summary>
@@ -33333,7 +33477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5559,7 +5934,7 @@
+@@ -5559,7 +5938,7 @@
  		attribute userdomain;
  	')
  
@@ -33342,7 +33486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -5674,7 +6049,7 @@
+@@ -5674,7 +6053,7 @@
  
  ########################################
  ## <summary>
@@ -33351,7 +33495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5682,18 +6057,54 @@
+@@ -5682,18 +6061,17 @@
  ##	</summary>
  ## </param>
  #
@@ -33370,13 +33514,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## <summary>
 -##	Unconfined access to user domains.  (Deprecated)
 +##	dontaudit search keys for all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5701,6 +6079,410 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_unconfined',`
+-	refpolicywarn(`$0($*) has been deprecated.')
 +interface(`userdom_dontaudit_search_all_users_keys',`
 +	gen_require(`
 +		attribute userdomain;
@@ -33407,13 +33553,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +########################################
 +## <summary>
 +##	Unconfined access to user domains.  (Deprecated)
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5704,3 +6115,370 @@
- interface(`userdom_unconfined',`
- 	refpolicywarn(`$0($*) has been deprecated.')
- ')
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_unconfined',`
++	refpolicywarn(`$0($*) has been deprecated.')
++')
 +
 +########################################
 +## <summary>
@@ -33778,7 +33927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +	netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +  ')
-+')
+ ')
 +
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
@@ -35283,47 +35432,3 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular	2008-04-04 12:06:56.000000000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- 	@echo "Compliling $(NAME) $(@F) module"
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
--	$(call perrole-expansion,$(basename $(@F)),$@.role)
--	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call perrole-expansion,$(basename $(@F)),$@.role)
-+	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- 
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- 	$(verbose) $(genperm) $(avs) $(secclass) > $@
--	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- 
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- 	$(verbose) echo "" > $@
--	$(call parse-rolemap,base,$@)
-+#	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic	2008-04-04 12:06:56.000000000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- 	@echo "Loading $(NAME) $(loadpath)"
- 	$(verbose) $(LOADPOLICY) -q $(loadpath)
- 	@touch $(tmpdir)/load
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e3744a7..b0b21db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -383,7 +383,7 @@ exit 0
 %endif
 
 %changelog
-* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-34
+* Mon Apr 14 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-35
 
 * Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33
 - Allow dhcpd to read kernel network state