diff --git a/policy-20071130.patch b/policy-20071130.patch
index c0fb315..a1d2cee 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -957,7 +957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-03 11:32:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/rpm.if 2008-01-08 08:11:14.000000000 -0500
@@ -152,6 +152,24 @@
########################################
@@ -983,7 +983,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
## Send and receive messages from
## rpm over dbus.
##
-@@ -210,6 +228,24 @@
+@@ -173,6 +191,27 @@
+
+ ########################################
+ ##
++## Send and receive messages from
++## rpm_script over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_script_dbus_chat',`
++ gen_require(`
++ type rpm_script_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 rpm_script_t:dbus send_msg;
++ allow rpm_script_t $1:dbus send_msg;
++')
++
++########################################
++##
+ ## Create, read, write, and delete the RPM log.
+ ##
+ ##
+@@ -210,6 +249,24 @@
########################################
##
@@ -1008,7 +1036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
## Create, read, write, and delete RPM
## script temporary files.
##
-@@ -225,7 +261,29 @@
+@@ -225,7 +282,29 @@
')
files_search_tmp($1)
@@ -1038,7 +1066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
-@@ -289,3 +347,137 @@
+@@ -289,3 +368,137 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1304,7 +1332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.2.5/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-03 13:47:22.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/su.if 2008-01-08 05:34:26.000000000 -0500
@@ -41,15 +41,13 @@
allow $2 $1_su_t:process signal;
@@ -1330,7 +1358,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
-@@ -172,13 +171,12 @@
+@@ -119,11 +118,6 @@
+ optional_policy(`
+ kerberos_use($1_su_t)
+ ')
+-
+- ifdef(`TODO',`
+- # Caused by su - init scripts
+- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+- ') dnl end TODO
+ ')
+
+ #######################################
+@@ -172,13 +166,12 @@
domain_interactive_fd($1_su_t)
role $3 types $1_su_t;
@@ -1347,7 +1387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
-@@ -188,7 +186,7 @@
+@@ -188,7 +181,7 @@
corecmd_shell_domtrans($1_su_t,$2)
allow $2 $1_su_t:fd use;
allow $2 $1_su_t:fifo_file rw_file_perms;
@@ -1356,7 +1396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
-@@ -203,15 +201,15 @@
+@@ -203,15 +196,15 @@
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
@@ -1375,7 +1415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
files_read_etc_files($1_su_t)
files_read_etc_runtime_files($1_su_t)
files_search_var_lib($1_su_t)
-@@ -226,12 +224,14 @@
+@@ -226,12 +219,14 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
@@ -1391,7 +1431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
-@@ -295,13 +295,7 @@
+@@ -295,13 +290,7 @@
xserver_domtrans_user_xauth($1, $1_su_t)
')
@@ -2327,8 +2367,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.5/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/gpg.te 2008-01-03 17:11:59.000000000 -0500
-@@ -7,15 +7,223 @@
++++ serefpolicy-3.2.5/policy/modules/apps/gpg.te 2008-01-08 05:15:21.000000000 -0500
+@@ -7,15 +7,225 @@
#
# Type for gpg or pgp executables.
@@ -2378,6 +2418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+allow gpg_t user_gpg_secret_t:dir create_dir_perms;
+userdom_user_home_dir_filetrans(user, gpg_t, user_gpg_secret_t, dir)
+userdom_manage_user_home_content_files(user,gpg_t)
++userdom_manage_user_tmp_files(user,gpg_t)
+
+# transition from the gpg domain to the helper domain
+domtrans_pattern(gpg_t,gpg_helper_exec_t,gpg_helper_t)
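Review bot: `userdom_manage_user_tmp_files(user,gpg_t)` gives gpg_t write access to the user's generic tmp type rather than a gpg-private one, so whatever gpg spools there shares a label with every other user tmp file and is readable by any domain that can read those. The usual refpolicy shape is a dedicated tmp type with a `files_tmp_filetrans` transition, as gssd_tmp_t is handled further down this patch. If the generic type is intentional, a one-line comment above the call recording which gpg operation needs it would keep the next reader from tightening it blindly.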
@@ -2397,6 +2438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
+dev_read_urand(gpg_t)
+
+fs_getattr_xattr_fs(gpg_t)
++fs_list_inotifyfs(gpg_t)
+
+domain_use_interactive_fds(gpg_t)
+
@@ -4364,8 +4406,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-03 14:26:07.000000000 -0500
-@@ -7,6 +7,7 @@
++++ serefpolicy-3.2.5/policy/modules/kernel/corecommands.fc 2008-01-07 11:08:14.000000000 -0500
+@@ -7,11 +7,11 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -4373,7 +4415,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -58,6 +59,8 @@
+ /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+-
+ #
+ # /dev
+ #
+@@ -58,6 +58,8 @@
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -4382,7 +4429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -127,6 +130,8 @@
+@@ -127,6 +129,8 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -4391,7 +4438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /usr
#
-@@ -147,7 +152,7 @@
+@@ -147,7 +151,7 @@
/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -4400,15 +4447,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
-@@ -186,6 +191,8 @@
+@@ -186,7 +190,10 @@
/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -284,3 +291,6 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
@@ -5003,6 +5052,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
/dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.2.5/policy/modules/kernel/storage.if
+--- nsaserefpolicy/policy/modules/kernel/storage.if 2007-10-29 18:02:31.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/kernel/storage.if 2008-01-08 06:26:10.000000000 -0500
+@@ -81,6 +81,26 @@
+
+ ########################################
+ ##
++## dontaudit the caller attempts to read from a fixed disk.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`storage_dontaudit_raw_read_fixed_disk',`
++ gen_require(`
++ attribute fixed_disk_raw_read;
++ type fixed_disk_device_t;
++ ')
++
++ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
++ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
++')
++
++########################################
++##
+ ## Allow the caller to directly read from a fixed disk.
+ ## This is extremly dangerous as it can bypass the
+ ## SELinux protections for filesystem objects, and
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.2.5/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2007-09-12 10:34:17.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/kernel/terminal.if 2007-12-19 05:38:09.000000000 -0500
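Review bot: The `gen_require` of the new `storage_dontaudit_raw_read_fixed_disk` interface declares `attribute fixed_disk_raw_read;` but the body never references it, only `fixed_disk_device_t`; drop the `attribute fixed_disk_raw_read;` line and leave only `type fixed_disk_device_t;`. The summary line `dontaudit the caller attempts to read from a fixed disk.` also reads awkwardly next to the neighbouring interface docs; `Do not audit attempts by the caller to read directly from a fixed disk.` matches the house style. Since this interface silences open/read denials on raw disk devices, the doc block would benefit from one sentence noting that callers should first confirm the denial being hidden is stat-only noise rather than an actual raw-read attempt that ought to stay visible in the audit log.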
@@ -7012,7 +7091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-30 09:53:47.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2008-01-08 10:52:45.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -7063,7 +7142,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
ifdef(`hide_broken_symptoms', `
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
-@@ -214,7 +221,7 @@
+@@ -182,6 +189,7 @@
+ optional_policy(`
+ xserver_use_xdm_fds($1_dbusd_t)
+ xserver_rw_xdm_pipes($1_dbusd_t)
++ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
+ ')
+ ')
+
+@@ -214,7 +222,7 @@
# SE-DBus specific permissions
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -7072,7 +7159,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
-@@ -251,6 +258,7 @@
+@@ -223,6 +231,10 @@
+ files_search_pids($2)
+ stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
+ dbus_read_config($2)
++
++ optional_policy(`
++ rpm_script_dbus_chat($2)
++ ')
+ ')
+
+ #######################################
+@@ -251,6 +263,7 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
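Review bot: Adding `rpm_script_dbus_chat($2)` inside `dbus_system_bus_client_template` grants every system-bus client domain bidirectional `dbus send_msg` with rpm_script_t, a domain that runs package scriptlets with very broad access, whereas the new interface in rpm.if earlier in this patch was presumably meant for the few domains that actually exchange messages with scriptlets. Consider calling it from the specific .te files that need it instead of the shared template, or at least add a comment in the template naming the use case so the breadth is not inherited silently. dbus send_msg is still mediated by the bus daemon's own configuration, so the SELinux rule is not the only control, but it is the one this patch widens.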
@@ -7080,7 +7178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
class dbus send_msg;
')
-@@ -263,6 +271,7 @@
+@@ -263,6 +276,7 @@
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
@@ -7088,7 +7186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
########################################
-@@ -292,6 +301,59 @@
+@@ -292,6 +306,59 @@
########################################
##
@@ -7148,7 +7246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration.
##
##
-@@ -366,3 +428,53 @@
+@@ -366,3 +433,53 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -7243,7 +7341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.5/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/dcc.te 2008-01-04 09:52:10.000000000 -0500
@@ -124,7 +124,7 @@
# dcc procmail interface local policy
#
@@ -7253,15 +7351,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.
allow dcc_client_t self:unix_dgram_socket create_socket_perms;
allow dcc_client_t self:udp_socket create_socket_perms;
-@@ -148,6 +148,8 @@
+@@ -148,6 +148,10 @@
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
+kernel_read_system_state(dcc_client_t)
+
++auth_use_nsswitch(dcc_client_t)
++
libs_use_ld_so(dcc_client_t)
libs_use_shared_libs(dcc_client_t)
+@@ -155,11 +159,8 @@
+
+ miscfiles_read_localization(dcc_client_t)
+
+-sysnet_read_config(dcc_client_t)
+-sysnet_dns_name_resolve(dcc_client_t)
+-
+ optional_policy(`
+- nscd_socket_use(dcc_client_t)
++ spamassassin_read_spamd_tmp_files(dcc_client_t)
+ ')
+
+ ########################################
+@@ -275,9 +276,7 @@
+ userdom_dontaudit_use_unpriv_user_fds(dccd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(dccd_t)
+
+-optional_policy(`
+- nscd_socket_use(dccd_t)
+-')
++auth_use_nsswitch(dccd_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(dccd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.5/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dictd.fc 2007-12-19 05:38:09.000000000 -0500
@@ -7730,7 +7854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-01-08 13:32:00.000000000 -0500
@@ -1,3 +1,4 @@
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
@@ -7887,7 +8011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/hal.te 2007-12-20 14:02:58.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/hal.te 2008-01-08 09:48:17.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -7940,7 +8064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
#
allow hald_acl_t self:capability { dac_override fowner };
-+allow hald_acl_t self:process signal;
++allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file read_fifo_file_perms;
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
@@ -8376,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2007-12-27 11:44:00.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500
@@ -133,6 +133,12 @@
sendmail_create_log($1_mail_t)
')
@@ -9437,6 +9561,60 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
logrotate_exec(ntpd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
+--- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500
+@@ -15,6 +15,7 @@
+ type oddjob_mkhomedir_t;
+ type oddjob_mkhomedir_exec_t;
+ domain_type(oddjob_mkhomedir_t)
++domain_obj_id_change_exemption(oddjob_mkhomedir_t)
+ init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+ oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+
+@@ -68,20 +69,38 @@
+ # oddjob_mkhomedir local policy
+ #
+
++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
++allow oddjob_mkhomedir_t self:process setfscreate;
+ allow oddjob_mkhomedir_t self:fifo_file { read write };
+ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+ files_read_etc_files(oddjob_mkhomedir_t)
+
++kernel_read_system_state(oddjob_mkhomedir_t)
++
++auth_use_nsswitch(oddjob_mkhomedir_t)
++
+ libs_use_ld_so(oddjob_mkhomedir_t)
+ libs_use_shared_libs(oddjob_mkhomedir_t)
+
++logging_send_syslog_msg(oddjob_mkhomedir_t)
++
+ miscfiles_read_localization(oddjob_mkhomedir_t)
+
++selinux_get_fs_mount(oddjob_mkhomedir_t)
++selinux_validate_context(oddjob_mkhomedir_t)
++selinux_compute_access_vector(oddjob_mkhomedir_t)
++selinux_compute_create_context(oddjob_mkhomedir_t)
++selinux_compute_relabel_context(oddjob_mkhomedir_t)
++selinux_compute_user_contexts(oddjob_mkhomedir_t)
++
++seutil_read_config(oddjob_mkhomedir_t)
++seutil_read_file_contexts(oddjob_mkhomedir_t)
++seutil_read_default_contexts(oddjob_mkhomedir_t)
++
+ # Add/remove user home directories
++userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
+ userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
+-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
+-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
+-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
+-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
++userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
++userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openct.te 2007-12-19 05:38:09.000000000 -0500
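Review bot: `userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)` looks redundant next to `userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)` added a few lines below, if the all-users interface is the superset its name suggests; one of the two should go. The hunk also widens this domain considerably: `capability { chown fowner fsetid dac_override }`, `process setfscreate`, `domain_obj_id_change_exemption` and manage rights over every user's home content together let it create arbitrarily labelled files anywhere under any home directory, not just populate new ones. A short comment above the capability line recording which mkhomedir step needs each of these would make the breadth reviewable later rather than silently inherited.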
@@ -9460,7 +9638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
/var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/openvpn.te 2008-01-08 13:31:47.000000000 -0500
@@ -8,7 +8,7 @@
##
@@ -9479,7 +9657,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
allow openvpn_t self:process { signal getsched };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -110,3 +110,12 @@
+@@ -47,6 +47,7 @@
+ allow openvpn_t openvpn_etc_t:dir list_dir_perms;
+ read_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
+ read_lnk_files_pattern(openvpn_t,openvpn_etc_t,openvpn_etc_t)
++can_exec(openvpn_t,openvpn_etc_t)
+
+ allow openvpn_t openvpn_var_log_t:file manage_file_perms;
+ logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
+@@ -77,6 +78,7 @@
+ corenet_sendrecv_openvpn_server_packets(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
+ corenet_tcp_connect_openvpn_port(openvpn_t)
++corenet_tcp_connect_http_port(openvpn_t)
+
+ dev_search_sysfs(openvpn_t)
+ dev_read_rand(openvpn_t)
+@@ -110,3 +112,12 @@
networkmanager_dbus_chat(openvpn_t)
')
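Review bot: `can_exec(openvpn_t,openvpn_etc_t)` lets the daemon execute anything labelled with its configuration type, so the policy can no longer distinguish read-only config from the up/down scripts that presumably motivated it, and any file that lands in the config directory with that label becomes executable code in openvpn_t. A dedicated exec type for the scripts, or labelling them bin_t and relying on `corecmd_exec_bin`, keeps that distinction; if the blanket rule is the deliberate choice, a comment above it naming the scripts it is for would help. `corenet_tcp_connect_http_port(openvpn_t)` similarly deserves a one-line comment (HTTP proxy support, presumably) since it opens an outbound port unrelated to the VPN protocol itself.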
@@ -10077,8 +10271,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-03 10:56:43.000000000 -0500
-@@ -129,7 +129,9 @@
++++ serefpolicy-3.2.5/policy/modules/services/procmail.te 2008-01-08 11:05:41.000000000 -0500
+@@ -102,6 +102,10 @@
+ ')
+
+ optional_policy(`
++ cron_read_pipes(procmail_t)
++')
++
++optional_policy(`
+ munin_dontaudit_search_lib(procmail_t)
+ ')
+
+@@ -129,7 +133,9 @@
corenet_udp_bind_generic_port(procmail_t)
corenet_dontaudit_udp_bind_all_ports(procmail_t)
@@ -10167,6 +10372,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
+--- nsaserefpolicy/policy/modules/services/qmail.te 2007-10-02 09:54:52.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/services/qmail.te 2008-01-07 16:36:33.000000000 -0500
+@@ -85,6 +85,8 @@
+ libs_use_ld_so(qmail_inject_t)
+ libs_use_shared_libs(qmail_inject_t)
+
++miscfiles_read_localization(qmail_inject_t)
++
+ qmail_read_config(qmail_inject_t)
+
+ ########################################
+@@ -106,15 +108,25 @@
+
+ kernel_read_system_state(qmail_local_t)
+
++corecmd_exec_bin(qmail_local_t)
+ corecmd_exec_shell(qmail_local_t)
++can_exec(qmail_local_t, qmail_local_exec_t)
+
+ files_read_etc_files(qmail_local_t)
+ files_read_etc_runtime_files(qmail_local_t)
+
++auth_use_nsswitch(qmail_local_t)
++
++logging_send_syslog(qmail_local_t)
++
+ mta_append_spool(qmail_local_t)
+
+ qmail_domtrans_queue(qmail_local_t)
+
++optional_policy(`
++ spamassassin_domtrans_spamc(qmail_local_t)
++')
++
+ ########################################
+ #
+ # qmail-lspawn local policy
+@@ -155,6 +167,10 @@
+ manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+ rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
+
++corecmd_exec_bin(qmail_queue_t)
++
++logging_send_syslog(qmail_queue_t)
++
+ optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc 2007-12-19 05:38:09.000000000 -0500
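Review bot: `logging_send_syslog(qmail_local_t)` and `logging_send_syslog(qmail_queue_t)` do not match the interface name used everywhere else in this patch, `logging_send_syslog_msg` (see the su.if, oddjob.te and samba.te hunks); unless a `logging_send_syslog` interface exists that is not visible here, m4 will leave the call unexpanded and the module will fail to build. The two lines should read `logging_send_syslog_msg(qmail_local_t)` and `logging_send_syslog_msg(qmail_queue_t)`. `can_exec(qmail_local_t, qmail_local_exec_t)` is also worth a one-line comment saying why qmail-local re-executes its own binary without a domain transition.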
@@ -10364,7 +10618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/rpc.te 2008-01-08 06:24:04.000000000 -0500
@@ -60,10 +60,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -10399,13 +10653,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
########################################
#
# NFSD local policy
-@@ -92,9 +102,13 @@
+@@ -92,9 +102,16 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
++dev_read_lvm_control(nfsd_t)
++storage_dontaudit_raw_read_fixed_disk(nfsd_t)
++
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
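Review bot: `storage_dontaudit_raw_read_fixed_disk(nfsd_t)` suppresses denials for open/read on raw fixed-disk devices by a network-facing daemon, which removes the audit evidence that would otherwise flag a real attempt; the `dev_dontaudit_getattr_all_blk_files` call just above already covers stat-only noise, so the new call is only warranted if the observed denial is genuinely open or read. A comment above the call naming the denial being silenced (which nfsd code path touches the device) would let a later reviewer judge whether it is still needed, and `dev_read_lvm_control(nfsd_t)` would benefit from the same.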
@@ -10413,7 +10670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -124,6 +138,7 @@
+@@ -124,6 +141,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -10421,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
-@@ -144,6 +159,7 @@
+@@ -144,6 +162,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -10429,7 +10686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -157,8 +173,13 @@
+@@ -157,8 +176,13 @@
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
@@ -10584,7 +10841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/samba.if 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/samba.if 2008-01-08 13:39:02.000000000 -0500
@@ -331,6 +331,25 @@
########################################
@@ -10619,7 +10876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
-@@ -492,3 +512,102 @@
+@@ -492,3 +512,103 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -10669,6 +10926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ type samba_share_t;
+ ')
+
++ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
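Review bot: `allow $1 samba_share_t:filesystem getattr;` uses the filesystem class against a file type, which only has an effect for a superblock that actually carries that label — presumably shares mounted with a `context=` option of samba_share_t so that statfs on them succeeds; the same rule appears for smbd_t in the samba.te hunk further down. A comment such as `# statfs on shares mounted with context=samba_share_t` above both rules would record that assumption, and if that is not the intent the rule is a no-op worth dropping.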
@@ -10724,7 +10982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-08 13:40:20.000000000 -0500
@@ -26,28 +26,28 @@
##
@@ -10801,7 +11059,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow smbd_t samba_net_tmp_t:file getattr;
-@@ -251,7 +256,7 @@
+@@ -234,6 +239,7 @@
+ manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
+ manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
+ manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
++allow smbd_t samba_share_t:filesystem getattr;
+
+ manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
+ manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
+@@ -251,7 +257,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@@ -10810,7 +11076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -340,6 +345,17 @@
+@@ -340,6 +346,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -10828,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
optional_policy(`
-@@ -391,7 +407,7 @@
+@@ -391,7 +408,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -10837,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +419,7 @@
+@@ -403,8 +420,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -10847,7 +11113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +454,7 @@
+@@ -439,6 +455,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -10855,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +538,7 @@
+@@ -522,6 +539,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -10863,7 +11129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_list_bin(smbmount_t)
-@@ -546,28 +563,37 @@
+@@ -546,28 +564,37 @@
userdom_use_all_users_fds(smbmount_t)
@@ -10908,7 +11174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +603,9 @@
+@@ -577,7 +604,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -10919,7 +11185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -602,6 +630,7 @@
+@@ -602,6 +631,7 @@
dev_read_urand(swat_t)
@@ -10927,7 +11193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
files_read_etc_files(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
-@@ -614,6 +643,7 @@
+@@ -614,6 +644,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -10935,7 +11201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -631,6 +661,17 @@
+@@ -631,6 +662,17 @@
kerberos_use(swat_t)
')
@@ -10953,7 +11219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# Winbind local policy
-@@ -679,6 +720,8 @@
+@@ -679,6 +721,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -10962,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -766,6 +809,7 @@
+@@ -766,6 +810,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -10970,7 +11236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
########################################
-@@ -790,3 +834,37 @@
+@@ -790,3 +835,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -11223,7 +11489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-08 06:17:24.000000000 -0500
@@ -27,8 +27,8 @@
# setroubleshootd local policy
#
@@ -11245,16 +11511,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -73,7 +75,7 @@
+@@ -68,13 +70,17 @@
+
+ dev_read_urand(setroubleshootd_t)
+ dev_read_sysfs(setroubleshootd_t)
++dev_getattr_all_blk_files(setroubleshootd_t)
++dev_getattr_all_chr_files(setroubleshootd_t)
+
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
files_read_usr_files(setroubleshootd_t)
files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
++files_getattr_all_pipes(setroubleshootd_t)
++files_getattr_all_sockets(setroubleshootd_t)
fs_getattr_all_dirs(setroubleshootd_t)
-@@ -110,6 +112,7 @@
+ fs_getattr_all_files(setroubleshootd_t)
+@@ -110,6 +116,7 @@
optional_policy(`
dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
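Review bot: The four added grants (`dev_getattr_all_blk_files`, `dev_getattr_all_chr_files`, `files_getattr_all_pipes`, `files_getattr_all_sockets`) give setroubleshootd_t stat access to every device node, pipe and socket on the system with no comment saying why, so a later reader cannot tell which denial they answer. A one-line rationale above the block would keep them from being trimmed, e.g. `# stat the target object named in an AVC denial while building a report -- confirm`. If a narrower interface covers the objects setroubleshootd actually inspects, it is preferable to the all_* variants. The setroubleshootd_t policy block starts and ends outside the hunk.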
@@ -12584,7 +12860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-03 16:24:11.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-08 11:18:17.000000000 -0500
@@ -15,6 +15,7 @@
template(`xserver_common_domain_template',`
gen_require(`
@@ -13158,7 +13434,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -974,6 +1041,37 @@
+@@ -937,7 +1004,7 @@
+
+ ########################################
+ ##
+-## Read XDM var lib files.
++## dontaudit search of XDM var lib directories.
+ ##
+ ##
+ ##
+@@ -945,12 +1012,12 @@
+ ##
+ ##
+ #
+-interface(`xserver_read_xdm_lib_files',`
++interface(`xserver_dontaudit_xdm_lib_search',`
+ gen_require(`
+ type xdm_var_lib_t;
+ ')
+
+- allow $1 xdm_var_lib_t:file { getattr read };
++ dontaudit $1 xdm_var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -965,15 +1032,47 @@
+ #
+ interface(`xserver_domtrans_xdm_xserver',`
+ gen_require(`
+- type xdm_xserver_t, xserver_exec_t;
++ type xdm_xserver_t, xserver_exec_t, xdm_t;
+ ')
+
+ allow $1 xdm_xserver_t:process siginh;
++ allow xdm_t $1:process sigchld;
+ domtrans_pattern($1,xserver_exec_t,xdm_xserver_t)
+ ')
########################################
##
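Review bot: The new `allow xdm_t $1:process sigchld;` inside xserver_domtrans_xdm_xserver hard-codes xdm_t, which is neither the caller nor the transition target of this interface, and nothing in the hunk says why the caller needs a sigchld from xdm_t (domtrans_pattern already covers the child-to-parent sigchld from xdm_xserver_t, if I recall refpolicy's misc_patterns correctly). A why-comment on that line would help, e.g. `# xdm also signals the caller when the X server it spawned exits -- confirm against xdm.te`. Separately, xserver_read_xdm_lib_files is renamed to xserver_dontaudit_xdm_lib_search with a different effect (dontaudit dir search instead of allow file read), and the old name is removed rather than kept as a deprecated stub with refpolicywarn, so any out-of-tree caller will fail to build; the interface rename is not mentioned in the changelog either. The hunk ends inside the documentation of the following interface.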
@@ -13196,7 +13507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -1123,7 +1221,7 @@
+@@ -1123,7 +1222,7 @@
type xdm_xserver_tmp_t;
')
@@ -13205,7 +13516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1312,3 +1410,45 @@
+@@ -1312,3 +1411,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -14276,7 +14587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/init.te 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-08 13:52:56.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -14430,7 +14741,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -729,6 +765,11 @@
+@@ -708,9 +744,11 @@
+ squid_manage_logs(initrc_t)
+ ')
+
+-optional_policy(`
+- # allow init scripts to su
+- su_restricted_domain_template(initrc,initrc_t,system_r)
++ifndef(`targeted_policy',`
++ optional_policy(`
++ # allow init scripts to su
++ su_restricted_domain_template(initrc,initrc_t,system_r)
++ ')
+ ')
+
+ optional_policy(`
+@@ -729,6 +767,11 @@
uml_setattr_util_sockets(initrc_t)
')
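Review bot: The new `ifndef(`targeted_policy',` guard removes the initrc su transition from targeted policy without a comment explaining why targeted is exempt, so the next reader cannot tell whether this is a workaround for a build problem or intended behaviour. Suggest a comment above the guard such as `# not applied in targeted policy: <REASON -- fill in>`. The optional_policy block around uml_setattr_util_sockets continues outside the hunk.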
@@ -14442,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
unconfined_domain(initrc_t)
-@@ -743,6 +784,10 @@
+@@ -743,6 +786,10 @@
')
optional_policy(`
@@ -16552,7 +16878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-03 16:34:20.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-08 05:05:58.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -19565,8 +19891,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-03 17:06:13.000000000 -0500
-@@ -0,0 +1,31 @@
++++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-08 05:06:18.000000000 -0500
+@@ -0,0 +1,34 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@@ -19574,6 +19900,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
+
++domain_read_all_domains_state(staff_t)
++domain_getattr_all_domains(staff_t)
++
+optional_policy(`
+ xserver_per_role_template(staff, staff_t, staff_r)
+')
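Review bot: `domain_read_all_domains_state(staff_t)` and `domain_getattr_all_domains(staff_t)` presumably let an ordinary staff session read the /proc state of every domain on the box rather than only its own, which is a visibility widening worth a one-line rationale next to the rules, e.g. `# ps/top across all processes -- confirm`. If process listing is the only need, check whether a narrower domain_* interface covers it before granting read of all domains' state. The module body continues beyond the hunk.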
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a870114..fb26e1d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -306,19 +306,20 @@ fi
exit 0
-%triggerpostun targeted -- selinux-policy-targeted < 3.2.4-3.fc9
+%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
setsebool -P use_nfs_home_dirs=1
semanage user -l | grep -s unconfined_u
if [ $? == 0 ]; then
- semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+ semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
else
- semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
+ semanage user -a -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
fi
seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__
seuser=`semanage login -l | grep root | awk '{ print $2 }'`
[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 root
restorecon -R /root /etc/selinux/targeted 2> /dev/null
+semodule -r qmail 2> /dev/null
exit 0
%files targeted
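Review bot: `semodule -r qmail 2> /dev/null` is a new side effect of the targeted trigger with no comment and no changelog line explaining why the qmail module is removed on upgrade, and the redirect hides any failure; add `# remove the obsolete qmail module: <REASON -- fill in>` above it so the removal can be traced later. Bumping the trigger to `< 3.2.5-9.fc9` also re-runs the unchanged `[ $seuser == "system_u" ]` tests, which error out instead of evaluating false when the grep returns nothing; quoting as `[ "$seuser" == "system_u" ]` would make that part of the scriptlet safe. The two `semanage user` lines now differ only in `-m` versus `-a`, which is fine, but their stderr is discarded as well, so a failing modify goes unnoticed.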
@@ -386,6 +387,9 @@ exit 0
%endif
%changelog
+* Mon Jan 7 2008 Dan Walsh 3.2.5-9
+- Update gpg to allow reading of inotify
+
* Wed Jan 2 2008 Dan Walsh 3.2.5-8
- Change user and staff roles to work correctly with varied perms