diff --git a/modules-targeted.conf b/modules-targeted.conf
index 6a4d3f4..cadf2fa 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1648,3 +1648,10 @@ kerneloops = module
#
openoffice = base
+# Layer: services
+# Module: podsleuth
+#
+# Podsleuth probes, identifies, and exposes properties and metadata bound to iPods.
+#
+podsleuth = module
+
diff --git a/policy-20071130.patch b/policy-20071130.patch
index bca837b..7b320e4 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -3117,7 +3117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/evolutio
nscd_socket_use($1_evolution_webcal_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if serefpolicy-3.3.1/policy/modules/apps/games.if
--- nsaserefpolicy/policy/modules/apps/games.if 2007-10-12 08:56:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/games.if 2008-04-21 11:02:48.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/games.if 2008-04-30 13:16:27.000000000 -0400
@@ -146,7 +146,7 @@
')
@@ -3127,6 +3127,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/games.if
xserver_create_xdm_tmp_sockets($1_games_t)
xserver_read_xdm_lib_files($1_games_t)
')
+@@ -165,3 +165,23 @@
+ ')
+ ')
+ ')
++
++########################################
++##
++## Allow the specified domain to read/write
++## games data.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`games_rw_data',`
++ gen_require(`
++ type games_data_t;
++ ')
++
++ rw_files_pattern($1,games_data_t, games_data_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gift.fc serefpolicy-3.3.1/policy/modules/apps/gift.fc
--- nsaserefpolicy/policy/modules/apps/gift.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/gift.fc 2008-04-21 11:02:48.000000000 -0400
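Review bot: `rw_files_pattern($1,games_data_t, games_data_t)` mixes two spacing styles inside one call; the other interfaces in this patch separate every argument with `, ` (for example `domtrans_pattern($1, mono_exec_t, mono_t)` in mono.if), so write `rw_files_pattern($1, games_data_t, games_data_t)`. The only caller this commit adds is `games_rw_data($1_usertype)` in userdomain.if, which hands write access to games_data_t to every domain carrying the user attribute rather than to the games domain alone; a one-line comment above the interface explaining why general user domains need to write game data would document that widening for the next reviewer.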
@@ -3239,7 +3263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.3.1/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-29 09:37:23.004992000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/gnome.if 2008-04-29 09:37:23.000000000 -0400
@@ -33,9 +33,60 @@
##
#
@@ -4522,8 +4546,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
+userdom_dontaudit_list_sysadm_home_dirs(loadkeys_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.3.1/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-01-02 12:57:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-04-29 11:57:14.653875000 -0400
-@@ -18,3 +18,102 @@
++++ serefpolicy-3.3.1/policy/modules/apps/mono.if 2008-05-06 11:03:56.500459000 -0400
+@@ -18,3 +18,122 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
')
@@ -4626,6 +4650,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+ corecmd_bin_domtrans($1_mono_t, $1_t)
+')
++
++########################################
++##
++## Execute the mono program in the mono domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mono_exec',`
++ gen_require(`
++ type mono_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, mono_exec_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-12-19 05:32:09.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/mono.te 2008-04-21 11:02:48.000000000 -0400
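Review bot: The summary `## Execute the mono program in the mono domain.` contradicts the body: `can_exec($1, mono_exec_t)` lets the caller run mono_exec_t without a domain transition, so execution stays in the caller's domain, whereas the interface just above (`domtrans_pattern($1, mono_exec_t, mono_t)`) is the one that enters mono_t. Change the summary to `## Execute the mono program in the caller's domain (no domain transition).` and add a sentence noting that any runtime permissions mono needs are therefore charged to the calling domain, which is what the new podsleuth_t caller later in this patch relies on.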
@@ -8881,7 +8925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-21 11:02:48.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-30 13:15:30.000000000 -0400
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -13212,7 +13256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-29 10:45:04.731105000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-04-29 10:45:04.000000000 -0400
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -18871,6 +18915,120 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
rpm_exec(pegasus_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.fc serefpolicy-3.3.1/policy/modules/services/podsleuth.fc
+--- nsaserefpolicy/policy/modules/services/podsleuth.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.fc 2008-05-06 10:38:33.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.if serefpolicy-3.3.1/policy/modules/services/podsleuth.if
+--- nsaserefpolicy/policy/modules/services/podsleuth.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.if 2008-05-06 10:38:33.000000000 -0400
+@@ -0,0 +1,54 @@
++
++## policy for podsleuth
++
++########################################
++##
++## Execute a domain transition to run podsleuth.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`podsleuth_domtrans',`
++ gen_require(`
++ type podsleuth_t;
++ type podsleuth_exec_t;
++ ')
++
++ domtrans_pattern($1,podsleuth_exec_t,podsleuth_t)
++')
++
++
++########################################
++##
++## Execute podsleuth in the podsleuth domain, and
++## allow the specified role the podsleuth domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the podsleuth domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`podsleuth_run',`
++ gen_require(`
++ type podsleuth_t;
++ ')
++
++ podsleuth_domtrans($1)
++ role $2 types podsleuth_t;
++ dontaudit podsleuth_t $3:chr_file rw_term_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/podsleuth.te serefpolicy-3.3.1/policy/modules/services/podsleuth.te
+--- nsaserefpolicy/policy/modules/services/podsleuth.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/podsleuth.te 2008-05-06 10:48:34.000000000 -0400
+@@ -0,0 +1,46 @@
++policy_module(podsleuth,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type podsleuth_t;
++type podsleuth_exec_t;
++application_domain(podsleuth_t, podsleuth_exec_t)
++role system_r types podsleuth_t;
++
++########################################
++#
++# podsleuth local policy
++#
++allow podsleuth_t self:process { ptrace signal getsched execheap execmem };
++
++## internal communication is often done using fifo and unix sockets.
++allow podsleuth_t self:fifo_file rw_file_perms;
++allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
++
++dev_read_urand(podsleuth_t)
++
++kernel_read_system_state(podsleuth_t)
++
++files_read_etc_files(podsleuth_t)
++
++libs_use_ld_so(podsleuth_t)
++libs_use_shared_libs(podsleuth_t)
++
++miscfiles_read_localization(podsleuth_t)
++
++mono_exec(podsleuth_t)
++hal_dbus_chat(podsleuth_t)
++
++optional_policy(`
++ dbus_system_bus_client_template(podsleuth,podsleuth_t)
++')
++
++gen_require(`
++ type hald_t;
++')
++
++podsleuth_domtrans(hald_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.3.1/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/polkit.fc 2008-04-28 15:14:56.000000000 -0400
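Review bot: podsleuth.te ends with a module-scope `gen_require(` / `type hald_t;` / `')` followed by `podsleuth_domtrans(hald_t)`, and `mono_exec(podsleuth_t)` and `hal_dbus_chat(podsleuth_t)` are likewise called outside `optional_policy(`, while the dbus call a few lines above is wrapped; if the hal or mono module is not installed the podsleuth module presumably fails to link. Wrap the hal and mono calls in `optional_policy(` ... `')` as done for dbus, and place the hald_t transition where hal's own policy is defined (a `podsleuth_domtrans(hald_t)` inside optional_policy in hal.te) instead of requiring hald_t here. The line `allow podsleuth_t self:process { ptrace signal getsched execheap execmem };` gives a system_r service self-ptrace plus executable heap and anonymous memory; a comment stating which of these the mono runtime actually needs, and dropping the rest, would keep the domain at least privilege. podsleuth.fc also opens with a blank line that the other fc files in this patch do not have.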
@@ -25256,7 +25414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-29 09:37:38.934561000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-29 09:37:38.000000000 -0400
@@ -12,9 +12,15 @@
##
##
@@ -26632,7 +26790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-29 11:09:45.700467000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-04-29 11:09:45.000000000 -0400
@@ -8,6 +8,14 @@
##
@@ -27516,7 +27674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-29 10:58:08.742336000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-04-29 10:58:08.000000000 -0400
@@ -99,7 +99,7 @@
template(`authlogin_per_role_template',`
@@ -27735,7 +27893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-04-21 11:02:50.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-05-05 13:39:12.000000000 -0400
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -27779,7 +27937,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_t)
-@@ -282,6 +295,11 @@
+@@ -155,6 +168,8 @@
+ dev_read_sysfs(pam_console_t)
+ dev_getattr_apm_bios_dev(pam_console_t)
+ dev_setattr_apm_bios_dev(pam_console_t)
++dev_getattr_cpu_dev(pam_console_t)
++dev_setattr_cpu_dev(pam_console_t)
+ dev_getattr_dri_dev(pam_console_t)
+ dev_setattr_dri_dev(pam_console_t)
+ dev_getattr_input_dev(pam_console_t)
+@@ -179,6 +194,10 @@
+ dev_setattr_video_dev(pam_console_t)
+ dev_getattr_xserver_misc_dev(pam_console_t)
+ dev_setattr_xserver_misc_dev(pam_console_t)
++
++dev_getattr_all_chr_files(pam_console_t)
++dev_setattr_all_chr_files(pam_console_t)
++
+ dev_read_urand(pam_console_t)
+
+ mls_file_read_all_levels(pam_console_t)
+@@ -282,6 +301,11 @@
')
')
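Review bot: `dev_getattr_all_chr_files(pam_console_t)` and `dev_setattr_all_chr_files(pam_console_t)` appear to subsume the per-device getattr/setattr pairs around them, including the `dev_getattr_cpu_dev`/`dev_setattr_cpu_dev` lines this same hunk adds a few lines earlier, so the enumerated list no longer bounds what pam_console can relabel or chown. Either drop the two `_all_chr_files` calls and keep adding specific device interfaces as they are needed, or, if the blanket grant is the intent, remove the now-redundant per-device lines and put a comment above it such as `# pam_console changes ownership of every console device node; per-device interfaces are no longer maintained` so the widening is deliberate rather than accidental.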
@@ -27791,7 +27969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# updpwd local policy
-@@ -297,8 +315,10 @@
+@@ -297,8 +321,10 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
@@ -27803,7 +27981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
-@@ -359,11 +379,6 @@
+@@ -359,11 +385,6 @@
')
optional_policy(`
@@ -28850,7 +29028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-29 08:53:40.798973000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-29 08:53:40.000000000 -0400
@@ -213,12 +213,7 @@
##
#
@@ -29316,7 +29494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-29 08:38:10.482745000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te 2008-04-29 08:38:10.000000000 -0400
@@ -22,7 +22,7 @@
role system_r types lvm_t;
@@ -29627,7 +29805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-29 08:36:55.595920000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-04-29 08:36:55.000000000 -0400
@@ -22,6 +22,8 @@
type insmod_exec_t;
application_domain(insmod_t,insmod_exec_t)
@@ -29951,8 +30129,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.f
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
--- nsaserefpolicy/policy/modules/system/qemu.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-04-21 11:02:50.000000000 -0400
-@@ -0,0 +1,303 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2008-05-06 13:00:22.930868000 -0400
+@@ -0,0 +1,304 @@
+
+## policy for qemu
+
@@ -30252,13 +30430,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i
+ optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_t)
+ xserver_read_xdm_tmp_files($1_t)
++ xserver_read_xdm_pid($1_t)
+ xserver_xdm_rw_shm($1_t)
+ ')
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
--- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-04-28 16:14:23.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/qemu.te 2008-05-06 12:59:56.894791000 -0400
@@ -0,0 +1,49 @@
+policy_module(qemu,1.0.0)
+
@@ -30311,7 +30490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-29 08:35:21.523317000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/raid.te 2008-04-29 08:35:21.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@@ -31177,7 +31356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.3.1/policy/modules/system/udev.if
--- nsaserefpolicy/policy/modules/system/udev.if 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-29 08:34:43.098742000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/udev.if 2008-04-29 08:34:43.000000000 -0400
@@ -96,6 +96,24 @@
########################################
@@ -31291,8 +31470,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.3.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-04-21 11:02:50.000000000 -0400
-@@ -2,15 +2,16 @@
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.fc 2008-05-06 11:32:14.189425000 -0400
+@@ -2,15 +2,18 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
@@ -31313,6 +31492,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/bin/livecd-creator -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-04-25 13:52:57.000000000 -0400
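Review bot: Both new file contexts write `beam.smp` with an unescaped `.`, while the other fc entries in this patch escape literal dots (for example `/etc/rc\.d/init\.d/httpd`); in a file-context regex an unescaped dot matches any character, so write `beam\.smp` in both lines, e.g. `/usr/lib64/erlang/erts-[^/]+/bin/beam\.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)` and its `/usr/lib/` twin. The practical effect is small here, but the inconsistency is the kind that gets copied into later entries.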
@@ -31660,7 +31841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-29 12:04:03.912060000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-29 12:04:03.000000000 -0400
@@ -6,35 +6,74 @@
# Declarations
#
@@ -32003,7 +32184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-29 10:58:27.618425000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-04-30 13:19:45.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -33117,7 +33298,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1193,12 +1204,11 @@
+@@ -1182,23 +1193,16 @@
+ ')
+ ')
+
+- tunable_policy(`user_dmesg',`
+- kernel_read_ring_buffer($1_t)
+- ',`
+- kernel_dontaudit_read_ring_buffer($1_t)
+- ')
+-
+ # Allow users to run TCP servers (bind to ports and accept connection from
+ # the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
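Review bot: Nothing in this hunk replaces either branch of the removed `tunable_policy(\`user_dmesg',...)` block, so the `kernel_read_ring_buffer($1_t)` grant and its `kernel_dontaudit_read_ring_buffer($1_t)` fallback both disappear from the user template. If the `user_dmesg` boolean is still declared elsewhere (presumably a `gen_tunable` in userdomain.te, not visible here) it becomes a no-op that still shows up in boolean listings, and users lose the documented way to read the kernel ring buffer; either state in the commit message where this access moved or remove the tunable declaration in the same change. The enclosing template starts and ends outside this hunk.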
@@ -33128,15 +33320,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ hal_dbus_chat($1_t)
++ hal_dbus_chat($1_usertype)
')
# Run pppd in pppd_t by default for user
-@@ -1207,7 +1217,27 @@
+@@ -1207,7 +1211,31 @@
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ games_rw_data($1_usertype)
++ ')
++
++ optional_policy(`
+ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
+ ')
+
@@ -33161,7 +33357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1284,8 +1314,6 @@
+@@ -1284,8 +1312,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -33170,7 +33366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1307,8 +1335,6 @@
+@@ -1307,8 +1333,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -33179,7 +33375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1363,13 +1389,6 @@
+@@ -1363,13 +1387,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -33193,7 +33389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1441,7 @@
+@@ -1422,6 +1439,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -33201,7 +33397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1807,14 @@
+@@ -1787,10 +1805,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -33217,7 +33413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1886,11 +1910,11 @@
+@@ -1886,11 +1908,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -33231,7 +33427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1920,11 +1944,11 @@
+@@ -1920,11 +1942,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -33245,7 +33441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1968,12 +1992,12 @@
+@@ -1968,12 +1990,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -33261,7 +33457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2003,10 +2027,11 @@
+@@ -2003,10 +2025,11 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -33275,7 +33471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2038,11 +2063,47 @@
+@@ -2038,11 +2061,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -33325,7 +33521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2074,10 +2135,10 @@
+@@ -2074,10 +2133,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -33338,7 +33534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2107,11 +2168,11 @@
+@@ -2107,11 +2166,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -33352,7 +33548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2141,11 +2202,11 @@
+@@ -2141,11 +2200,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -33367,7 +33563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2175,10 +2236,14 @@
+@@ -2175,10 +2234,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -33384,7 +33580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2208,11 +2273,11 @@
+@@ -2208,11 +2271,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -33398,7 +33594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2242,11 +2307,11 @@
+@@ -2242,11 +2305,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -33412,7 +33608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2276,10 +2341,10 @@
+@@ -2276,10 +2339,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -33425,7 +33621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2311,12 +2376,12 @@
+@@ -2311,12 +2374,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -33441,7 +33637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2348,10 +2413,10 @@
+@@ -2348,10 +2411,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -33454,7 +33650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2383,12 +2448,12 @@
+@@ -2383,12 +2446,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -33470,7 +33666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2420,12 +2485,12 @@
+@@ -2420,12 +2483,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -33486,7 +33682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2457,12 +2522,12 @@
+@@ -2457,12 +2520,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -33502,7 +33698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2507,11 +2572,11 @@
+@@ -2507,11 +2570,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -33516,7 +33712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2556,11 +2621,11 @@
+@@ -2556,11 +2619,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -33530,7 +33726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2600,11 +2665,11 @@
+@@ -2600,11 +2663,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -33544,7 +33740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2634,11 +2699,11 @@
+@@ -2634,11 +2697,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -33558,7 +33754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2668,11 +2733,11 @@
+@@ -2668,11 +2731,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -33572,7 +33768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2704,10 +2769,10 @@
+@@ -2704,10 +2767,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -33585,7 +33781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2739,10 +2804,10 @@
+@@ -2739,10 +2802,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -33598,7 +33794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2772,12 +2837,12 @@
+@@ -2772,12 +2835,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -33614,7 +33810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2809,10 +2874,10 @@
+@@ -2809,10 +2872,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -33627,7 +33823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2844,10 +2909,48 @@
+@@ -2844,10 +2907,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -33678,7 +33874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2877,12 +2980,12 @@
+@@ -2877,12 +2978,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -33694,7 +33890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2914,10 +3017,10 @@
+@@ -2914,10 +3015,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -33707,7 +33903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2949,12 +3052,12 @@
+@@ -2949,12 +3050,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -33723,7 +33919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2986,11 +3089,11 @@
+@@ -2986,11 +3087,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -33737,7 +33933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3022,11 +3125,11 @@
+@@ -3022,11 +3123,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -33751,7 +33947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3058,11 +3161,11 @@
+@@ -3058,11 +3159,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -33765,7 +33961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3094,11 +3197,11 @@
+@@ -3094,11 +3195,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -33779,7 +33975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3130,11 +3233,11 @@
+@@ -3130,11 +3231,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -33793,7 +33989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3179,10 +3282,10 @@
+@@ -3179,10 +3280,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -33806,7 +34002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3223,10 +3326,10 @@
+@@ -3223,10 +3324,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -33819,7 +34015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3254,24 +3357,24 @@
+@@ -3254,24 +3355,24 @@
##
##
#
@@ -33848,7 +34044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -3290,23 +3393,24 @@
+@@ -3290,23 +3391,24 @@
##
##
#
@@ -33880,25 +34076,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
## This is a templated interface, and should only
-@@ -3321,18 +3425,89 @@
+@@ -3321,7 +3423,78 @@
##
##
##
-## Domain to not audit.
+## Domain allowed access.
- ##
- ##
- #
--template(`userdom_dontaudit_list_user_untrusted_content',`
++##
++##
++#
+template(`userdom_delete_user_tmpfs_files',`
- gen_require(`
-- type $1_untrusted_content_t;
++ gen_require(`
+ type $1_tmpfs_t;
- ')
-
-- dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
--')
--
++ ')
++
+ fs_search_tmpfs($2)
+ allow $2 $1_tmpfs_t:dir list_dir_perms;
+ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
@@ -33962,21 +34153,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+##
+##
+## Domain to not audit.
-+##
-+##
-+#
-+template(`userdom_dontaudit_list_user_untrusted_content',`
-+ gen_require(`
-+ type $1_untrusted_content_t;
-+ ')
-+
-+ dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
-+')
-+
- ########################################
- ##
- ## Read user untrusted files.
-@@ -4231,11 +4406,11 @@
+ ##
+ ##
+ #
+@@ -4231,11 +4404,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -33990,7 +34170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4251,10 +4426,10 @@
+@@ -4251,10 +4424,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -34003,7 +34183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4270,11 +4445,11 @@
+@@ -4270,11 +4443,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -34017,7 +34197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4289,16 +4464,16 @@
+@@ -4289,16 +4462,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -34037,7 +34217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory.
##
##
-@@ -4307,12 +4482,35 @@
+@@ -4307,12 +4480,35 @@
##
##
#
@@ -34076,7 +34256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4327,13 +4525,13 @@
+@@ -4327,13 +4523,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -34094,7 +34274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4531,10 +4729,10 @@
+@@ -4531,10 +4727,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -34107,7 +34287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4551,10 +4749,10 @@
+@@ -4551,10 +4747,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -34120,7 +34300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4569,10 +4767,10 @@
+@@ -4569,10 +4765,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -34133,7 +34313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4588,10 +4786,10 @@
+@@ -4588,10 +4784,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -34146,7 +34326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4606,10 +4804,10 @@
+@@ -4606,10 +4802,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -34159,7 +34339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4625,10 +4823,10 @@
+@@ -4625,10 +4821,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -34172,7 +34352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4644,12 +4842,11 @@
+@@ -4644,12 +4840,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -34188,7 +34368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4676,10 +4873,10 @@
+@@ -4676,10 +4871,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -34201,7 +34381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4694,10 +4891,10 @@
+@@ -4694,10 +4889,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -34214,7 +34394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4712,13 +4909,13 @@
+@@ -4712,13 +4907,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -34232,7 +34412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4754,11 +4951,49 @@
+@@ -4754,11 +4949,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -34283,7 +34463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4778,6 +5013,14 @@
+@@ -4778,6 +5011,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -34298,7 +34478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4839,6 +5082,26 @@
+@@ -4839,6 +5080,26 @@
########################################
##
@@ -34325,7 +34505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all directories
## in all users home directories.
##
-@@ -4859,6 +5122,25 @@
+@@ -4859,6 +5120,25 @@
########################################
##
@@ -34351,7 +34531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4879,6 +5161,26 @@
+@@ -4879,6 +5159,26 @@
########################################
##
@@ -34378,7 +34558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all symlinks
## in all users home directories.
##
-@@ -5115,7 +5417,7 @@
+@@ -5115,7 +5415,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -34387,7 +34567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5304,6 +5606,63 @@
+@@ -5304,6 +5604,63 @@
########################################
##
@@ -34451,7 +34631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in
## unprivileged users home directories.
##
-@@ -5509,7 +5868,7 @@
+@@ -5509,7 +5866,7 @@
########################################
##
@@ -34460,7 +34640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5517,18 +5876,17 @@
+@@ -5517,18 +5874,17 @@
##
##
#
@@ -34483,7 +34663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5536,17 +5894,17 @@
+@@ -5536,17 +5892,17 @@
##
##
#
@@ -34505,7 +34685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
##
##
-@@ -5554,12 +5912,49 @@
+@@ -5554,19 +5910,56 @@
##
##
#
@@ -34517,11 +34697,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
- read_files_pattern($1,userdomain,userdomain)
+- kernel_search_proc($1)
+ allow $1 user_ttynode:chr_file rw_term_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of all user domains.
+-##
+## Do not audit attempts to use unprivileged
+## user ttys.
+##
@@ -34555,10 +34738,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ ps_process_pattern($1,userdomain)
- kernel_search_proc($1)
- ')
-
-@@ -5674,6 +6069,42 @@
++ kernel_search_proc($1)
++')
++
++########################################
++##
++## Get the attributes of all user domains.
++##
+ ##
+ ##
+ ## Domain allowed access.
+@@ -5674,6 +6067,42 @@
########################################
##
@@ -34601,7 +34791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5704,3 +6135,408 @@
+@@ -5704,3 +6133,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -35012,7 +35202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-21 11:02:50.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.te 2008-04-30 13:23:52.000000000 -0400
@@ -2,12 +2,7 @@
policy_module(userdomain,2.5.0)
@@ -35049,7 +35239,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Allow users to connect to PostgreSQL
##
##
-@@ -74,6 +62,9 @@
+@@ -45,13 +33,6 @@
+
+ ##
+ ##
+-## Allow users to read system messages.
+-##
+-##
+-gen_tunable(user_dmesg,false)
+-
+-##
+-##
+ ## Allow user to r/w files on filesystems
+ ## that do not have extended attributes (FAT, CDROM, FLOPPY)
+ ##
+@@ -74,6 +55,9 @@
# users home directory contents
attribute home_type;
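Review bot: The new side deletes the `gen_tunable(user_dmesg,false)` declaration from userdomain.te, but nothing in this hunk removes the `tunable_policy(`user_dmesg', ...)` blocks that consumed it; if any remain in the patched policy (presumably in the user templates in userdomain.if, which are not visible here), the module build will fail on an undeclared boolean. Worth confirming that the inner hunk around `dmesg_exec(sysadm_t)` (`@@ -302,12 +259,9 @@` further down this file) and the user templates no longer reference it. Dropping the tunable also removes the administrator's ability to deny ring-buffer reads without rebuilding policy, so the replacement behaviour deserves a short comment next to the remaining dmesg rules, e.g. `# user_dmesg boolean removed; ring-buffer access is now granted per user module`.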
@@ -35059,7 +35263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
-@@ -97,44 +88,54 @@
+@@ -97,44 +81,54 @@
# unprivileged user domains
attribute unpriv_userdomain;
@@ -35076,11 +35280,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-userdom_admin_user_template(sysadm)
-userdom_unpriv_user_template(staff)
-userdom_unpriv_user_template(user)
--
--# user role change rules:
--# sysadm_r can change to user roles
--userdom_role_change_template(sysadm, user)
--userdom_role_change_template(sysadm, staff)
+type admin_home_t, home_type;
+files_type(admin_home_t)
+files_associate_tmp(admin_home_t)
@@ -35105,12 +35304,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+files_poly_member(user_home_dir_t)
+files_poly_parent(user_home_dir_t)
--# only staff_r can change to sysadm_r
--userdom_role_change_template(staff, sysadm)
--dontaudit staff_t admin_terminal:chr_file { read write };
+-# user role change rules:
+-# sysadm_r can change to user roles
+-userdom_role_change_template(sysadm, user)
+-userdom_role_change_template(sysadm, staff)
+type user_tmp_t, user_file_type, user_tmpfile;
+files_tmp_file(user_tmp_t)
+-# only staff_r can change to sysadm_r
+-userdom_role_change_template(staff, sysadm)
+-dontaudit staff_t admin_terminal:chr_file { read write };
+-
-ifdef(`enable_mls',`
- userdom_unpriv_user_template(secadm)
- userdom_unpriv_user_template(auditadm)
@@ -35142,7 +35346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
#
-@@ -153,6 +154,12 @@
+@@ -153,6 +147,12 @@
mls_process_read_up(sysadm_t)
init_exec(sysadm_t)
@@ -35155,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Following for sending reboot and wall messages
userdom_use_unpriv_users_ptys(sysadm_t)
-@@ -170,46 +177,7 @@
+@@ -170,46 +170,7 @@
')
')
@@ -35203,7 +35407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r, admin_terminal)
-@@ -224,6 +192,10 @@
+@@ -224,6 +185,10 @@
')
optional_policy(`
@@ -35214,7 +35418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
apache_run_helper(sysadm_t, sysadm_r, admin_terminal)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
-@@ -279,14 +251,6 @@
+@@ -279,14 +244,6 @@
')
optional_policy(`
@@ -35229,7 +35433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
cron_admin_template(sysadm, sysadm_t, sysadm_r)
')
-@@ -302,12 +266,9 @@
+@@ -302,12 +259,9 @@
optional_policy(`
dmesg_exec(sysadm_t)
@@ -35243,7 +35447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
dmidecode_run(sysadm_t, sysadm_r, admin_terminal)
')
-@@ -352,6 +313,10 @@
+@@ -352,6 +306,10 @@
')
optional_policy(`
@@ -35254,7 +35458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
lvm_run(sysadm_t, sysadm_r, admin_terminal)
')
-@@ -387,6 +352,10 @@
+@@ -387,6 +345,10 @@
')
optional_policy(`
@@ -35265,7 +35469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
netutils_run(sysadm_t, sysadm_r, admin_terminal)
netutils_run_ping(sysadm_t, sysadm_r, admin_terminal)
netutils_run_traceroute(sysadm_t, sysadm_r, admin_terminal)
-@@ -436,15 +405,19 @@
+@@ -436,15 +398,19 @@
optional_policy(`
samba_run_net(sysadm_t, sysadm_r, admin_terminal)
@@ -35286,7 +35490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
', `
userdom_security_admin_template(sysadm_t, sysadm_r, admin_terminal)
')
-@@ -487,3 +460,31 @@
+@@ -487,3 +453,31 @@
optional_policy(`
yam_run(sysadm_t, sysadm_r, admin_terminal)
')
@@ -36267,8 +36471,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-24 15:09:37.000000000 -0400
-@@ -0,0 +1,23 @@
++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-04-30 13:20:29.000000000 -0400
+@@ -0,0 +1,25 @@
+policy_module(staff,1.0.1)
+userdom_admin_login_user_template(staff)
+
@@ -36276,6 +36480,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+userdom_role_change_template(staff, sysadm)
+userdom_dontaudit_use_sysadm_terms(staff_t)
+
++kernel_read_ring_buffer(staff_t)
++
+auth_domtrans_pam_console(staff_t)
+
+optional_policy(`
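Review bot: `kernel_read_ring_buffer(staff_t)` is added with no comment, yet it is the unconditional replacement for the `user_dmesg` boolean removed in the userdomain.te hunk earlier in this patch; the kernel log exposes kernel addresses, hardware and driver details, so a reader should see why every staff domain now gets it. A one-line comment above the rule would do, e.g. `# Replaces the removed user_dmesg tunable: staff may read the kernel ring buffer (dmesg)`, or, if the opt-out is still wanted, keep the grant inside a staff-local `tunable_policy` block. The module version at `policy_module(staff,1.0.1)` (shown as context in the preceding hunk) is not bumped although the module gains a rule, which refpolicy convention would normally call for. The staff.te file section begins in the preceding hunk and its enclosing `optional_policy` continues past this one.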
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5952351..a8fab7c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 44%{?dist}
+Release: 45%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,10 @@ exit 0
%endif
%changelog
+* Wed Apr 30 2008 Dan Walsh 3.3.1-45
+- Remove dmesg boolean
+- Allow user domains to read/write game data
+
* Mon Apr 28 2008 Dan Walsh 3.3.1-44
- Change unconfined_t to transition to unconfined_mono_t when running mono
- Change XXX_mono_t to transition to XXX_t when executing bin_t files, so gnome-do will work