diff --git a/.cvsignore b/.cvsignore
index 4c1f1a7..b668565 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -127,3 +127,4 @@ serefpolicy-3.0.6.tgz
serefpolicy-3.0.7.tgz
serefpolicy-3.0.8.tgz
serefpolicy-3.1.0.tgz
+serefpolicy-3.1.1.tgz
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index eb70247..d122def 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,6 +1,6 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
-allow_execmem = true
+allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
@@ -8,7 +8,7 @@ allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
@@ -148,7 +148,7 @@ stunnel_is_daemon = false
# Support NFS home directories
#
-use_nfs_home_dirs = false
+use_nfs_home_dirs = true
# Support SAMBA home directories
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ad634d3..bec5ec0 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -887,6 +887,13 @@ portmap = base
#
postfix = base
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+#
+postgrey = base
+
# Layer: services
# Module: ppp
#
@@ -1500,6 +1507,13 @@ vmware = module
guest = module
# Layer: users
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+#
+xguest = module
+
+# Layer: users
# Module: logadm
#
# Minimally prived root role for managing logging system
diff --git a/policy-20071023.patch b/policy-20071023.patch
index 3cac7b8..0e8afd2 100644
--- a/policy-20071023.patch
+++ b/policy-20071023.patch
@@ -1,3 +1,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.1.0/Changelog
+--- nsaserefpolicy/Changelog 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/Changelog 2007-11-06 09:28:26.000000000 -0500
+@@ -12,7 +12,6 @@
+ of confined and unconfined users.
+ - Added modules:
+ exim (Dan Walsh)
+- postfixpolicyd (Jan-Frode Myklebust)
+
+ * Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
+ - Add support for setting the unknown permissions handling.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.1.0/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.1.0/config/appconfig-mcs/default_contexts 2007-11-06 09:28:35.000000000 -0500
@@ -283,7 +294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/global_tunables 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/global_tunables 2007-11-07 15:32:58.000000000 -0500
@@ -6,38 +6,35 @@
## <desc>
@@ -328,7 +339,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
## </p>
## </desc>
gen_tunable(allow_polyinstantiation,false)
-@@ -132,3 +129,12 @@
+@@ -64,23 +61,14 @@
+
+ ## <desc>
+ ## <p>
+-## Allow email client to various content.
+-## nfs, samba, removable devices, user temp
+-## and untrusted content files
+-## </p>
+-## </desc>
+-gen_tunable(mail_read_content,false)
+-
+-## <desc>
+-## <p>
+-## Allow nfs to be exported read/write.
++## Allow any files/directories to be exported read/write via NFS.
+ ## </p>
+ ## </desc>
+ gen_tunable(nfs_export_all_rw,false)
+
+ ## <desc>
+ ## <p>
+-## Allow nfs to be exported read only
++## Allow any files/directories to be exported read/only via NFS.
+ ## </p>
+ ## </desc>
+ gen_tunable(nfs_export_all_ro,false)
+@@ -132,3 +120,12 @@
## </p>
## </desc>
gen_tunable(write_untrusted_content,false)
@@ -1462,7 +1499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.1.0/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/su.if 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/su.if 2007-11-08 11:40:26.000000000 -0500
@@ -41,12 +41,11 @@
allow $2 $1_su_t:process signal;
@@ -1580,7 +1617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.1.0/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te 2007-11-08 13:57:59.000000000 -0500
@@ -92,6 +92,7 @@
dev_read_urand(chfn_t)
@@ -1589,7 +1626,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_dontaudit_read_shadow(chfn_t)
# allow checking if a shell is executable
-@@ -297,9 +298,11 @@
+@@ -123,13 +124,7 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(chfn_t)
+
+-optional_policy(`
+- nis_use_ypbind(chfn_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(chfn_t)
+-')
++auth_use_nsswitch(chfn_t)
+
+ ########################################
+ #
+@@ -297,9 +292,11 @@
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
@@ -1601,7 +1653,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
-@@ -533,6 +536,12 @@
+@@ -334,12 +331,9 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(passwd_t)
+
+-optional_policy(`
+- nis_use_ypbind(passwd_t)
+-')
++auth_use_nsswitch(passwd_t)
+
+ optional_policy(`
+- nscd_socket_use(passwd_t)
+ nscd_domtrans(passwd_t)
+ ')
+
+@@ -425,12 +419,9 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+
+-optional_policy(`
+- nis_use_ypbind(sysadm_passwd_t)
+-')
++auth_use_nsswitch(sysadm_passwd_t)
+
+ optional_policy(`
+- nscd_socket_use(sysadm_passwd_t)
+ nscd_domtrans(sysadm_passwd_t)
+ ')
+
+@@ -533,6 +524,12 @@
')
optional_policy(`
@@ -2847,20 +2927,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/etc/apcupsd/offbattery -- gen_context(system_u:object_r:bin_t,s0)
+/etc/apcupsd/onbattery -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-29 18:02:31.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-11-08 09:29:27.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in 2007-11-07 08:31:44.000000000 -0500
-@@ -132,6 +132,7 @@
+@@ -132,7 +132,7 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
+-network_port(postfix_policyd, tcp,10031,s0)
+network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.0/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc 2007-11-06 09:28:35.000000000 -0500
-@@ -20,6 +20,7 @@
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc 2007-11-10 07:48:09.000000000 -0500
+@@ -13,6 +13,7 @@
+ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -20,6 +21,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
@@ -2868,7 +2957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
-@@ -30,6 +31,7 @@
+@@ -30,6 +32,7 @@
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -2878,7 +2967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.if 2007-11-08 14:28:51.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -2888,10 +2977,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
relabelfrom_fifo_files_pattern($1,device_t,device_node)
relabelfrom_sock_files_pattern($1,device_t,device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
-@@ -2787,6 +2787,78 @@
+@@ -2787,6 +2787,97 @@
########################################
## <summary>
++## Read and write generic the USB fifo files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_generic_usb_pipes',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
+## Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
@@ -2967,7 +3075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3322,3 +3394,4 @@
+@@ -3322,3 +3413,4 @@
typeattribute $1 devices_unconfined_type;
')
@@ -3008,7 +3116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
selinux_dontaudit_read_fs($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.1.0/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/domain.te 2007-11-06 10:15:22.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/kernel/domain.te 2007-11-08 13:58:30.000000000 -0500
@@ -145,3 +145,9 @@
# act on all domains keys
@@ -3017,12 +3125,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+# Allow all domains to use fds past to them
+allow domain domain:fd use;
+optional_policy(`
-+ rpm_dontaudit_rw_pipes(domain)
++ rpm_rw_pipes(domain)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.1.0/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-06 09:28:35.000000000 -0500
-@@ -4756,3 +4756,54 @@
++++ serefpolicy-3.1.0/policy/modules/kernel/files.if 2007-11-09 14:39:44.000000000 -0500
+@@ -3054,6 +3054,24 @@
+
+ ########################################
+ ## <summary>
++## Remove entries from the tmp directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_delete_tmp_dir_entry',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 tmp_t:dir del_entry_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+@@ -4756,3 +4774,54 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -3090,6 +3223,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
# etc_runtime_t is the type of various
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.1.0/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-29 18:02:31.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/kernel/filesystem.te 2007-11-10 07:39:37.000000000 -0500
+@@ -25,6 +25,8 @@
+ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.1.0/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-06-21 09:32:03.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/kernel/selinux.if 2007-11-06 09:28:35.000000000 -0500
@@ -3255,7 +3400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.1.0/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-07 12:47:31.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/apache.if 2007-11-08 09:03:24.000000000 -0500
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3547,8 +3692,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-06 09:28:35.000000000 -0500
-@@ -20,16 +20,25 @@
++++ serefpolicy-3.1.0/policy/modules/services/apache.te 2007-11-07 15:26:15.000000000 -0500
+@@ -20,20 +20,22 @@
# Declarations
#
@@ -3565,20 +3710,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## <desc>
## <p>
+-## Allow Apache to use mod_auth_pam
+## Allow Apache to communicate with avahi service via dbus
-+## </p>
-+## </desc>
-+gen_tunable(allow_httpd_dbus_avahi,false)
-+
-+## <desc>
-+## <p>
- ## Allow Apache to use mod_auth_pam
## </p>
## </desc>
-@@ -44,6 +53,13 @@
+-gen_tunable(allow_httpd_mod_auth_pam,false)
++gen_tunable(allow_httpd_dbus_avahi,false)
+
+ ## <desc>
+ ## <p>
+@@ -44,14 +46,21 @@
## <desc>
## <p>
+-## Allow http daemon to tcp connect
+## Allow http daemon to send mail
+## </p>
+## </desc>
@@ -3586,23 +3731,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+## <desc>
+## <p>
- ## Allow http daemon to tcp connect
++## Allow HTTPD scripts and modules to connect to the network
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_connect,false)
+
+ ## <desc>
+ ## <p>
+-## Allow httpd to connect to mysql/posgresql
++## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_connect_db, false)
+@@ -87,25 +96,46 @@
+
+ ## <desc>
+ ## <p>
+-## Run SSI execs in system CGI script domain.
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_ssi_exec,false)
+
+ ## <desc>
+ ## <p>
+-## Allow http daemon to communicate with the TTY
++## Unify HTTPD to communicate with the terminal. Needed for handling certificates
## </p>
## </desc>
-@@ -106,6 +122,27 @@
+ gen_tunable(httpd_tty_comm,false)
+
+ ## <desc>
+ ## <p>
+-## Run CGI in the main httpd domain
++## Unify HTTPD handling of all content files
+ ## </p>
## </desc>
gen_tunable(httpd_unified,false)
+## <desc>
+## <p>
-+## Allow httpd to read nfs files
++## Allow httpd to access nfs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_nfs,false)
+
+## <desc>
+## <p>
-+## Allow httpd to read cifs files
++## Allow httpd to access cifs file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_cifs,false)
@@ -3617,7 +3793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -144,6 +181,9 @@
+@@ -144,6 +174,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -3627,7 +3803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -204,7 +244,7 @@
+@@ -204,7 +237,7 @@
# Apache server local policy
#
@@ -3636,7 +3812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -246,6 +286,7 @@
+@@ -246,6 +279,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -3644,7 +3820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -286,6 +327,7 @@
+@@ -286,6 +320,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -3652,7 +3828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -332,6 +374,10 @@
+@@ -332,6 +367,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -3663,7 +3839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -346,12 +392,8 @@
+@@ -346,12 +385,8 @@
seutil_dontaudit_search_config(httpd_t)
@@ -3676,8 +3852,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-@@ -362,6 +404,7 @@
+@@ -360,8 +395,16 @@
+ #
+ # We need optionals to be able to be within booleans to make this work
#
++## <desc>
++## <p>
++## Allow Apache to use mod_auth_pam
++## </p>
++## </desc>
++gen_tunable(allow_httpd_mod_auth_pam,false)
++
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_upd_passwd(httpd_t)
@@ -4111,7 +4296,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.1.0/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/bind.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/bind.te 2007-11-07 15:41:34.000000000 -0500
+@@ -9,7 +9,7 @@
+ ## <desc>
+ ## <p>
+ ## Allow BIND to write the master zone files.
+-## Generally this is used for dynamic DNS.
++## Generally this is used for dynamic DNS, or zone transfers
+ ## </p>
+ ## </desc>
+ gen_tunable(named_write_master_zones,false)
@@ -156,6 +156,12 @@
')
@@ -4186,6 +4380,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+optional_policy(`
+ mailscanner_manage_spool(clamscan_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.1.0/policy/modules/services/comsat.te
+--- nsaserefpolicy/policy/modules/services/comsat.te 2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/comsat.te 2007-11-08 13:31:46.000000000 -0500
+@@ -57,6 +57,8 @@
+ files_search_spool(comsat_t)
+ files_search_home(comsat_t)
+
++auth_use_nsswitch(comsat_t)
++
+ init_read_utmp(comsat_t)
+ init_dontaudit_write_utmp(comsat_t)
+
+@@ -67,8 +69,6 @@
+
+ miscfiles_read_localization(comsat_t)
+
+-sysnet_read_config(comsat_t)
+-
+ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
+
+ mta_getattr_spool(comsat_t)
+@@ -77,10 +77,3 @@
+ kerberos_use(comsat_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(comsat_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(comsat_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.1.0/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2007-03-20 09:23:13.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/consolekit.if 2007-11-06 09:28:35.000000000 -0500
@@ -4738,7 +4964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cups.te 2007-11-08 13:32:52.000000000 -0500
@@ -48,9 +48,7 @@
type hplip_t;
type hplip_exec_t;
@@ -4817,7 +5043,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
mls_file_downgrade(cupsd_t)
mls_file_write_all_levels(cupsd_t)
mls_file_read_all_levels(cupsd_t)
-@@ -187,7 +189,7 @@
+@@ -173,6 +175,8 @@
+ term_use_unallocated_ttys(cupsd_t)
+ term_search_ptys(cupsd_t)
+
++auth_use_nsswitch(cupsd_t)
++
+ auth_domtrans_chk_passwd(cupsd_t)
+ auth_dontaudit_read_pam_pid(cupsd_t)
+
+@@ -187,7 +191,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -4826,7 +5061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -196,12 +198,9 @@
+@@ -196,12 +200,9 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -4840,7 +5075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
-@@ -221,17 +220,37 @@
+@@ -221,17 +222,37 @@
sysnet_read_config(cupsd_t)
@@ -4878,7 +5113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
apm_domtrans_client(cupsd_t)
')
-@@ -262,16 +281,16 @@
+@@ -262,16 +283,16 @@
')
optional_policy(`
@@ -4899,7 +5134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(cupsd_t)
')
-@@ -291,7 +310,9 @@
+@@ -291,7 +312,9 @@
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@@ -4910,7 +5145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t,cupsd_t)
-@@ -330,6 +351,7 @@
+@@ -330,6 +353,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -4918,7 +5153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -354,6 +376,8 @@
+@@ -354,6 +378,8 @@
logging_send_syslog_msg(cupsd_config_t)
@@ -4927,7 +5162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
miscfiles_read_localization(cupsd_config_t)
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -376,6 +400,14 @@
+@@ -376,6 +402,14 @@
')
optional_policy(`
@@ -4942,7 +5177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -391,6 +423,7 @@
+@@ -391,6 +425,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -4950,7 +5185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -402,14 +435,6 @@
+@@ -402,14 +437,6 @@
')
optional_policy(`
@@ -4965,7 +5200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
rpm_read_db(cupsd_config_t)
')
-@@ -430,7 +455,6 @@
+@@ -430,7 +457,6 @@
allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
allow cupsd_lpd_t self:udp_socket create_socket_perms;
@@ -4973,7 +5208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# for identd
# cjp: this should probably only be inetd_child rules?
-@@ -480,6 +504,8 @@
+@@ -480,6 +506,8 @@
files_read_etc_files(cupsd_lpd_t)
@@ -4982,7 +5217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
libs_use_ld_so(cupsd_lpd_t)
libs_use_shared_libs(cupsd_lpd_t)
-@@ -495,14 +521,6 @@
+@@ -495,14 +523,6 @@
inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
')
@@ -4997,7 +5232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
########################################
#
# HPLIP local policy
-@@ -523,11 +541,9 @@
+@@ -523,11 +543,9 @@
allow hplip_t cupsd_etc_t:dir search;
cups_stream_connect(hplip_t)
@@ -5012,7 +5247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,7 +574,9 @@
+@@ -558,7 +576,9 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -5023,7 +5258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -585,8 +603,6 @@
+@@ -585,8 +605,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -5032,7 +5267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
seutil_sigchld_newrole(hplip_t)
')
-@@ -666,3 +682,15 @@
+@@ -666,3 +684,15 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -5050,7 +5285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.1.0/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-07-10 13:21:26.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cvs.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cvs.te 2007-11-08 11:58:06.000000000 -0500
@@ -16,6 +16,7 @@
type cvs_t;
type cvs_exec_t;
@@ -5059,15 +5294,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
role system_r types cvs_t;
type cvs_data_t; # customizable
-@@ -68,6 +69,7 @@
+@@ -67,7 +68,9 @@
+
fs_getattr_xattr_fs(cvs_t)
++sysnet_dns_name_resolve(cvs_t)
auth_domtrans_chk_passwd(cvs_t)
+auth_domtrans_upd_passwd_chk(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
-@@ -81,6 +83,7 @@
+@@ -81,6 +84,7 @@
libs_use_shared_libs(cvs_t)
logging_send_syslog_msg(cvs_t)
@@ -5075,6 +5312,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
miscfiles_read_localization(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.1.0/policy/modules/services/cyrus.te
+--- nsaserefpolicy/policy/modules/services/cyrus.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/cyrus.te 2007-11-08 13:33:43.000000000 -0500
+@@ -41,7 +41,6 @@
+ allow cyrus_t self:unix_stream_socket connectto;
+ allow cyrus_t self:tcp_socket create_stream_socket_perms;
+ allow cyrus_t self:udp_socket create_socket_perms;
+-allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+ manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+@@ -95,6 +94,8 @@
+ files_read_etc_runtime_files(cyrus_t)
+ files_read_usr_files(cyrus_t)
+
++auth_use_nsswitch(cyrus_t)
++
+ libs_use_ld_so(cyrus_t)
+ libs_use_shared_libs(cyrus_t)
+ libs_exec_lib_files(cyrus_t)
+@@ -122,14 +123,6 @@
+ ')
+
+ optional_policy(`
+- ldap_stream_connect(cyrus_t)
+-')
+-
+-optional_policy(`
+- nis_use_ypbind(cyrus_t)
+-')
+-
+-optional_policy(`
+ sasl_connect(cyrus_t)
+ ')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.1.0/policy/modules/services/dbskk.te
+--- nsaserefpolicy/policy/modules/services/dbskk.te 2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/dbskk.te 2007-11-08 12:00:39.000000000 -0500
+@@ -63,6 +63,8 @@
+
+ files_read_etc_files(dbskkd_t)
+
++auth_use_nsswitch(dbskkd_t)
++
+ libs_use_ld_so(dbskkd_t)
+ libs_use_shared_libs(dbskkd_t)
+
+@@ -70,12 +72,3 @@
+
+ miscfiles_read_localization(dbskkd_t)
+
+-sysnet_read_config(dbskkd_t)
+-
+-optional_policy(`
+- nis_use_ypbind(dbskkd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(dbskkd_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.1.0/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-29 07:52:49.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/dbus.if 2007-11-06 09:28:35.000000000 -0500
@@ -5683,12 +5980,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.1.0/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/ftp.te 2007-11-06 09:28:35.000000000 -0500
-@@ -9,7 +9,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/ftp.te 2007-11-07 15:45:09.000000000 -0500
+@@ -8,8 +8,8 @@
+
## <desc>
## <p>
- ## Allow ftp servers to modify public files
+-## Allow ftp servers to modify public files
-## used for public file transfer services.
++## Allow ftp servers to upload files,
+## used for public file transfer services. Directories must be labeled public_content_rw_t
## </p>
## </desc>
@@ -5764,7 +6063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.1.0/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/hal.fc 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/hal.fc 2007-11-10 08:16:03.000000000 -0500
@@ -8,14 +8,18 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -5857,7 +6156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-07 10:34:39.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/inetd.te 2007-11-08 13:24:56.000000000 -0500
@@ -84,6 +84,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
@@ -6074,6 +6373,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.1.0/policy/modules/services/ldap.te
+--- nsaserefpolicy/policy/modules/services/ldap.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/ldap.te 2007-11-08 13:18:08.000000000 -0500
+@@ -42,7 +42,6 @@
+ dontaudit slapd_t self:capability sys_tty_config;
+ allow slapd_t self:process setsched;
+ allow slapd_t self:fifo_file { read write };
+-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow slapd_t self:udp_socket create_socket_perms;
+ #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+ allow slapd_t self:tcp_socket create_stream_socket_perms;
+@@ -104,6 +103,8 @@
+ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+
++auth_use_nsswitch(slapd_t)
++
+ libs_use_ld_so(slapd_t)
+ libs_use_shared_libs(slapd_t)
+
+@@ -112,8 +113,6 @@
+ miscfiles_read_certs(slapd_t)
+ miscfiles_read_localization(slapd_t)
+
+-sysnet_read_config(slapd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+
+@@ -122,10 +121,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(slapd_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(slapd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.1.0/policy/modules/services/lpd.fc
--- nsaserefpolicy/policy/modules/services/lpd.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/lpd.fc 2007-11-06 09:28:35.000000000 -0500
@@ -6387,7 +6726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.1.0/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/mta.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/mta.te 2007-11-08 08:57:27.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -7151,7 +7490,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/openvpn.te 2007-11-07 15:47:03.000000000 -0500
+@@ -8,7 +8,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow openvpn to read home directories
++## Allow openvpn service access to users home directories
+ ## </p>
+ ## </desc>
+ gen_tunable(openvpn_enable_homedirs,false)
@@ -110,3 +110,12 @@
networkmanager_dbus_chat(openvpn_t)
@@ -7275,8 +7623,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc 1969-12-31 19:00:00.000000000 -0500
+@@ -1,5 +0,0 @@
+-/etc/policyd.conf -- gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+-
+-/usr/sbin/policyd -- gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+-
+-/var/run/policyd\.pid -- gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if 1969-12-31 19:00:00.000000000 -0500
+@@ -1 +0,0 @@
+-## <summary>Postfix policy server</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te 2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te 1969-12-31 19:00:00.000000000 -0500
+@@ -1,54 +0,0 @@
+-
+-policy_module(postfixpolicyd, 1.0.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type postfix_policyd_t;
+-type postfix_policyd_exec_t;
+-init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+-
+-type postfix_policyd_conf_t;
+-files_config_file(postfix_policyd_conf_t)
+-
+-type postfix_policyd_var_run_t;
+-files_pid_file(postfix_policyd_var_run_t)
+-
+-########################################
+-#
+-# Local Policy
+-#
+-
+-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+-allow postfix_policyd_t self:process setrlimit;
+-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+-
+-allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+-
+-manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+-files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+-
+-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+-corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+-corenet_tcp_sendrecv_all_nodes(postfix_policyd_t)
+-corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+-corenet_tcp_bind_all_nodes(postfix_policyd_t)
+-corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+-corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+-
+-files_read_etc_files(postfix_policyd_t)
+-files_read_usr_files(postfix_policyd_t)
+-
+-libs_use_ld_so(postfix_policyd_t)
+-libs_use_shared_libs(postfix_policyd_t)
+-
+-logging_send_syslog_msg(postfix_policyd_t)
+-
+-miscfiles_read_localization(postfix_policyd_t)
+-
+-sysnet_dns_name_resolve(postfix_policyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.1.0/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-12 08:56:07.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/postfix.te 2007-11-08 09:29:27.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/postfix.te 2007-11-06 09:28:35.000000000 -0500
@@ -6,6 +6,14 @@
# Declarations
@@ -7404,7 +7824,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix smtp delivery local policy
-@@ -569,6 +581,10 @@
+@@ -547,9 +559,6 @@
+ # connect to master process
+ stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+
+-# Connect to policy server
+-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+-
+ # for prng_exch
+ allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+@@ -572,6 +581,10 @@
sasl_connect(postfix_smtpd_t)
')
@@ -7507,7 +7937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.1.0/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/postgresql.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postgresql.te 2007-11-08 13:36:00.000000000 -0500
@@ -27,6 +27,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
@@ -7518,6 +7948,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# postgresql Local policy
+@@ -42,7 +45,6 @@
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
+
+ manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+ manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+@@ -118,6 +120,8 @@
+
+ init_read_utmp(postgresql_t)
+
++auth_use_nsswitch(postgresql_t)
++
+ libs_use_ld_so(postgresql_t)
+ libs_use_shared_libs(postgresql_t)
+
+@@ -127,9 +131,6 @@
+
+ seutil_dontaudit_search_config(postgresql_t)
+
+-sysnet_read_config(postgresql_t)
+-sysnet_use_ldap(postgresql_t)
+-
+ userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
+ userdom_dontaudit_use_sysadm_ttys(postgresql_t)
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+@@ -158,10 +159,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(postgresql_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(postgresql_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.1.0/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/services/ppp.fc 2007-11-06 09:28:35.000000000 -0500
@@ -7914,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.1.0/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rpc.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rpc.te 2007-11-08 12:02:07.000000000 -0500
@@ -8,7 +8,7 @@
## <desc>
@@ -7987,18 +8455,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +159,9 @@
+@@ -143,6 +159,7 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-+auth_use_nsswitch(gssd_t)
-+
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -158,6 +177,9 @@
+@@ -156,8 +173,14 @@
+ files_list_tmp(gssd_t)
+ files_read_usr_symlinks(gssd_t)
++auth_read_cache(gssd_t)
++auth_use_nsswitch(gssd_t)
++
miscfiles_read_certs(gssd_t)
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
@@ -8083,12 +8554,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.1.0/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rsync.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rsync.te 2007-11-08 13:36:17.000000000 -0500
@@ -8,8 +8,15 @@
## <desc>
## <p>
-+## Allow rsync export files read only
++## Allow rsync to export any files/directories read only
+## </p>
+## </desc>
+gen_tunable(rsync_export_all_ro,false)
@@ -8101,15 +8572,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
## </p>
## </desc>
gen_tunable(allow_rsync_anon_write,false)
-@@ -58,6 +65,8 @@
- manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
- files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+@@ -81,6 +88,8 @@
+ files_read_etc_files(rsync_t)
+ files_search_home(rsync_t)
+auth_use_nsswitch(rsync_t)
+
- kernel_read_kernel_sysctls(rsync_t)
- kernel_read_system_state(rsync_t)
- kernel_read_network_state(rsync_t)
+ libs_use_ld_so(rsync_t)
+ libs_use_shared_libs(rsync_t)
+
@@ -90,8 +99,6 @@
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
@@ -8296,8 +8767,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.1.0/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/samba.te 2007-11-06 09:28:35.000000000 -0500
-@@ -9,7 +9,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/samba.te 2007-11-07 16:11:34.000000000 -0500
+@@ -9,14 +9,14 @@
## <desc>
## <p>
## Allow samba to modify public files
@@ -8306,6 +8777,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
## </p>
## </desc>
gen_tunable(allow_smbd_anon_write,false)
+
+ ## <desc>
+ ## <p>
+-## Allow samba to run as the domain controller; add machines to passwd file
++## Allow samba to act as the domain controller, add users, groups and change passwords
+ ##
+ ## </p>
+ ## </desc>
+@@ -24,28 +24,28 @@
+
+ ## <desc>
+ ## <p>
+-## Allow samba to export user home directories.
++## Allow Samba to share users home directories
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_enable_home_dirs,false)
+
+ ## <desc>
+ ## <p>
+-## Export all files on system read only.
++## Allow Samba to share any file/directory read only
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_export_all_ro,false)
+
+ ## <desc>
+ ## <p>
+-## Export all files on system read-write.
++## Allow Samba to share any file/directory read/write
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_export_all_rw,false)
+
+ ## <desc>
+ ## <p>
+-## Allow samba to run unconfined scripts
++## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_run_unconfined,false)
@@ -137,6 +137,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -8710,7 +9222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.1.0/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/sasl.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/sasl.te 2007-11-10 07:56:05.000000000 -0500
@@ -64,6 +64,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -8719,6 +9231,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
auth_use_nsswitch(saslauthd_t)
domain_use_interactive_fds(saslauthd_t)
+@@ -107,6 +108,10 @@
+ ')
+
+ optional_policy(`
++ nis_authenticate(saslauthd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(saslauthd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.1.0/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/sendmail.if 2007-11-06 09:28:35.000000000 -0500
@@ -8810,7 +9333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.0/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/sendmail.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/sendmail.te 2007-11-10 07:37:48.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -8845,7 +9368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,28 @@
+@@ -94,30 +99,32 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -8864,15 +9387,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
mta_manage_queue(sendmail_t)
mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
++
++optional_policy(`
++ cron_read_pipes(sendmail_t)
++')
optional_policy(`
-- clamav_search_lib(sendmail_t)
-+ cron_read_pipes(sendmail_t)
+ clamav_search_lib(sendmail_t)
')
optional_policy(`
- nis_use_ypbind(sendmail_t)
-+ clamav_search_lib(sendmail_t)
++ cyrus_stream_connect(sendmail_t)
')
optional_policy(`
@@ -8881,7 +9407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -131,6 +134,10 @@
+@@ -131,6 +138,10 @@
')
optional_policy(`
@@ -8892,7 +9418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
seutil_sigchld_newrole(sendmail_t)
')
-@@ -156,3 +163,15 @@
+@@ -156,3 +167,15 @@
dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
') dnl end TODO
@@ -9248,6 +9774,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
seutil_sigchld_newrole(ssh_keygen_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.1.0/policy/modules/services/stunnel.te
+--- nsaserefpolicy/policy/modules/services/stunnel.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/stunnel.te 2007-11-08 13:38:03.000000000 -0500
+@@ -68,6 +68,8 @@
+
+ fs_getattr_all_fs(stunnel_t)
+
++auth_use_nsswitch(stunnel_t)
++
+ libs_use_ld_so(stunnel_t)
+ libs_use_shared_libs(stunnel_t)
+
+@@ -112,14 +114,6 @@
+ optional_policy(`
+ kerberos_use(stunnel_t)
+ ')
+-
+- optional_policy(`
+- nis_use_ypbind(stunnel_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use(stunnel_t)
+- ')
+ ')
+
+ # hack since this port has no interfaces since it doesnt
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.1.0/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/telnet.te 2007-11-06 09:28:35.000000000 -0500
@@ -9360,6 +9913,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
sysnet_read_config(tftpd_t)
sysnet_use_ldap(tftpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.1.0/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/uucp.te 2007-11-08 13:41:35.000000000 -0500
+@@ -88,6 +88,8 @@
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+
++auth_use_nsswitch(uucpd_t)
++
+ libs_use_ld_so(uucpd_t)
+ libs_use_shared_libs(uucpd_t)
+
+@@ -95,20 +97,10 @@
+
+ miscfiles_read_localization(uucpd_t)
+
+-sysnet_read_config(uucpd_t)
+-
+ optional_policy(`
+ kerberos_use(uucpd_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(uucpd_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(uucpd_t)
+-')
+-
+ ########################################
+ #
+ # UUX Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.1.0/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/services/uwimap.te 2007-11-06 09:28:35.000000000 -0500
@@ -9445,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.1.0/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-07 12:15:33.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/xserver.if 2007-11-08 14:26:18.000000000 -0500
@@ -58,7 +58,6 @@
allow $1_xserver_t self:msg { send receive };
allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -9454,15 +10040,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
allow $1_xserver_t self:udp_socket create_socket_perms;
-@@ -126,6 +125,7 @@
+@@ -126,6 +125,9 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
dev_rwx_zero($1_xserver_t)
+ dev_read_urand($1_xserver_t)
++ dev_rw_generic_usb_dev($1_xserver_t)
++ dev_rw_generic_usb_pipes($1_xserver_t)
domain_mmap_low($1_xserver_t)
-@@ -141,10 +141,14 @@
+@@ -141,10 +143,14 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@@ -9478,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
-@@ -160,8 +164,6 @@
+@@ -160,8 +166,6 @@
seutil_dontaudit_search_config($1_xserver_t)
@@ -9487,7 +10075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow $1_xserver_t self:process { execmem execheap execstack };
')
-@@ -179,14 +181,6 @@
+@@ -179,14 +183,6 @@
')
optional_policy(`
@@ -9502,7 +10090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
rhgb_getpgid($1_xserver_t)
rhgb_signal($1_xserver_t)
')
-@@ -251,7 +245,7 @@
+@@ -251,7 +247,7 @@
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
@@ -9511,7 +10099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type $1_iceauth_t;
domain_type($1_iceauth_t)
-@@ -282,11 +276,14 @@
+@@ -282,11 +278,14 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -9526,7 +10114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +313,7 @@
+@@ -316,6 +315,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -9534,7 +10122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -353,12 +351,6 @@
+@@ -353,12 +353,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@@ -9547,7 +10135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +379,14 @@
+@@ -387,6 +381,14 @@
')
optional_policy(`
@@ -9562,7 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
-@@ -536,17 +536,15 @@
+@@ -536,17 +538,15 @@
template(`xserver_user_client_template',`
gen_require(`
@@ -9586,7 +10174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +553,53 @@
+@@ -555,25 +555,53 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -9644,11 +10232,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ ')
+
+ optional_policy(`
-+ xserver_rw_session_template($1,$2,$3)
++ xserver_rw_session_template(xdm,$2,$3)
')
')
-@@ -626,6 +652,24 @@
+@@ -626,6 +654,24 @@
########################################
## <summary>
@@ -9673,7 +10261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +703,73 @@
+@@ -659,6 +705,73 @@
########################################
## <summary>
@@ -9747,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1038,7 @@
+@@ -927,6 +1040,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -9755,7 +10343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -987,6 +1099,37 @@
+@@ -987,6 +1101,37 @@
########################################
## <summary>
@@ -9793,7 +10381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1279,7 @@
+@@ -1136,7 +1281,7 @@
type xdm_xserver_tmp_t;
')
@@ -9802,7 +10390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1325,3 +1468,45 @@
+@@ -1325,3 +1470,45 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -10065,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.1.0/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/authlogin.if 2007-11-10 07:11:28.000000000 -0500
@@ -169,6 +169,7 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -10095,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
# for SSP/ProPolice
dev_read_urand($1)
# for fingerprint readers
-@@ -221,11 +230,17 @@
+@@ -221,11 +230,22 @@
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
@@ -10106,6 +10694,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
seutil_read_default_contexts($1)
+ userdom_set_rlimitnh($1)
++ userdom_unlink_unpriv_users_tmp_files($1)
++
++ optional_policy(`
++ mount_domtrans($1)
++ ')
+
+ optional_policy(`
+ nis_authenticate($1)
@@ -10114,7 +10707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -342,6 +357,8 @@
+@@ -342,6 +362,8 @@
optional_policy(`
kerberos_use($1)
@@ -10123,7 +10716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -440,6 +457,59 @@
+@@ -440,6 +462,59 @@
########################################
## <summary>
@@ -10183,7 +10776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -1457,6 +1527,7 @@
+@@ -1457,6 +1532,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -10191,6 +10784,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
+@@ -1491,3 +1567,23 @@
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
++########################################
++## <summary>
++## Read authentication cache
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`auth_read_cache',`
++ gen_require(`
++ type auth_cache_t;
++ ')
++
++ read_files_pattern($1, auth_cache_t, auth_cache_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.1.0/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.1.0/policy/modules/system/authlogin.te 2007-11-06 09:28:35.000000000 -0500
@@ -10671,7 +11288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.1.0/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/init.te 2007-11-08 13:26:15.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -10749,7 +11366,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -201,10 +217,9 @@
+@@ -196,15 +212,13 @@
+ allow initrc_t self:tcp_socket create_stream_socket_perms;
+ allow initrc_t self:udp_socket create_socket_perms;
+ allow initrc_t self:fifo_file rw_file_perms;
+-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -10762,7 +11384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -283,7 +298,6 @@
+@@ -283,7 +297,6 @@
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
@@ -10770,7 +11392,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -497,6 +511,33 @@
+@@ -365,7 +378,7 @@
+
+ seutil_read_config(initrc_t)
+
+-sysnet_read_config(initrc_t)
++auth_use_nsswitch(initrc_t)
+
+ userdom_read_all_users_home_content_files(initrc_t)
+ # Allow access to the sysadm TTYs. Note that this will give access to the
+@@ -497,6 +510,33 @@
')
optional_policy(`
@@ -10804,7 +11435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
-@@ -631,12 +672,6 @@
+@@ -631,12 +671,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -10817,7 +11448,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -702,6 +737,9 @@
+@@ -648,15 +682,10 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(initrc_t)
+ nis_list_var_yp(initrc_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(initrc_t)
+-')
+-
+-optional_policy(`
+ openvpn_read_config(initrc_t)
+ ')
+
+@@ -702,6 +731,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -10827,7 +11474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -749,6 +787,10 @@
+@@ -749,6 +781,10 @@
')
optional_policy(`
@@ -10937,8 +11584,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.1.0/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/libraries.fc 2007-11-06 09:28:35.000000000 -0500
-@@ -65,11 +65,12 @@
++++ serefpolicy-3.1.0/policy/modules/system/libraries.fc 2007-11-08 16:04:38.000000000 -0500
+@@ -65,11 +65,13 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
@@ -10950,10 +11597,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
-/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -135,6 +136,8 @@
+@@ -135,6 +137,8 @@
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10962,7 +11610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -158,6 +161,7 @@
+@@ -158,6 +162,7 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10970,7 +11618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -216,6 +220,7 @@
+@@ -216,6 +221,7 @@
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10978,7 +11626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,7 +241,9 @@
+@@ -236,7 +242,9 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10989,7 +11637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
# vmware
/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -284,3 +291,10 @@
+@@ -284,3 +292,10 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -11761,7 +12409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.1.0/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.if 2007-11-07 11:58:01.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.if 2007-11-10 07:25:19.000000000 -0500
@@ -585,7 +585,7 @@
type selinux_config_t;
')
@@ -11893,7 +12541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
## </summary>
-@@ -1058,3 +1134,138 @@
+@@ -1058,3 +1134,140 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -12027,6 +12675,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
+
++ userdom_dontaudit_write_unpriv_user_home_content_files($1)
++
+ optional_policy(`
+ rpm_dontaudit_rw_tmp_files($1)
+ rpm_dontaudit_rw_pipes($1)
@@ -12034,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te 2007-11-09 14:28:06.000000000 -0500
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -12267,7 +12917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -519,7 +499,9 @@
+@@ -519,7 +499,12 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
@@ -12275,10 +12925,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock};
+
+logging_send_audit_msgs(setfiles_t)
++
++files_list_isid_type_dirs(setfiles_t)
++files_read_isid_type_files(setfiles_t)
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-@@ -537,6 +519,7 @@
+@@ -537,6 +522,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -12286,7 +12939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -590,8 +573,16 @@
+@@ -590,8 +576,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@@ -13008,7 +13661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.0/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/userdomain.if 2007-11-07 11:01:16.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/userdomain.if 2007-11-09 14:39:07.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -14049,7 +14702,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3077,7 +3210,7 @@
+@@ -2706,6 +2839,25 @@
+
+ ########################################
+ ## <summary>
++## unlink all unprivileged users files in /tmp
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_unlink_unpriv_users_tmp_files',`
++ gen_require(`
++ attribute user_tmpfile;
++ ')
++
++ files_delete_tmp_dir_entry($1)
++ allow $1 user_tmpfile:file unlink;
++')
++
++########################################
++## <summary>
+ ## Read and write user temporary files.
+ ## </summary>
+ ## <desc>
+@@ -3077,7 +3229,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -14058,7 +14737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -3911,7 +4044,7 @@
+@@ -3911,7 +4063,7 @@
type sysadm_t;
')
@@ -14067,7 +14746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow sysadm_t $1:fd use;
allow sysadm_t $1:fifo_file rw_file_perms;
allow sysadm_t $1:process sigchld;
-@@ -4201,11 +4334,11 @@
+@@ -4201,11 +4353,11 @@
## </param>
#
interface(`userdom_sigchld_sysadm',`
@@ -14083,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4571,8 +4704,8 @@
+@@ -4571,8 +4723,8 @@
files_search_home($1)
allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
@@ -14094,7 +14773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4592,8 +4725,8 @@
+@@ -4592,8 +4744,8 @@
files_search_tmp($1)
allow $1 sysadm_tmp_t:dir list_dir_perms;
@@ -14105,7 +14784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4608,11 +4741,29 @@
+@@ -4608,11 +4760,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -14136,7 +14815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4632,6 +4783,14 @@
+@@ -4632,6 +4802,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -14151,7 +14830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4950,7 +5109,7 @@
+@@ -4950,7 +5128,7 @@
#
interface(`userdom_manage_generic_user_home_content_dirs',`
gen_require(`
@@ -14160,7 +14839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5068,7 +5227,7 @@
+@@ -5068,7 +5246,7 @@
#
interface(`userdom_manage_generic_user_home_content_symlinks',`
gen_require(`
@@ -14169,7 +14848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5088,7 +5247,7 @@
+@@ -5088,7 +5266,7 @@
#
interface(`userdom_manage_generic_user_home_content_pipes',`
gen_require(`
@@ -14178,7 +14857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5108,7 +5267,7 @@
+@@ -5108,7 +5286,7 @@
#
interface(`userdom_manage_generic_user_home_content_sockets',`
gen_require(`
@@ -14187,7 +14866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5322,7 +5481,7 @@
+@@ -5322,7 +5500,7 @@
attribute user_tmpfile;
')
@@ -14196,7 +14875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5528,6 +5687,24 @@
+@@ -5528,6 +5706,24 @@
########################################
## <summary>
@@ -14221,7 +14900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5558,3 +5735,379 @@
+@@ -5558,3 +5754,379 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -14603,7 +15282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-11-06 16:05:43.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/userdomain.te 2007-11-07 15:10:02.000000000 -0500
@@ -17,20 +17,13 @@
## <desc>
@@ -15050,26 +15729,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
+## <summary>Policy for guest user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.1.0/policy/modules/users/guest.te
--- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.1.0/policy/modules/users/guest.te 2007-11-06 09:28:35.000000000 -0500
-@@ -0,0 +1,18 @@
++++ serefpolicy-3.1.0/policy/modules/users/guest.te 2007-11-08 08:58:06.000000000 -0500
+@@ -0,0 +1,4 @@
+policy_module(guest,1.0.0)
+userdom_unpriv_login_user(guest)
+userdom_unpriv_login_user(gadmin)
-+userdom_unpriv_xwindows_login_user(xguest)
-+mozilla_per_role_template(xguest, xguest_t, xguest_r)
+
-+optional_policy(`
-+ consolekit_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
-+ bluetooth_dbus_chat(xguest_t)
-+')
-+
-+# Allow mounting of file systems
-+optional_policy(`
-+ hal_dbus_chat(xguest_t)
-+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.1.0/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.1.0/policy/modules/users/logadm.fc 2007-11-06 09:28:35.000000000 -0500
@@ -15156,9 +15821,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+')
+allow gadmin_t webadm_t:process transition;
+allow webadm_t gadmin_t:dir getattr;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.1.0/policy/modules/users/xguest.fc
+--- nsaserefpolicy/policy/modules/users/xguest.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.fc 2007-11-08 08:59:47.000000000 -0500
+@@ -0,0 +1 @@
++# No xguest file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.1.0/policy/modules/users/xguest.if
+--- nsaserefpolicy/policy/modules/users/xguest.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.if 2007-11-08 08:59:47.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for xguest user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.1.0/policy/modules/users/xguest.te
+--- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.te 2007-11-08 08:59:49.000000000 -0500
+@@ -0,0 +1,11 @@
++policy_module(xguest,1.0.0)
++userdom_unpriv_xwindows_login_user(xguest)
++mozilla_per_role_template(xguest, xguest_t, xguest_r)
++# Allow mounting of file systems
++optional_policy(`
++ hal_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++ bluetooth_dbus_chat(xguest_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.1.0/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt 2007-11-06 09:28:36.000000000 -0500
++++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt 2007-11-09 14:33:41.000000000 -0500
@@ -204,7 +204,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b92e76c..b6ab7fd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.1.0
+Version: 3.1.1
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
@@ -179,7 +179,7 @@ Based off of reference policy: Checked out revision 2483.
# Build targeted policy
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_mandir}
-cp -R man %{buildroot}%{_mandir}
+cp -R man/* %{buildroot}%{_mandir}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
@@ -379,6 +379,9 @@ exit 0
%endif
%changelog
+* Sat Nov 10 2007 Dan Walsh <dwalsh@redhat.com> 3.1.1-1
+- Update to upstream
+
* Mon Oct 22 2007 Dan Walsh <dwalsh@redhat.com> 3.1.0-1
- Update to upstream
diff --git a/sources b/sources
index ef91975..9f90c78 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-31bbdec681a061d2589003b5715f7755 serefpolicy-3.1.0.tgz
+68f90a44c27dbe325fa27b88608da3b4 serefpolicy-3.1.1.tgz