diff --git a/modules-minimum.conf b/modules-minimum.conf
index abdf2ef..eb63df8 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -493,6 +493,13 @@ finger = module
#
firstboot = base
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+#
+fprintd = module
+
# Layer: system
# Module: fstools
#
@@ -987,7 +994,7 @@ portmap = module
#
postfix = module
-o# Layer: services
+# Layer: services
# Module: postgrey
#
# email scanner
@@ -1172,20 +1179,6 @@ rsync = module
rwho = module
# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = base
-
-# Layer: services
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
@@ -1201,6 +1194,13 @@ samba = module
#
sambagui = module
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
# Layer: apps
# Module: screen
#
@@ -1223,6 +1223,20 @@ selinux = base
#
selinuxutil = base
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = base
+
+# Layer: services
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = base
+
# Layer: system
# Module: setrans
# Required in base
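Review bot: The new `shorewall = base` line compiles the firewall policy into the monolithic base of the *minimum* module set, while the other services this patch adds here (fprintd, sasl) are loadable `module`s that can be removed or disabled with semodule. Unless some base interface references shorewall types, `shorewall = module` would be the consistent and more flexible choice. If the base placement is deliberate, a short note above it, e.g. `# in base: referenced by base policy`, would stop the next editor from "fixing" it.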
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 5e28ed7..80e0831 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -799,7 +799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-30 14:18:18.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-05-08 11:49:07.000000000 -0400
@@ -11,8 +11,8 @@
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
@@ -811,11 +811,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
-@@ -24,14 +24,17 @@
+@@ -23,15 +23,17 @@
+ #
allow readahead_t self:capability { fowner dac_override dac_read_search };
- dontaudit readahead_t self:capability sys_tty_config;
+-dontaudit readahead_t self:capability sys_tty_config;
-allow readahead_t self:process signal_perms;
++dontaudit readahead_t self:capability { net_admin sys_tty_config };
+allow readahead_t self:process { setsched signal_perms };
-manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t)
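Review bot: The new `dontaudit readahead_t self:capability { net_admin sys_tty_config };` silently swallows a CAP_NET_ADMIN request from a file pre-loader, which has no obvious business with networking, and nothing in the hunk explains where the request comes from. If it is a spurious probe from a library call (plausibly the same path that needed net sysctl reads), a why-comment on that line would keep a later reviewer from promoting it to an `allow`, e.g. `# CAP_NET_ADMIN is probed but not needed; suppress the denial`. The readahead_t rule block continues outside the hunk.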
@@ -826,12 +828,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
- kernel_read_kernel_sysctls(readahead_t)
-+kernel_read_net_sysctls(readahead_t)
+-kernel_read_kernel_sysctls(readahead_t)
++kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
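Review bot: Replacing `kernel_read_net_sysctls(readahead_t)` with `kernel_read_all_sysctls(readahead_t)` opens every sysctl tree (kernel, fs, vm, net) to readahead where the earlier version only asked for the kernel and net subsets. If both are still the actual need, `kernel_read_kernel_sysctls(readahead_t)` together with `kernel_read_net_sysctls(readahead_t)` keeps the grant minimal; if something under another tree is really read, a comment naming that sysctl would justify the widening.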
-@@ -46,10 +49,12 @@
+@@ -46,10 +48,12 @@
storage_raw_read_fixed_disk(readahead_t)
domain_use_interactive_fds(readahead_t)
@@ -844,7 +846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-@@ -58,6 +63,7 @@
+@@ -58,6 +62,7 @@
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
@@ -852,7 +854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
-@@ -72,6 +78,7 @@
+@@ -72,6 +77,7 @@
init_getattr_initctl(readahead_t)
logging_send_syslog_msg(readahead_t)
@@ -2223,7 +2225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-05-08 12:51:11.000000000 -0400
@@ -60,7 +60,7 @@
allow gpg_t self:capability { ipc_lock setuid };
@@ -2321,6 +2323,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# GPG agent local policy
+@@ -248,5 +266,5 @@
+ ')
+
+ optional_policy(`
+- xserver_stream_connect(gpg_pinentry_t)
++ xserver_common_app(gpg_pinentry_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.12/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/apps/java.fc 2009-04-23 09:44:57.000000000 -0400
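Review bot: `xserver_common_app(gpg_pinentry_t)` is wider than the `xserver_stream_connect(gpg_pinentry_t)` it replaces: the xserver.if change later in this patch shows the interface also grants receive/send on `x_event`/`x_synthetic_event` and calls `xserver_use_xdm`. pinentry is the passphrase dialog, so its X footprint should be a deliberate choice rather than a side effect of the bulk rename. If the fuller client access is required for the dialog to work, record it with a comment such as `# pinentry is a full X client for its passphrase dialog`. The enclosing optional_policy block starts outside the hunk.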
@@ -2360,7 +2369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:java_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-04-28 12:20:13.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/java.if 2009-05-08 12:53:35.000000000 -0400
@@ -30,6 +30,7 @@
allow java_t $2:unix_stream_socket connectto;
@@ -2369,7 +2378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -68,3 +69,130 @@
+@@ -68,3 +69,131 @@
domtrans_pattern($1, java_exec_t, unconfined_java_t)
corecmd_search_bin($1)
')
@@ -2497,12 +2506,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ corecmd_bin_domtrans($1_java_t, $1_t)
+
+ optional_policy(`
++ xserver_common_app($1_java_t)
+ xserver_role($1_r, $1_java_t)
+ ')
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-04-28 12:19:47.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/java.te 2009-05-08 12:53:24.000000000 -0400
@@ -20,6 +20,8 @@
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2544,7 +2554,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
nis_use_ypbind(java_t)
')
-@@ -147,4 +151,12 @@
+@@ -131,6 +135,7 @@
+ ')
+
+ optional_policy(`
++ xserver_common_app(java_t)
+ xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+ ')
+
+@@ -147,4 +152,12 @@
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
@@ -3167,8 +3185,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,294 @@
++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-05-08 12:52:11.000000000 -0400
+@@ -0,0 +1,293 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3358,8 +3376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type user_tmpfs_t;
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
-+ xserver_stream_connect_xdm(nsplugin_t)
-+ xserver_stream_connect(nsplugin_t)
++ xserver_common_app(nsplugin_t)
+ xserver_rw_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
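Review bot: Dropping `xserver_stream_connect_xdm(nsplugin_t)` together with `xserver_stream_connect(nsplugin_t)` assumes `xserver_common_app` also reaches the display manager's socket; the xserver.if hunk in this patch shows it now calls `xserver_stream_connect($1)` and `xserver_use_xdm($1)`, but the body of xserver_use_xdm is not visible here. Worth confirming that xserver_use_xdm includes the xdm_tmp_t stream connect, otherwise plugins started under a display manager lose that path without an audit trail pointing back to this change.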
@@ -3472,8 +3489,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.12/policy/modules/apps/openoffice.if
--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/openoffice.if 2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,92 @@
++++ serefpolicy-3.6.12/policy/modules/apps/openoffice.if 2009-05-08 12:53:55.000000000 -0400
+@@ -0,0 +1,93 @@
+## Openoffice
+
+#######################################
@@ -3563,6 +3580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $3 $1_openoffice_t:process { signal sigkill };
+ allow $1_openoffice_t $3:unix_stream_socket connectto;
+ optional_policy(`
++ xserver_common_app($1_openoffice_t)
+ xserver_common_x_domain_template($1, $1_openoffice_t)
+ ')
+')
@@ -3876,7 +3894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te 2009-04-23 09:48:50.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.te 2009-05-08 12:51:50.000000000 -0400
@@ -0,0 +1,111 @@
+policy_module(pulseaudio,1.0.0)
+
@@ -3977,7 +3995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_common_app(pulseaudio_t)
+ xserver_read_xdm_pid(pulseaudio_t)
-+ xserver_stream_connect(pulseaudio_t)
++ xserver_common_app(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+')
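Review bot: After this change `xserver_common_app(pulseaudio_t)` appears twice in the same optional_policy block — the pre-existing first line and the line that replaced `xserver_stream_connect(pulseaudio_t)`. Duplicate interface calls compile fine but read as a leftover from the bulk rename; drop the second occurrence so the block lists `xserver_common_app(pulseaudio_t)` once, followed by the xdm file rules.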
@@ -4573,7 +4591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typealias uml_tmp_t alias { user_uml_tmp_t staff_uml_tmp_t sysadm_uml_tmp_t };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.12/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/vmware.te 2009-05-08 12:51:38.000000000 -0400
@@ -29,6 +29,10 @@
type vmware_host_exec_t;
init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -4646,7 +4664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_read_tmp_files(vmware_host_t)
+ xserver_read_xdm_pid(vmware_host_t)
-+ xserver_stream_connect(vmware_host_t)
++ xserver_common_app(vmware_host_t)
+')
+
+
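Review bot: vmware_host_t is declared with `init_daemon_domain` a few hunks above, and `xserver_common_app(vmware_host_t)` now gives that system daemon X client privileges (event send/receive, xdm use) instead of the bare socket connect it had. If the daemon only needs to reach the X socket, keeping `xserver_stream_connect(vmware_host_t)` is the tighter fit; if it genuinely acts as an X client, a one-line comment saying so would justify the broader grant.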
@@ -4759,7 +4777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-05-08 12:51:26.000000000 -0400
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
@@ -4787,7 +4805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_common_app(wine_t)
+ xserver_read_xdm_pid(wine_t)
-+ xserver_stream_connect(wine_t)
++ xserver_common_app(wine_t)
+ xserver_rw_shm(wine_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.6.12/policy/modules/apps/wm.fc
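Review bot: The replacement line `xserver_common_app(wine_t)` duplicates the `xserver_common_app(wine_t)` already at the top of the same optional_policy block, so the interface is expanded twice for no effect. Remove one of them; the block should read `xserver_common_app(wine_t)`, `xserver_read_xdm_pid(wine_t)`, `xserver_rw_shm(wine_t)`.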
@@ -5241,13 +5259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type urandom_device_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-05-07 10:28:45.000000000 -0400
-@@ -1,4 +1,4 @@
--## Core policy for domains.
-+# Core policy for domains.
- ##
- ## Contains the concept of a domain.
- ##
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-05-08 11:33:48.000000000 -0400
@@ -525,7 +525,7 @@
')
@@ -5483,7 +5495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-07 10:31:31.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-08 13:00:36.000000000 -0400
@@ -110,6 +110,11 @@
##
#
@@ -5639,7 +5651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
allow $1 modules_object_t:dir search_dir_perms;
-+ read_link_file_pattern($1, modules_object_t, modules_object_t)
++ read_lnk_files_pattern($1, modules_object_t, modules_object_t)
')
########################################
@@ -6003,7 +6015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-04 11:25:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-08 11:48:52.000000000 -0400
@@ -1197,6 +1197,26 @@
')
@@ -10511,7 +10523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-30 17:45:01.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-05-08 12:52:48.000000000 -0400
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -10602,7 +10614,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
- xserver_stream_connect(consolekit_t)
+- xserver_stream_connect(consolekit_t)
++ xserver_common_app(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
+ corenet_tcp_connect_xserver_port(consolekit_t)
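Review bot: `xserver_common_app(consolekit_t)` now appears on the line that replaced `xserver_stream_connect(consolekit_t)` and again two lines below it. One of the two is redundant and should go; keeping the earlier one next to the other xserver_* calls reads most naturally. The optional_policy block is cut by the hunk, so check there is not a third copy below.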
@@ -13581,12 +13594,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_file(fetchmail_var_run_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc
--- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-05-07 10:07:34.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-05-08 11:59:23.000000000 -0400
@@ -0,0 +1,4 @@
+
+/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0)
+
-+/var/lib/fprint gen_context(system_u:object_r:fprintd_var_lib_t,s0)
++/var/lib/fprint(/.*)? gen_context(system_u:object_r:fprintd_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
--- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-07 10:09:49.000000000 -0400
@@ -20533,6 +20546,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.6.12/policy/modules/services/rhgb.te
+--- nsaserefpolicy/policy/modules/services/rhgb.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/rhgb.te 2009-05-08 12:53:02.000000000 -0400
+@@ -118,7 +118,7 @@
+ xserver_domtrans(rhgb_t)
+ xserver_signal(rhgb_t)
+ xserver_read_xdm_tmp_files(rhgb_t)
+-xserver_stream_connect(rhgb_t)
++xserver_common_app(rhgb_t)
+
+ optional_policy(`
+ consoletype_exec(rhgb_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/ricci.te 2009-04-23 09:44:57.000000000 -0400
@@ -22699,7 +22724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-30 08:12:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-05-08 07:53:09.000000000 -0400
@@ -20,6 +20,35 @@
##
gen_tunable(spamd_enable_home_dirs, true)
@@ -22736,7 +22761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type spamassassin_t;
type spamassassin_exec_t;
typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-@@ -51,11 +80,18 @@
+@@ -51,10 +80,18 @@
typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
files_tmp_file(spamc_tmp_t)
ubac_constrained(spamc_tmp_t)
@@ -22745,17 +22770,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type spamd_t;
type spamd_exec_t;
init_daemon_domain(spamd_t, spamd_exec_t)
-
++can_exec(spamd_t, spamd_exec_t)
++
+type spamd_initrc_exec_t;
+init_script_file(spamd_initrc_exec_t)
+
+type spamd_log_t;
+logging_log_file(spamd_log_t)
-+
+
type spamd_spool_t;
files_type(spamd_spool_t)
-
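Review bot: The added `can_exec(spamd_t, spamd_exec_t)` lets spamd run its own binary without a domain transition, presumably so the daemon can re-exec itself on restart, but nothing in the hunk says why. A why-comment above the line, e.g. `# spamd re-execs itself on restart and must stay in spamd_t`, would keep it from being mistaken for a stray rule. spamd_t's rule block continues well beyond the hunk.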
-@@ -110,6 +146,7 @@
+@@ -110,6 +147,7 @@
dev_read_urand(spamassassin_t)
fs_search_auto_mountpoints(spamassassin_t)
@@ -22763,7 +22788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -159,6 +196,7 @@
+@@ -159,6 +197,7 @@
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -22771,7 +22796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_read_config(spamassassin_t)
')
-@@ -195,6 +233,7 @@
+@@ -195,6 +234,7 @@
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -22779,7 +22804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -216,16 +255,32 @@
+@@ -216,16 +256,32 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -22812,7 +22837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -239,6 +294,7 @@
+@@ -239,6 +295,7 @@
corenet_sendrecv_all_client_packets(spamc_t)
fs_search_auto_mountpoints(spamc_t)
@@ -22820,7 +22845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: these should probably be removed:
corecmd_list_bin(spamc_t)
-@@ -255,9 +311,15 @@
+@@ -255,9 +312,15 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -22836,7 +22861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -265,13 +327,16 @@
+@@ -265,13 +328,16 @@
sysnet_read_config(spamc_t)
@@ -22860,7 +22885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -280,16 +345,21 @@
+@@ -280,16 +346,21 @@
')
optional_policy(`
@@ -22884,7 +22909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -301,7 +371,7 @@
+@@ -301,7 +372,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -22893,7 +22918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -317,10 +387,13 @@
+@@ -317,10 +388,13 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -22908,7 +22933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +402,11 @@
+@@ -329,10 +403,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -22921,7 +22946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +456,27 @@
+@@ -382,22 +457,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -22953,7 +22978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_manage_cifs_files(spamd_t)
')
-@@ -415,6 +494,7 @@
+@@ -415,6 +495,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -22961,7 +22986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -424,10 +504,6 @@
+@@ -424,10 +505,6 @@
')
optional_policy(`
@@ -22972,7 +22997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
postfix_read_config(spamd_t)
')
-@@ -442,6 +518,10 @@
+@@ -442,6 +519,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -22983,7 +23008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -454,5 +534,9 @@
+@@ -454,5 +535,9 @@
')
optional_policy(`
@@ -23340,7 +23365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.12/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/ssh.te 2009-05-08 12:48:13.000000000 -0400
@@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t)
@@ -23440,7 +23465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
xserver_domtrans_xauth(ssh_t)
-+ xserver_stream_connect(ssh_t)
++ xserver_common_app(ssh_t)
')
########################################
@@ -24305,7 +24330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-07 13:00:34.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-08 12:01:14.000000000 -0400
@@ -8,19 +8,31 @@
##
@@ -24399,21 +24424,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +106,12 @@
+@@ -67,7 +106,11 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
-manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+virtual_manage_image(virtd_t)
+virtual_image_relabel(virtd_t)
-+virtual_read_all_domains_state(virtd_t)
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +130,7 @@
+@@ -86,6 +129,7 @@
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t)
@@ -24421,7 +24445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -96,7 +141,7 @@
+@@ -96,29 +140,48 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@@ -24430,9 +24454,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +149,40 @@
+ corenet_rw_tun_tap_dev(virtd_t)
- dev_read_sysfs(virtd_t)
+-dev_read_sysfs(virtd_t)
++dev_rw_sysfs(virtd_t)
dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
@@ -24472,7 +24497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_getattr_pty_fs(virtd_t)
term_use_ptmx(virtd_t)
-@@ -129,6 +193,13 @@
+@@ -129,6 +192,13 @@
logging_send_syslog_msg(virtd_t)
@@ -24486,7 +24511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_all_users_state(virtd_t)
tunable_policy(`virt_use_nfs',`
-@@ -167,22 +238,34 @@
+@@ -167,22 +237,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@@ -24526,7 +24551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -195,8 +278,88 @@
+@@ -195,8 +277,88 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -24710,7 +24735,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-05-07 14:58:55.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-05-08 12:47:46.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -24850,15 +24875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -680,6 +680,7 @@
-
- files_search_tmp($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
-+ xserver_common_app($1)
- ')
-
- ########################################
-@@ -738,6 +739,7 @@
+@@ -738,6 +738,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -24866,7 +24883,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -756,7 +758,26 @@
+@@ -756,7 +757,26 @@
')
files_search_pids($1)
@@ -24894,7 +24911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -779,6 +800,50 @@
+@@ -779,6 +799,50 @@
########################################
##
@@ -24945,7 +24962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -872,6 +937,27 @@
+@@ -872,6 +936,27 @@
########################################
##
@@ -24973,7 +24990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to write the X server
## log files.
##
-@@ -1018,10 +1104,11 @@
+@@ -1018,10 +1103,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -24986,15 +25003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1136,6 +1223,7 @@
-
- files_search_tmp($1)
- stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
-+ xserver_common_app($1)
- ')
-
- ########################################
-@@ -1159,6 +1247,275 @@
+@@ -1159,6 +1245,275 @@
########################################
##
@@ -25270,7 +25279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1172,7 +1529,102 @@
+@@ -1172,7 +1527,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -25349,6 +25358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ # can receive own events
+ allow $1 xevent_type:{ x_event x_synthetic_event } { receive send };
+ xserver_communicate($1, $1)
++ xserver_stream_connect($1)
+ xserver_use_xdm($1)
+')
+
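Review bot: With `xserver_stream_connect($1)` now called from inside `xserver_common_app`, the interface is a strict superset of the stream-connect interface, and callers elsewhere in this patch (pulseaudio, wine, consolekit) end up invoking both. The interface's header comment, which sits above this hunk, should state the inclusion so callers know the extra call is redundant, e.g. `## Includes xserver_stream_connect(): connects to the X server socket.`. The interface definition starts outside the hunk.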
@@ -28174,7 +28184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.12/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/modutils.te 2009-05-08 12:50:09.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -30615,7 +30625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-07 10:23:04.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-08 13:06:19.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -30977,7 +30987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -420,34 +421,43 @@
+@@ -420,34 +421,41 @@
## is the prefix for user_t).
##
##
@@ -31022,7 +31032,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_user_client($1, user_tmpfs_t)
+ xserver_xsession_entry_type($1)
+ xserver_dontaudit_write_log($1)
-+ xserver_stream_connect_xdm($1)
# certain apps want to read xdm.pid file
- xserver_read_xdm_pid($1_t)
+ xserver_read_xdm_pid($1)
@@ -31032,14 +31041,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
+ xserver_manage_xdm_tmp_files($1)
-+ xserver_stream_connect($1)
+ xserver_xdm_dbus_chat($1)
+ ')
+
')
#######################################
-@@ -497,11 +507,7 @@
+@@ -497,11 +505,7 @@
attribute unpriv_userdomain;
')
@@ -31052,7 +31060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -512,189 +518,200 @@
+@@ -512,189 +516,200 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -31334,7 +31342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -722,13 +739,26 @@
+@@ -722,13 +737,26 @@
userdom_base_user_template($1)
@@ -31366,7 +31374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1)
-@@ -746,70 +776,71 @@
+@@ -746,70 +774,71 @@
allow $1_t self:context contains;
@@ -31471,7 +31479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -846,6 +877,28 @@
+@@ -846,6 +875,28 @@
# Local policy
#
@@ -31500,16 +31508,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -876,7 +929,7 @@
+@@ -876,7 +927,10 @@
userdom_restricted_user_template($1)
- userdom_xwindows_client_template($1)
+ userdom_xwindows_client($1_usertype)
++ optional_policy(`
++ xserver_common_app($1_t)
++ ')
##############################
#
-@@ -884,14 +937,19 @@
+@@ -884,14 +938,19 @@
#
auth_role($1_r, $1_t)
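Review bot: The new `xserver_common_app($1_t)` in the middle of the hunk targets only the `$1_t` type, while the line just above it, `userdom_xwindows_client($1_usertype)`, targets the whole `$1_usertype` attribute; since the same commit removes `xserver_stream_connect($1)` and `xserver_stream_connect_xdm($1)` from userdom_xwindows_client, any type in that attribute other than `$1_t` (and any caller of userdom_xwindows_client not visible here) apparently loses the ability to connect to the X server socket. If xserver_common_app accepts an attribute, `xserver_common_app($1_usertype)` would keep the two calls symmetric; if restricting it to `$1_t` is deliberate, a one-line comment such as `# X socket access only for the primary user domain, not the whole $1_usertype attribute` would stop the next reader from "fixing" it. The definition of xserver_common_app is not part of this diff, so what it grants beyond the removed stream_connect calls cannot be checked here. The enclosing template (apparently userdom_restricted_xwindows_user_template) starts and ends outside the hunk.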
@@ -31534,7 +31545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +957,33 @@
+@@ -899,28 +958,33 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -31575,7 +31586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -954,8 +1017,8 @@
+@@ -954,8 +1018,8 @@
# Declarations
#
@@ -31585,7 +31596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -964,11 +1027,12 @@
+@@ -964,11 +1028,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -31600,7 +31611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1050,55 @@
+@@ -986,37 +1051,55 @@
')
')
@@ -31670,7 +31681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -1050,7 +1132,7 @@
+@@ -1050,7 +1133,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -31679,7 +31690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1059,8 +1141,7 @@
+@@ -1059,8 +1142,7 @@
#
# Inherit rules for ordinary users.
@@ -31689,7 +31700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1164,8 @@
+@@ -1083,7 +1165,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -31699,7 +31710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1181,7 @@
+@@ -1099,6 +1182,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -31707,7 +31718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1189,6 @@
+@@ -1106,8 +1190,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -31716,7 +31727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1243,6 @@
+@@ -1162,20 +1244,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -31737,7 +31748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1288,7 @@
+@@ -1221,6 +1289,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -31745,7 +31756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1354,15 @@
+@@ -1286,11 +1355,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -31761,7 +31772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1387,7 +1459,7 @@
+@@ -1387,7 +1460,7 @@
########################################
##
@@ -31770,7 +31781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1420,6 +1492,14 @@
+@@ -1420,6 +1493,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -31785,7 +31796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1435,9 +1515,11 @@
+@@ -1435,9 +1516,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -31797,7 +31808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1494,6 +1576,25 @@
+@@ -1494,6 +1577,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -31823,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1568,6 +1669,8 @@
+@@ -1568,6 +1670,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -31832,7 +31843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1643,6 +1746,7 @@
+@@ -1643,6 +1747,7 @@
type user_home_dir_t, user_home_t;
')
@@ -31840,7 +31851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,30 +1845,80 @@
+@@ -1741,30 +1846,80 @@
########################################
##
@@ -31903,7 +31914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`userdom_dontaudit_delete_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
- ')
++ ')
+
+ allow $1 user_home_t:dir delete_file_perms;
+')
@@ -31923,7 +31934,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gen_require(`
+ type user_home_dir_t;
+ attribute user_home_type;
-+ ')
+ ')
+
+ files_search_home($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
@@ -31931,7 +31942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1787,6 +1941,46 @@
+@@ -1787,6 +1942,46 @@
########################################
##
@@ -31978,7 +31989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
##
-@@ -1799,6 +1993,7 @@
+@@ -1799,6 +1994,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -31986,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2523,7 @@
+@@ -2328,7 +2524,7 @@
########################################
##
@@ -31995,7 +32006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2814,12 +3009,12 @@
+@@ -2814,12 +3010,12 @@
type user_tmp_t;
')
@@ -32010,7 +32021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2827,17 +3022,17 @@
+@@ -2827,17 +3023,35 @@
##
##
#
@@ -32029,14 +32040,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
-## Read the process state of all user domains.
+## Do not audit attempts to use user ttys.
- ##
- ##
- ##
-@@ -2845,12 +3040,31 @@
- ##
- ##
- #
--interface(`userdom_read_all_users_state',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`userdom_dontaudit_use_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
@@ -32048,16 +32058,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+########################################
+##
+## Read the process state of all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_read_all_users_state',`
- gen_require(`
- attribute userdomain;
+ ##
+ ##
+ ##
+@@ -2851,6 +3065,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@@ -32065,7 +32069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -2981,3 +3195,481 @@
+@@ -2981,3 +3196,481 @@
allow $1 userdomain:dbus send_msg;
')
@@ -32642,8 +32646,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# No application file contexts.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-05-07 10:24:35.000000000 -0400
-@@ -0,0 +1,135 @@
++++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-05-08 13:09:00.000000000 -0400
+@@ -0,0 +1,119 @@
+## Virtual machine emulator and virtualizer
+
+########################################
@@ -32676,6 +32680,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ # could be started by libvirt
+ domain_user_exemption_target($1)
++
++ optional_policy(`
++ xserver_common_app($1)
++ ')
++
+')
+
+########################################
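Review bot: The `xserver_common_app($1)` added just before the template's closing `')` grants X client access to every domain built from this template whenever the xserver module is loaded, including guests that never need a local display; the only gate is `optional_policy`, not a tunable. Previously virtual.te granted `xserver_stream_connect(virtualdomain)` in the same unconditional way, so this is not obviously a widening, but xserver_common_app is not defined in this diff and may grant more than stream_connect, which is worth confirming before handing it to every virtual domain. A comment on the call, e.g. `# every domain from this template may talk to the local X server; gate behind a tunable if headless guests should not`, or a tunable_policy block instead of plain optional_policy, would make that decision explicit. The extra blank line inserted between the new `')` and the template's own `')` does not match the rest of the template. The template's header is outside the hunk.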
@@ -32758,31 +32767,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 virtualdomain:process { setsched transition signal signull sigkill };
+')
+
-+
-+########################################
-+##
-+## Read the process state of all virtual domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virtual_read_all_domains_state',`
-+ gen_require(`
-+ attribute virtualdomain;
-+ ')
-+
-+ read_files_pattern($1,virtualdomain,virtualdomain)
-+ read_lnk_files_pattern($1,virtualdomain,virtualdomain)
-+ kernel_search_proc($1)
-+')
-+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,80 @@
++++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-05-08 13:08:19.000000000 -0400
+@@ -0,0 +1,79 @@
+
+policy_module(virtualization, 1.1.2)
+
@@ -32858,7 +32846,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
-+ xserver_stream_connect(virtualdomain)
+ xserver_read_xdm_tmp_files(virtualdomain)
+ xserver_read_xdm_pid(virtualdomain)
+ xserver_rw_shm(virtualdomain)
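Review bot: After dropping `xserver_stream_connect(virtualdomain)`, the three xserver_* calls left in this optional_policy block still apply to the whole `virtualdomain` attribute, while the connect permission now comes from `xserver_common_app($1)` applied per type in the virtual.if template; if xserver_common_app already covers xdm tmp files, xdm pid and shm (its definition is not in this diff) these lines are redundant, and if it does not, X access is now split across two files with nothing saying why. Either remove the three calls together with the stream_connect one or add a comment such as `# connect to the X socket is granted per type via xserver_common_app in virtual.if; these stay on the attribute` so the split reads as intentional. A virtualdomain type that is not created through the template would also no longer get connect access, which is worth checking. The optional_policy block closes outside the hunk.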