diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index c08c7a9..8662f82 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -245,7 +245,7 @@ allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
-allow_unconfined_nsplugin_transition=true
+allow_unconfined_nsplugin_transition=false
# System uses init upstart program
#
diff --git a/policy-F12.patch b/policy-F12.patch
index 6c82550..41a9d6c 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -12909,7 +12909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-21 19:37:35.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-24 17:38:43.000000000 -0700
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -12951,16 +12951,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +70,8 @@
+@@ -63,6 +70,9 @@
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
++kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t)
corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +90,18 @@
+@@ -81,13 +91,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -12979,7 +12980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mls_file_read_all_levels(NetworkManager_t)
-@@ -98,15 +112,20 @@
+@@ -98,15 +113,20 @@
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
@@ -13001,7 +13002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +135,40 @@
+@@ -116,25 +136,40 @@
seutil_read_config(NetworkManager_t)
@@ -13049,7 +13050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -146,8 +180,25 @@
+@@ -146,8 +181,25 @@
')
optional_policy(`
@@ -13077,7 +13078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -155,23 +206,51 @@
+@@ -155,23 +207,51 @@
')
optional_policy(`
@@ -13131,7 +13132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -179,12 +258,15 @@
+@@ -179,12 +259,15 @@
')
optional_policy(`
@@ -15843,7 +15844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-25 07:42:34.000000000 -0700
@@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -15853,7 +15854,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-@@ -109,6 +109,10 @@
+@@ -99,6 +99,7 @@
+ files_read_etc_runtime_files($1_t)
+ files_search_var($1_t)
+ files_search_var_lib($1_t)
++ files_list_home($1_t)
+
+ auth_use_nsswitch($1_t)
+
+@@ -109,6 +110,10 @@
userdom_dontaudit_use_unpriv_user_fds($1_t)
optional_policy(`
@@ -15866,7 +15875,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-25 07:42:43.000000000 -0700
+@@ -53,7 +53,7 @@
+ # RPC local policy
+ #
+
+-allow rpcd_t self:capability { chown dac_override setgid setuid };
++allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+ allow rpcd_t self:fifo_file rw_fifo_file_perms;
+
+ allow rpcd_t rpcd_var_run_t:dir setattr;
@@ -91,6 +91,8 @@
seutil_dontaudit_search_config(rpcd_t)
@@ -19016,7 +19034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-25 07:58:35.000000000 -0700
@@ -3,12 +3,17 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -19028,7 +19046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
-+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0)
++HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@@ -23546,8 +23564,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-16 07:03:09.000000000 -0700
-@@ -535,6 +535,53 @@
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-24 20:11:24.000000000 -0700
+@@ -351,6 +351,27 @@
+
+ ########################################
+ ## <summary>
++## Execute restorecond in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_exec_restorecond',`
++ gen_require(`
++ type restorecond_exec_t;
++ ')
++
++ files_search_usr($1)
++ corecmd_search_bin($1)
++ can_exec($1, restorecond_exec_t)
++')
++
++########################################
++## <summary>
+ ## Execute run_init in the run_init domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -535,6 +556,53 @@
########################################
## <summary>
@@ -23601,7 +23647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
-@@ -680,6 +727,7 @@
+@@ -680,6 +748,7 @@
')
files_search_etc($1)
@@ -23609,7 +23655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
-@@ -999,6 +1047,26 @@
+@@ -999,6 +1068,26 @@
########################################
## <summary>
@@ -23636,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1010,7 +1078,7 @@
+@@ -1010,7 +1099,7 @@
## </param>
## <param name="role">
## <summary>
@@ -23645,7 +23691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## </param>
## <rolecap/>
-@@ -1028,6 +1096,33 @@
+@@ -1028,6 +1117,33 @@
########################################
## <summary>
@@ -23679,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Full management of the semanage
## module store.
## </summary>
-@@ -1139,3 +1234,194 @@
+@@ -1139,3 +1255,194 @@
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -25608,7 +25654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 10:30:04.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-21 05:24:59.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-24 20:12:04.000000000 -0700
@@ -30,8 +30,9 @@
')
@@ -26055,7 +26101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
-@@ -508,182 +515,208 @@
+@@ -508,182 +515,209 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -26160,6 +26206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_exec_checkpolicy($1_t)
- seutil_exec_setfiles($1_t)
+ seutil_exec_setfiles($1_usertype)
++ seutil_exec_restorecond($1_usertype)
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
@@ -26337,7 +26384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
-@@ -711,13 +744,26 @@
+@@ -711,13 +745,26 @@
userdom_base_user_template($1)
@@ -26369,7 +26416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1)
-@@ -735,70 +781,71 @@
+@@ -735,70 +782,71 @@
allow $1_t self:context contains;
@@ -26474,7 +26521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -835,6 +882,32 @@
+@@ -835,6 +883,32 @@
# Local policy
#
@@ -26507,7 +26554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r)
')
-@@ -865,51 +938,81 @@
+@@ -865,51 +939,81 @@
userdom_restricted_user_template($1)
@@ -26602,7 +26649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -943,8 +1046,8 @@
+@@ -943,8 +1047,8 @@
# Declarations
#
@@ -26612,7 +26659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
-@@ -953,11 +1056,12 @@
+@@ -953,11 +1057,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -26627,7 +26674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -975,36 +1079,53 @@
+@@ -975,36 +1080,53 @@
')
')
@@ -26695,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -1040,7 +1161,7 @@
+@@ -1040,7 +1162,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -26704,7 +26751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1049,8 +1170,7 @@
+@@ -1049,8 +1171,7 @@
#
# Inherit rules for ordinary users.
@@ -26714,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1075,6 +1195,9 @@
+@@ -1075,6 +1196,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -26724,7 +26771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1089,6 +1212,7 @@
+@@ -1089,6 +1213,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -26732,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1096,8 +1220,6 @@
+@@ -1096,8 +1221,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -26741,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1124,6 +1246,8 @@
+@@ -1124,6 +1247,8 @@
files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t)
@@ -26750,7 +26797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1152,20 +1276,6 @@
+@@ -1152,20 +1277,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -26771,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1211,6 +1321,7 @@
+@@ -1211,6 +1322,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -26779,7 +26826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1276,11 +1387,15 @@
+@@ -1276,11 +1388,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -26795,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1391,12 +1506,13 @@
+@@ -1391,12 +1507,13 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -26810,7 +26857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -1429,6 +1545,14 @@
+@@ -1429,6 +1546,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -26825,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1444,9 +1568,11 @@
+@@ -1444,9 +1569,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -26837,7 +26884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1503,6 +1629,25 @@
+@@ -1503,6 +1630,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -26863,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1577,6 +1722,8 @@
+@@ -1577,6 +1723,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -26872,7 +26919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1670,6 +1817,7 @@
+@@ -1670,6 +1818,7 @@
type user_home_dir_t, user_home_t;
')
@@ -26880,7 +26927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1797,19 +1945,32 @@
+@@ -1797,19 +1946,32 @@
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -26920,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1844,6 +2005,7 @@
+@@ -1844,6 +2006,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -26928,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2391,27 +2553,7 @@
+@@ -2391,27 +2554,7 @@
########################################
## <summary>
@@ -26957,7 +27004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -2765,11 +2907,32 @@
+@@ -2765,11 +2908,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -26992,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2897,7 +3060,25 @@
+@@ -2897,7 +3061,25 @@
type user_tmp_t;
')
@@ -27019,7 +27066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2934,6 +3115,7 @@
+@@ -2934,6 +3116,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -27027,7 +27074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -3064,3 +3246,559 @@
+@@ -3064,3 +3247,559 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/policygentool b/policygentool
index bbdfa97..117f4fa 100644
--- a/policygentool
+++ b/policygentool
@@ -1,297 +1,3 @@
-#! /usr/bin/env python
-# Copyright (C) 2006 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# policygentool is a tool for the initial generation of SELinux policy
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
-# 02111-1307 USA
-#
-#
-import os, sys, getopt
-import re
-
-########################### Interface File #############################
-interface="""\
-## <summary>policy for TEMPLATETYPE</summary>
-
-########################################
-## <summary>
-## Execute a domain transition to run TEMPLATETYPE.
-## </summary>
-## <param name=\"domain\">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`TEMPLATETYPE_domtrans',`
- gen_require(`
- type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
- ')
-
- domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
-
- allow TEMPLATETYPE_t $1:fd use;
- allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
- allow TEMPLATETYPE_t $1:process sigchld;
-')
-"""
-
-########################### Type Enforcement File #############################
-te="""\
-policy_module(TEMPLATETYPE,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type TEMPLATETYPE_t;
-type TEMPLATETYPE_exec_t;
-domain_type(TEMPLATETYPE_t)
-init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
-"""
-te_logfile="""
-# log files
-type TEMPLATETYPE_var_log_t;
-logging_log_file(TEMPLATETYPE_var_log_t)
-"""
-te_pidfile="""
-# pid files
-type TEMPLATETYPE_var_run_t;
-files_pid_file(TEMPLATETYPE_var_run_t)
-"""
-te_libfile="""
-# var/lib files
-type TEMPLATETYPE_var_lib_t;
-files_type(TEMPLATETYPE_var_lib_t)
-"""
-te_sep="""
-########################################
-#
-# TEMPLATETYPE local policy
-#
-# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
-
-# Some common macros (you might be able to remove some)
-files_read_etc_files(TEMPLATETYPE_t)
-libs_use_ld_so(TEMPLATETYPE_t)
-libs_use_shared_libs(TEMPLATETYPE_t)
-miscfiles_read_localization(TEMPLATETYPE_t)
-## internal communication is often done using fifo and unix sockets.
-allow TEMPLATETYPE_t self:fifo_file { read write };
-allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
-"""
-te_pidfile2="""
-# pid file
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
-"""
-te_logfile2="""
-# log files
-allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
-logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
-"""
-te_libfile2="""
-# var/lib files for TEMPLATETYPE
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
-files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
-"""
-te_network2="""
-## Networking basics (adjust to your needs!)
-sysnet_dns_name_resolve(TEMPLATETYPE_t)
-corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
-corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
-corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
-corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
-corenet_tcp_connect_http_port(TEMPLATETYPE_t)
-#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
-## if it is a network daemon, consider these:
-#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
-#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
-allow TEMPLATETYPE_t self:tcp_socket { listen accept };
-"""
-te_initsc2="""
-# Init script handling
-init_use_fds(TEMPLATETYPE_t)
-init_use_script_ptys(TEMPLATETYPE_t)
-domain_use_interactive_fds(TEMPLATETYPE_t)
-"""
-
-########################### File Context ##################################
-fc="""\
-# TEMPLATETYPE executable will have:
-# label: system_u:object_r:TEMPLATETYPE_exec_t
-# MLS sensitivity: s0
-# MCS categories: <none>
-
-EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
-"""
-fc_pidfile="""\
-FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
-"""
-fc_logfile="""\
-FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
-"""
-fc_libfile="""\
-FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
-"""
-def errorExit(error):
- sys.stderr.write("%s: " % sys.argv[0])
- sys.stderr.write("%s\n" % error)
- sys.stderr.flush()
- sys.exit(1)
-
-
-def write_te_file(module, pidfile, logfile, libfile, network, initsc):
- file="%s.te" % module
- newte=re.sub("TEMPLATETYPE", module, te)
- if libfile:
- newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
- if logfile:
- newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
- if pidfile:
- newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
- newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
- if libfile:
- newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
- if logfile:
- newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
- if pidfile:
- newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
- if network:
- newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
- if initsc:
- newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
- if os.path.exists(file):
- errorExit("%s already exists" % file)
- fd = open(file, 'w')
- fd.write(newte)
- fd.close()
-
-def write_if_file(module):
- file="%s.if" % module
- newif=re.sub("TEMPLATETYPE", module, interface)
- if os.path.exists(file):
- errorExit("%s already exists" % file)
- fd = open(file, 'w')
- fd.write(newif)
- fd.close()
-
-def write_fc_file(module, executable, pidfile, logfile, libfile):
- file="%s.fc" % module
- temp=re.sub("TEMPLATETYPE", module, fc)
- newfc=re.sub("EXECUTABLE", executable, temp)
- if pidfile:
- temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
- newfc=newfc + re.sub("FILENAME", pidfile, temp)
- if logfile:
- temp=re.sub("TEMPLATETYPE", module, fc_logfile)
- newfc=newfc + re.sub("FILENAME", logfile, temp)
- if libfile:
- temp=re.sub("TEMPLATETYPE", module, fc_libfile)
- newfc=newfc + re.sub("FILENAME", libfile, temp)
- if os.path.exists(file):
- errorExit("%s already exists" % file)
- fd = open(file, 'w')
- fd.write(newfc)
- fd.close()
-
-def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
- write_te_file(module, pidfile, logfile, libfile, initsc, network)
- write_if_file(module)
- write_fc_file(module, executable, pidfile, logfile, libfile)
-
-if __name__ == '__main__':
- def usage(message = ""):
- print '%s ModuleName Executable' % sys.argv[0]
- sys.exit(1)
-
- if len(sys.argv) != 3:
- usage()
-
- print """\n
-This tool generate three files for policy development, A Type Enforcement (te)
-file, a File Context (fc), and a Interface File(if). Most of the policy rules
-will be written in the te file. Use the File Context file to associate file
-paths with security context. Use the interface rules to allow other protected
-domains to interact with the newly defined domains.
-
-After generating these files use the /usr/share/selinux/devel/Makefile to
-compile your policy package. Then use the semodule tool to load it.
-
-# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
-# make -f /usr/share/selinux/devel/Makefile
-# semodule -i myapp.pp
-# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
-
-Now you can turn on permissive mode, start your application and avc messages
-will be generated. You can use audit2allow to help translate the avc messages
-into policy.
-
-# setenforce 0
-# service myapp start
-# audit2allow -R -i /var/log/audit/audit.log
-
-Return to continue:"""
- sys.stdin.readline().rstrip()
-
- print 'If the module uses pidfiles, what is the pidfile called?'
- pidfile = sys.stdin.readline().rstrip()
- if pidfile == "":
- pidfile = None
- print 'If the module uses logfiles, where are they stored?'
- logfile = sys.stdin.readline().rstrip()
- if logfile == "":
- logfile = None
- print 'If the module has var/lib files, where are they stored?'
- libfile = sys.stdin.readline().rstrip()
- if libfile == "":
- libfile = None
- print 'Does the module have a init script? [yN]'
- initsc = sys.stdin.readline().rstrip()
- if initsc == "" or initsc == "n" or initsc == "N":
- initsc = False
- elif initsc == "y" or initsc == "Y":
- initsc = True
- else:
- raise "Please answer with 'y' or 'n'!"
- print 'Does the module use the network? [yN]'
- network = sys.stdin.readline().rstrip()
- if network == "" or network == "n" or network == "N":
- network = False
- elif network == "y" or network == "Y":
- network = True
- else:
- raise "Please answer with 'y' or 'n'!"
-
- gen_policy(
- module=sys.argv[1],
- executable=sys.argv[2],
- pidfile=pidfile,
- logfile=logfile,
- libfile=libfile,
- initsc=initsc,
- network=network
- )
-
-
+#!/bin/sh
+echo "$0 is no longer supported, better tools exist for creating policy"
+echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4189670..31bd863 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -448,6 +448,9 @@ exit 0
%endif
%changelog
+* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
+- Allow users to exec restorecond
+
* Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
- Allow sendmail to request kernel modules load