diff --git a/modules-targeted.conf b/modules-targeted.conf
index 474c0b5..f2fc695 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -479,6 +479,13 @@ gnome = module
#
hal = module
+# Layer: services
+# Module: polkit
+#
+# Hardware abstraction layer
+#
+polkit = module
+
# Layer: system
# Module: hostname
#
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 03f871f..03e1063 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.2.3/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -1,15 +1,9 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -28,13 +28,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default
+system_r:xdm_t:s0 system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context
--- nsaserefpolicy/config/appconfig-mcs/failsafe_context 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/failsafe_context 2007-12-06 16:37:24.000000000 -0500
@@ -1 +1 @@
-sysadm_r:sysadm_t:s0
+system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/guest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
@@ -42,7 +42,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/root_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -1,11 +1,10 @@
-system_r:crond_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_crond_t:s0 staff_r:staff_crond_t:s0 user_r:user_crond_t:s0
-system_r:local_login_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -64,7 +64,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_de
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.2.3/config/appconfig-mcs/seusers
--- nsaserefpolicy/config/appconfig-mcs/seusers 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/seusers 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/seusers 2007-12-06 16:37:24.000000000 -0500
@@ -1,3 +1,2 @@
-system_u:system_u:s0-mcs_systemhigh
root:root:s0-mcs_systemhigh
@@ -72,13 +72,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers
+__default__:system_u:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context
--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/userhelper_context 2007-12-06 16:37:24.000000000 -0500
@@ -1 +1 @@
-system_u:sysadm_r:sysadm_t:s0
+system_u:system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 2007-11-05 10:28:59.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/user_u_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -1,8 +1,7 @@
-system_r:local_login_t:s0 user_r:user_t:s0
-system_r:remote_login_t:s0 user_r:user_t:s0
@@ -97,7 +97,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_
+user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mcs/xguest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t:s0
+system_r:remote_login_t xguest_r:xguest_t:s0
@@ -106,7 +106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_
+system_r:xdm_t xguest_r:xguest_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.2.3/config/appconfig-mls/default_contexts
--- nsaserefpolicy/config/appconfig-mls/default_contexts 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/config/appconfig-mls/default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mls/default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -1,15 +1,12 @@
-system_r:crond_t:s0 user_r:user_crond_t:s0 staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 unconfined_r:unconfined_crond_t:s0
-system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -136,7 +136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default
+user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-mls/guest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0 guest_r:guest_t:s0
+system_r:remote_login_t:s0 guest_r:guest_t:s0
@@ -144,7 +144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u
+system_r:crond_t:s0 guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-standard/guest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1,4 @@
+system_r:local_login_t guest_r:guest_t
+system_r:remote_login_t guest_r:guest_t
@@ -152,16 +152,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/gu
+system_r:crond_t guest_r:guest_crond_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/config/appconfig-standard/xguest_u_default_contexts 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1,5 @@
+system_r:local_login_t xguest_r:xguest_t
+system_r:remote_login_t xguest_r:xguest_t
+system_r:sshd_t xguest_r:xguest_t
+system_r:crond_t xguest_r:xguest_crond_t
+system_r:xdm_t xguest_r:xguest_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.3/Makefile
+--- nsaserefpolicy/Makefile 2007-10-12 08:56:10.000000000 -0400
++++ serefpolicy-3.2.3/Makefile 2007-12-11 00:02:37.000000000 -0500
+@@ -305,20 +305,22 @@
+
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+- $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++ echo "" >> $2
++# $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++# $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+- $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+- $(call parse-rolemap,$1,$2)
+- $(verbose) echo "')" >> $2
+-
+- $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+- $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+- $(call parse-rolemap-compat,$1,$2)
+- $(verbose) echo "')" >> $2
++ echo "No longer doing perrole-expansion"
++# $(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++# $(call parse-rolemap,$1,$2)
++# $(verbose) echo "')" >> $2
++
++# $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++# $(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++# $(call parse-rolemap-compat,$1,$2)
++# $(verbose) echo "')" >> $2
+ endef
+
+ # create-base-per-role-tmpl modulenames,outputfile
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.3/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400
-+++ serefpolicy-3.2.3/policy/flask/access_vectors 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/flask/access_vectors 2007-12-06 16:37:24.000000000 -0500
@@ -639,6 +639,8 @@
send
recv
@@ -173,7 +209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.2.3/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.3/policy/global_tunables 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/global_tunables 2007-12-06 16:37:24.000000000 -0500
@@ -6,38 +6,35 @@
##
@@ -5065,7 +5173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
gen_tunable(named_write_master_zones,false)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.3/policy/modules/services/bluetooth.fc
--- nsaserefpolicy/policy/modules/services/bluetooth.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/bluetooth.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/bluetooth.fc 2007-12-06 16:37:24.000000000 -0500
@@ -22,3 +22,4 @@
#
/var/lib/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
@@ -5073,7 +5181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
+/var/run/bluetoothd_address gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.3/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/bluetooth.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/bluetooth.te 2007-12-06 16:37:24.000000000 -0500
@@ -44,7 +44,7 @@
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
@@ -5093,7 +5201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.2.3/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-09-05 15:24:44.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/clamav.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/clamav.fc 2007-12-06 16:37:24.000000000 -0500
@@ -5,16 +5,18 @@
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
@@ -5117,7 +5225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.2.3/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/clamav.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/clamav.te 2007-12-06 16:37:24.000000000 -0500
@@ -87,6 +87,7 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
@@ -5156,7 +5264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.3/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/consolekit.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/consolekit.te 2007-12-06 16:37:24.000000000 -0500
@@ -36,6 +36,7 @@
domain_read_all_domains_state(consolekit_t)
@@ -5193,7 +5301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.2.3/policy/modules/services/courier.te
--- nsaserefpolicy/policy/modules/services/courier.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/courier.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/courier.te 2007-12-06 16:37:24.000000000 -0500
@@ -58,6 +58,7 @@
files_getattr_tmp_dirs(courier_authdaemon_t)
@@ -5204,7 +5312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.2.3/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cron.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cron.fc 2007-12-11 00:59:24.000000000 -0500
@@ -17,6 +17,8 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -5221,7 +5329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.3/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/cron.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cron.if 2007-12-06 16:37:24.000000000 -0500
@@ -35,38 +35,23 @@
#
template(`cron_per_role_template',`
@@ -5473,7 +5581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.3/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cron.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cron.te 2007-12-06 16:37:24.000000000 -0500
@@ -50,6 +50,7 @@
type crond_tmp_t;
@@ -5668,7 +5776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.2.3/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cups.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cups.fc 2007-12-06 16:37:24.000000000 -0500
@@ -8,17 +8,15 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5719,7 +5827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.3/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cups.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cups.te 2007-12-11 00:11:19.000000000 -0500
@@ -43,14 +43,12 @@
type cupsd_var_run_t;
@@ -5746,9 +5854,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
########################################
-@@ -81,11 +81,12 @@
+@@ -79,13 +79,14 @@
+ #
+
# /usr/lib/cups/backend/serial needs sys_admin(?!)
- allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
++allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
@@ -5792,7 +5903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -149,31 +156,39 @@
+@@ -149,32 +156,35 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -5818,24 +5929,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
--mls_file_write_all_levels(cupsd_t)
--mls_file_read_all_levels(cupsd_t)
-+mls_file_write_down(cupsd_t)
-+mls_file_read_up(cupsd_t)
+ mls_file_write_all_levels(cupsd_t)
+ mls_file_read_all_levels(cupsd_t)
+mls_rangetrans_target(cupsd_t)
mls_socket_write_all_levels(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
- auth_domtrans_chk_passwd(cupsd_t)
-+auth_domtrans_upd_passwd_chk(cupsd_t)
- auth_dontaudit_read_pam_pid(cupsd_t)
-+auth_rw_faillog(cupsd_t)
-
+-auth_domtrans_chk_passwd(cupsd_t)
+-auth_dontaudit_read_pam_pid(cupsd_t)
+-
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
-@@ -186,7 +201,7 @@
+ corecmd_exec_bin(cupsd_t)
+@@ -186,7 +196,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -5844,7 +5952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -195,12 +210,9 @@
+@@ -195,15 +205,16 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -5858,7 +5966,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
init_exec_script_files(cupsd_t)
-@@ -220,16 +232,37 @@
++auth_domtrans_chk_passwd(cupsd_t)
++auth_domtrans_upd_passwd_chk(cupsd_t)
++auth_dontaudit_read_pam_pid(cupsd_t)
++auth_rw_faillog(cupsd_t)
+ auth_use_nsswitch(cupsd_t)
+
+ libs_use_ld_so(cupsd_t)
+@@ -220,16 +231,37 @@
seutil_read_config(cupsd_t)
@@ -5898,7 +6013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -242,6 +275,7 @@
+@@ -242,6 +274,7 @@
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -5906,7 +6021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
userdom_dbus_send_all_users(cupsd_t)
-@@ -263,6 +297,10 @@
+@@ -263,6 +296,10 @@
')
optional_policy(`
@@ -5917,7 +6032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -326,11 +364,13 @@
+@@ -326,6 +363,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -5925,13 +6040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-
- corecmd_exec_bin(cupsd_config_t)
-+corecmd_exec_sbin(cupsd_config_t)
- corecmd_exec_shell(cupsd_config_t)
-
- domain_use_interactive_fds(cupsd_config_t)
-@@ -372,12 +412,17 @@
+@@ -372,12 +410,17 @@
')
optional_policy(`
@@ -5949,7 +6058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
optional_policy(`
hal_dbus_chat(cupsd_config_t)
-@@ -387,6 +432,7 @@
+@@ -387,6 +430,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -5957,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -499,14 +545,12 @@
+@@ -499,14 +543,12 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -5976,7 +6085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -537,13 +581,15 @@
+@@ -537,14 +579,14 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -5989,11 +6098,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
# for python
corecmd_exec_bin(hplip_t)
-+corecmd_search_sbin(hplip_t)
-
+-
domain_use_interactive_fds(hplip_t)
-@@ -565,6 +611,7 @@
+ files_read_etc_files(hplip_t)
+@@ -565,6 +607,7 @@
userdom_dontaudit_search_all_users_home_content(hplip_t)
lpd_read_config(cupsd_t)
@@ -6003,7 +6112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(hplip_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.3/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/cvs.te 2007-12-06 14:18:05.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/cvs.te 2007-12-06 16:37:24.000000000 -0500
@@ -69,6 +69,8 @@
fs_getattr_xattr_fs(cvs_t)
@@ -6036,7 +6145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-06 14:22:51.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-06 16:37:24.000000000 -0500
@@ -91,7 +91,7 @@
# SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -6101,9 +6210,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.2.3/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te 2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.3/policy/modules/services/dcc.te 2007-12-10 16:49:33.000000000 -0500
+@@ -124,7 +124,7 @@
+ # dcc procmail interface local policy
+ #
+
+-allow dcc_client_t self:capability setuid;
++allow dcc_client_t self:capability { setgid setuid };
+ allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+ allow dcc_client_t self:udp_socket create_socket_perms;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.2.3/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dictd.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dictd.fc 2007-12-06 16:37:24.000000000 -0500
@@ -4,3 +4,4 @@
/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
@@ -6111,7 +6232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict
+/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-3.2.3/policy/modules/services/dictd.te
--- nsaserefpolicy/policy/modules/services/dictd.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/dictd.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dictd.te 2007-12-06 16:37:24.000000000 -0500
@@ -16,6 +16,9 @@
type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t)
@@ -6134,7 +6255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dict
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.2.3/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/dnsmasq.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dnsmasq.te 2007-12-06 16:37:24.000000000 -0500
@@ -94,3 +94,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
@@ -6145,7 +6266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.2.3/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dovecot.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dovecot.fc 2007-12-06 16:37:24.000000000 -0500
@@ -17,19 +17,24 @@
ifdef(`distro_debian', `
@@ -6173,7 +6294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.2.3/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dovecot.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dovecot.if 2007-12-06 16:37:24.000000000 -0500
@@ -18,3 +18,43 @@
manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
@@ -6220,7 +6341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.3/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/dovecot.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/dovecot.te 2007-12-06 20:31:31.000000000 -0500
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -6308,14 +6429,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -184,5 +203,45 @@
+@@ -184,5 +203,49 @@
')
optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
- ')
++')
+
+optional_policy(`
+ nis_authenticate(dovecot_auth_t)
@@ -6324,7 +6445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+optional_policy(`
+ postfix_manage_pivate_sockets(dovecot_auth_t)
+ postfix_search_spool(dovecot_auth_t)
-+')
+ ')
+
+# for gssapi (kerberos)
+userdom_list_unpriv_users_tmp(dovecot_auth_t)
@@ -6335,29 +6456,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+#
+# dovecot deliver local policy
+#
++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
++
+allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+
+kernel_read_all_sysctls(dovecot_deliver_t)
+kernel_read_system_state(dovecot_deliver_t)
+
-+dovecot_auth_stream_connect(dovecot_deliver_t)
-+
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
++logging_send_syslog_msg(dovecot_deliver_t)
++
+miscfiles_read_localization(dovecot_deliver_t)
+
++dovecot_auth_stream_connect(dovecot_deliver_t)
++
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.2.3/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/exim.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/exim.if 2007-12-06 16:37:24.000000000 -0500
@@ -117,6 +117,27 @@
########################################
@@ -6388,7 +6513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.2.3/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2007-10-24 15:17:31.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/exim.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/exim.te 2007-12-06 16:37:24.000000000 -0500
@@ -21,9 +21,20 @@
##
@@ -9449,7 +9774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.3/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/sasl.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/sasl.te 2007-12-06 16:37:24.000000000 -0500
@@ -64,6 +64,7 @@
selinux_compute_access_vector(saslauthd_t)
@@ -9471,7 +9796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.3/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2007-08-27 13:57:20.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/sendmail.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/sendmail.if 2007-12-06 16:37:24.000000000 -0500
@@ -149,3 +149,85 @@
logging_log_filetrans($1,sendmail_log_t,file)
@@ -9560,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.3/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/sendmail.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/sendmail.te 2007-12-06 16:37:24.000000000 -0500
@@ -20,12 +20,16 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -9660,7 +9985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/setroubleshoot.te 2007-12-06 16:37:24.000000000 -0500
@@ -27,8 +27,8 @@
# setroubleshootd local policy
#
@@ -9701,7 +10026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.3/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/snmp.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/snmp.te 2007-12-06 16:37:24.000000000 -0500
@@ -81,8 +81,7 @@
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
@@ -9714,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
fs_getattr_all_fs(snmpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.fc serefpolicy-3.2.3/policy/modules/services/soundserver.fc
--- nsaserefpolicy/policy/modules/services/soundserver.fc 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/soundserver.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/soundserver.fc 2007-12-06 16:37:24.000000000 -0500
@@ -1,5 +1,3 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
@@ -9730,7 +10055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
/var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.2.3/policy/modules/services/soundserver.te
--- nsaserefpolicy/policy/modules/services/soundserver.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/soundserver.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/soundserver.te 2007-12-06 16:37:24.000000000 -0500
@@ -10,9 +10,6 @@
type soundd_exec_t;
init_daemon_domain(soundd_t,soundd_exec_t)
@@ -9793,7 +10118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.3/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.fc 2007-12-06 16:37:24.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
@@ -9802,7 +10127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.3/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.if 2007-12-06 16:37:24.000000000 -0500
@@ -38,6 +38,8 @@
gen_require(`
type spamc_exec_t, spamassassin_exec_t;
@@ -9930,7 +10255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.3/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/spamassassin.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/spamassassin.te 2007-12-06 16:37:24.000000000 -0500
@@ -44,6 +44,15 @@
type spamassassin_exec_t;
application_executable_file(spamassassin_exec_t)
@@ -9975,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.2.3/policy/modules/services/squid.fc
--- nsaserefpolicy/policy/modules/services/squid.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/squid.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/squid.fc 2007-12-06 16:37:24.000000000 -0500
@@ -12,3 +12,5 @@
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
@@ -9984,7 +10309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.2.3/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2007-05-07 10:32:44.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/squid.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/squid.if 2007-12-06 16:37:24.000000000 -0500
@@ -131,3 +131,22 @@
interface(`squid_use',`
refpolicywarn(`$0($*) has been deprecated.')
@@ -10010,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.3/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/squid.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/squid.te 2007-12-06 16:37:24.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
@@ -10069,7 +10394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.2.3/policy/modules/services/ssh.fc
--- nsaserefpolicy/policy/modules/services/ssh.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ssh.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ssh.fc 2007-12-06 16:37:24.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ROLE_home_ssh_t,s0)
+HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:user_ssh_home_t,s0)
@@ -10078,7 +10403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.2.3/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-07-23 10:20:13.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ssh.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ssh.if 2007-12-06 16:37:24.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -10240,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.2.3/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/ssh.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/ssh.te 2007-12-06 16:37:24.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -10299,7 +10624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.2.3/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/telnet.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/telnet.te 2007-12-06 16:37:24.000000000 -0500
@@ -37,6 +37,8 @@
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty(telnetd_t,telnetd_devpts_t)
@@ -10350,7 +10675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.2.3/policy/modules/services/tftp.fc
--- nsaserefpolicy/policy/modules/services/tftp.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/tftp.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/tftp.fc 2007-12-06 16:37:24.000000000 -0500
@@ -4,3 +4,4 @@
/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
@@ -10358,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
+/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.2.3/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.3/policy/modules/services/uwimap.te 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/uwimap.te 2007-12-06 16:37:24.000000000 -0500
@@ -64,6 +64,7 @@
fs_search_auto_mountpoints(imapd_t)
@@ -10369,18 +10694,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwim
libs_use_shared_libs(imapd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-3.2.3/policy/modules/services/w3c.fc
--- nsaserefpolicy/policy/modules/services/w3c.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/w3c.fc 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/w3c.fc 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1,2 @@
+/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_content_t,s0)
+/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_w3c_validator_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.if serefpolicy-3.2.3/policy/modules/services/w3c.if
--- nsaserefpolicy/policy/modules/services/w3c.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.3/policy/modules/services/w3c.if 2007-12-06 14:13:13.000000000 -0500
++++ serefpolicy-3.2.3/policy/modules/services/w3c.if 2007-12-06 16:37:24.000000000 -0500
@@ -0,0 +1 @@
+##
@@ -14976,7 +15334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1187,12 +1161,11 @@
+@@ -1187,12 +1162,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -14991,7 +15349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
# Run pppd in pppd_t by default for user
-@@ -1278,8 +1251,6 @@
+@@ -1278,8 +1252,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -15000,7 +15358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1416,6 +1387,7 @@
+@@ -1416,6 +1388,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -15008,7 +15366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1781,10 +1753,14 @@
+@@ -1781,10 +1754,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -15024,7 +15382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1880,11 +1856,11 @@
+@@ -1880,11 +1857,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -15038,7 +15396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1914,11 +1890,11 @@
+@@ -1914,11 +1891,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -15052,7 +15410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1962,12 +1938,12 @@
+@@ -1962,12 +1939,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -15068,7 +15426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1997,10 +1973,10 @@
+@@ -1997,10 +1974,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -15081,7 +15439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2032,11 +2008,47 @@
+@@ -2032,11 +2009,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -15131,7 +15489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2068,10 +2080,10 @@
+@@ -2068,10 +2081,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -15144,7 +15502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2101,11 +2113,11 @@
+@@ -2101,11 +2114,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -15158,7 +15516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2135,11 +2147,11 @@
+@@ -2135,11 +2148,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -15173,7 +15531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2169,10 +2181,10 @@
+@@ -2169,10 +2182,10 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -15186,7 +15544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2202,11 +2214,11 @@
+@@ -2202,11 +2215,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -15200,7 +15558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2236,11 +2248,11 @@
+@@ -2236,11 +2249,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -15214,7 +15572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2270,10 +2282,10 @@
+@@ -2270,10 +2283,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -15227,7 +15585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2305,12 +2317,12 @@
+@@ -2305,12 +2318,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -15243,7 +15601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2342,10 +2354,10 @@
+@@ -2342,10 +2355,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -15256,7 +15614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2377,12 +2389,12 @@
+@@ -2377,12 +2390,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -15272,7 +15630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2414,12 +2426,12 @@
+@@ -2414,12 +2427,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -15288,7 +15646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2451,12 +2463,12 @@
+@@ -2451,12 +2464,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -15304,7 +15662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2501,11 +2513,11 @@
+@@ -2501,11 +2514,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -15318,7 +15676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2550,11 +2562,11 @@
+@@ -2550,11 +2563,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -15332,7 +15690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2594,11 +2606,11 @@
+@@ -2594,11 +2607,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -15346,7 +15704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2628,11 +2640,11 @@
+@@ -2628,11 +2641,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -15360,7 +15718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2662,11 +2674,11 @@
+@@ -2662,11 +2675,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -15374,7 +15732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2698,10 +2710,10 @@
+@@ -2698,10 +2711,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -15387,7 +15745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2733,10 +2745,10 @@
+@@ -2733,10 +2746,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -15400,7 +15758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2766,12 +2778,12 @@
+@@ -2766,12 +2779,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -15416,7 +15774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2803,10 +2815,10 @@
+@@ -2803,10 +2816,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -15429,15 +15787,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2838,10 +2850,48 @@
+@@ -2838,10 +2851,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
- type $1_tmp_t;
+ type user_tmp_t;
- ')
-
-- dontaudit $2 $1_tmp_t:file append;
++ ')
++
+ dontaudit $2 user_tmp_t:file append;
+')
+
@@ -15474,13 +15831,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ gen_require(`
+ attribute user_tmpfile;
+ attribute userdomain;
-+ ')
-+
+ ')
+
+- dontaudit $2 $1_tmp_t:file append;
+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)
')
########################################
-@@ -2871,12 +2921,12 @@
+@@ -2871,12 +2922,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -15496,7 +15854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2908,10 +2958,10 @@
+@@ -2908,10 +2959,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -15509,7 +15867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2943,12 +2993,12 @@
+@@ -2943,12 +2994,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -15525,7 +15883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2980,11 +3030,11 @@
+@@ -2980,11 +3031,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -15539,7 +15897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3016,11 +3066,11 @@
+@@ -3016,11 +3067,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -15553,7 +15911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3052,11 +3102,11 @@
+@@ -3052,11 +3103,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -15567,7 +15925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3088,11 +3138,11 @@
+@@ -3088,11 +3139,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -15581,7 +15939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3124,11 +3174,11 @@
+@@ -3124,11 +3175,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -15595,7 +15953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3173,10 +3223,10 @@
+@@ -3173,10 +3224,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -15608,7 +15966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3217,10 +3267,10 @@
+@@ -3217,10 +3268,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -15621,7 +15979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4225,11 +4275,11 @@
+@@ -4225,11 +4276,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -15635,7 +15993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4245,10 +4295,10 @@
+@@ -4245,10 +4296,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -15648,7 +16006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4264,11 +4314,11 @@
+@@ -4264,11 +4315,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -15662,7 +16020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4283,11 +4333,11 @@
+@@ -4283,11 +4334,11 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -15676,7 +16034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4303,10 +4353,10 @@
+@@ -4303,10 +4354,10 @@
#
interface(`userdom_dontaudit_append_staff_home_content_files',`
gen_require(`
@@ -15689,7 +16047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4321,13 +4371,13 @@
+@@ -4321,13 +4372,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -15707,7 +16065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4525,10 +4575,10 @@
+@@ -4525,10 +4576,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -15720,7 +16078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4545,10 +4595,10 @@
+@@ -4545,10 +4596,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -15733,7 +16091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4563,10 +4613,10 @@
+@@ -4563,10 +4614,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -15746,7 +16104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4582,10 +4632,10 @@
+@@ -4582,10 +4633,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -15759,7 +16117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4600,10 +4650,10 @@
+@@ -4600,10 +4651,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -15772,7 +16130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4619,10 +4669,10 @@
+@@ -4619,10 +4670,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -15785,7 +16143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4638,12 +4688,11 @@
+@@ -4638,12 +4689,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -15801,7 +16159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4670,10 +4719,10 @@
+@@ -4670,10 +4720,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -15814,7 +16172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4688,10 +4737,10 @@
+@@ -4688,10 +4738,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -15827,7 +16185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4706,13 +4755,13 @@
+@@ -4706,13 +4756,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -15845,7 +16203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4748,11 +4797,29 @@
+@@ -4748,11 +4798,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -15876,7 +16234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4772,6 +4839,14 @@
+@@ -4772,6 +4840,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -15891,7 +16249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5109,7 +5184,7 @@
+@@ -5109,7 +5185,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -15900,10 +16258,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5298,6 +5373,28 @@
+@@ -5298,8 +5374,8 @@
########################################
##