diff --git a/policy-20071130.patch b/policy-20071130.patch
index 2a31a44..0118935 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -14850,6 +14850,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+# This is caused by a bug in hald and PolicyKit.
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.3.1/policy/modules/services/inetd.if
+--- nsaserefpolicy/policy/modules/services/inetd.if 2007-03-26 10:39:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/inetd.if 2008-03-18 14:31:20.000000000 -0400
+@@ -115,6 +115,10 @@
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
++
++ optional_policy(`
++ stunnel_service_domain($1,$2)
++ ')
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.3.1/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/inetd.te 2008-03-10 16:49:55.000000000 -0400
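Review bot: The new `optional_policy` block in the inetd.if hunk calls `stunnel_service_domain($1,$2)` for every domain registered through the enclosing interface, so each inetd service domain also becomes a transition target of stunnel_t, and nothing in the hunk says that this is meant for all services rather than only those actually run through stunnel. A one-line comment above the block would make the scope explicit, e.g. `# stunnel in inetd mode may also spawn this service`. The enclosing interface starts outside the hunk, so the meaning of $2 (presumably the entrypoint type, matching the domtrans_pattern argument order in the stunnel.if hunk further down) cannot be confirmed here.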
@@ -19191,8 +19205,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.3.1/policy/modules/services/privoxy.fc
--- nsaserefpolicy/policy/modules/services/privoxy.fc 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-02-26 08:29:22.000000000 -0500
-@@ -4,3 +4,6 @@
++++ serefpolicy-3.3.1/policy/modules/services/privoxy.fc 2008-03-18 08:36:03.000000000 -0400
+@@ -1,6 +1,10 @@
+
+ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
++/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
/usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
/var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
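Review bot: `/etc/privoxy/default\.action` is given `privoxy_etc_rw_t`, the same writable type as `user\.action`, which lets the privoxy domain rewrite its shipped default filtering rules rather than only the user overrides. If the daemon only reads default.action (the web interface normally edits user.action), keeping it on the read-only type used for the rest of /etc/privoxy (not visible in this hunk) would stop a compromised or misbehaving privoxy from changing its own policy; if privoxy really does write it, a comment above the entry such as `# privoxy rewrites default.action from its web interface` would keep a later reviewer from "fixing" it back.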
@@ -20405,6 +20423,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.3.1/policy/modules/services/rsync.if
+--- nsaserefpolicy/policy/modules/services/rsync.if 2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rsync.if 2008-03-18 14:28:53.000000000 -0400
+@@ -103,3 +103,5 @@
+
+ can_exec($1,rsync_exec_t)
+ ')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.3.1/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/rsync.te 2008-02-26 08:29:22.000000000 -0500
@@ -21408,7 +21435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.3.1/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-02-26 09:14:48.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-03-18 14:40:00.000000000 -0400
@@ -20,13 +20,17 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -21461,7 +21488,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
auth_use_nsswitch(sendmail_t)
-@@ -97,20 +106,35 @@
+@@ -91,26 +100,42 @@
+ libs_read_lib_files(sendmail_t)
+
+ logging_send_syslog_msg(sendmail_t)
++logging_dontaudit_write_generic_logs(sendmail_t)
+
+ miscfiles_read_certs(sendmail_t)
+ miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
@@ -21498,7 +21532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
-@@ -118,6 +142,7 @@
+@@ -118,6 +143,7 @@
optional_policy(`
procmail_domtrans(sendmail_t)
@@ -21506,7 +21540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
')
optional_policy(`
-@@ -125,24 +150,25 @@
+@@ -125,24 +151,25 @@
')
optional_policy(`
@@ -23452,6 +23486,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
unconfined_shell_domtrans(sshd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.3.1/policy/modules/services/stunnel.if
+--- nsaserefpolicy/policy/modules/services/stunnel.if 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/stunnel.if 2008-03-18 14:31:14.000000000 -0400
+@@ -1 +1,24 @@
+ ## SSL Tunneling Proxy
++
++########################################
++##
++## Define the specified domain as a stunnel inetd service.
++##
++##
++##
++## The type associated with the stunnel inetd service process.
++##
++##
++##
++##
++## The type associated with the process program.
++##
++##
++#
++interface(`stunnel_service_domain',`
++ gen_require(`
++ type stunnel_t;
++ ')
++
++ domtrans_pattern(stunnel_t,$2,$1)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/telnet.te 2008-02-26 08:29:22.000000000 -0500
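Review bot: The header of the new `stunnel_service_domain` interface shows bare `##` lines where the summary and the two parameter descriptions would normally carry refpolicy's documentation tags; if the tags were lost in the patch itself rather than only in this rendering, the interface documentation generator will not associate the descriptions with `$1` and `$2`. The second description, `The type associated with the process program.`, is also ambiguous; `## The type of the program used to enter the domain.` would say what $2 is, and matches its use as the entrypoint argument of `domtrans_pattern(stunnel_t,$2,$1)`. The only caller visible in this diff is the inetd.if hunk near the top.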
@@ -25198,7 +25260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-11 19:35:25.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-18 15:08:05.000000000 -0400
@@ -8,6 +8,14 @@
##
@@ -25353,19 +25415,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
prelink_object_file(xkb_var_lib_t)
')
-@@ -95,8 +196,9 @@
+@@ -95,8 +196,11 @@
# XDM Local policy
#
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_ptrace sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
++dontaudit xdm_t self:capability sys_admin;
++
+allow xdm_t self:process { getattr setexec setpgid getsched ptrace setsched setrlimit signal_perms };
+
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +211,8 @@
+@@ -109,6 +213,8 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
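Review bot: `dontaudit xdm_t self:capability sys_admin;` is added without any comment, and sys_admin is the capability whose denials most often indicate a real problem, which the dontaudit will now hide from the audit log. Elsewhere in this file the trigger is named next to such rules (e.g. `# xdm tries to bind to biff_port_t`), so a line like `# <what in xdm requests sys_admin>; the denial is harmless` above the rule would let a later reviewer judge whether the suppression is still needed. The xdm local-policy section continues outside this hunk.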
@@ -25374,7 +25438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +235,22 @@
+@@ -131,15 +237,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -25398,7 +25462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +264,7 @@
+@@ -153,6 +266,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -25406,7 +25470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -173,6 +285,8 @@
+@@ -173,6 +287,8 @@
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
@@ -25415,7 +25479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -184,6 +298,7 @@
+@@ -184,6 +300,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -25423,7 +25487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -196,6 +311,7 @@
+@@ -196,6 +313,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -25431,7 +25495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -208,8 +324,8 @@
+@@ -208,8 +326,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -25442,7 +25506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
-@@ -226,6 +342,7 @@
+@@ -226,6 +344,7 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -25450,7 +25514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
-@@ -237,6 +354,7 @@
+@@ -237,6 +356,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25458,7 +25522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -245,6 +363,7 @@
+@@ -245,6 +365,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -25466,7 +25530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -256,12 +375,11 @@
+@@ -256,12 +377,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -25480,7 +25544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +388,13 @@
+@@ -270,8 +390,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -25494,7 +25558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +427,11 @@
+@@ -304,7 +429,11 @@
')
optional_policy(`
@@ -25507,7 +25571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -312,6 +439,23 @@
+@@ -312,6 +441,23 @@
')
optional_policy(`
@@ -25531,7 +25595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +466,10 @@
+@@ -322,6 +468,10 @@
')
optional_policy(`
@@ -25542,7 +25606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
-@@ -335,6 +483,11 @@
+@@ -335,6 +485,11 @@
')
optional_policy(`
@@ -25554,7 +25618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t)
')
-@@ -343,8 +496,8 @@
+@@ -343,8 +498,8 @@
')
optional_policy(`
@@ -25564,7 +25628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -380,7 +533,7 @@
+@@ -380,7 +535,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -25573,7 +25637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +545,15 @@
+@@ -392,6 +547,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@@ -25589,7 +25653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -404,9 +566,17 @@
+@@ -404,9 +568,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -25607,7 +25671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +590,22 @@
+@@ -420,6 +592,22 @@
')
optional_policy(`
@@ -25630,7 +25694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
-@@ -429,47 +615,139 @@
+@@ -429,47 +617,139 @@
')
optional_policy(`
@@ -25654,6 +25718,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # xserver signals unconfined user on startx
+ unconfined_signal(xdm_xserver_t)
+ unconfined_getpgid(xdm_xserver_t)
++')
++
++
++tunable_policy(`allow_xserver_execmem', `
++ allow xdm_xserver_t self:process { execheap execmem execstack };
')
-ifdef(`TODO',`
@@ -25677,25 +25746,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
-+
-+tunable_policy(`allow_xserver_execmem', `
-+ allow xdm_xserver_t self:process { execheap execmem execstack };
-+')
-+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
-+')
-+
-+ifdef(`distro_rhel4',`
-+ allow xdm_xserver_t self:process { execheap execmem };
')
++ifdef(`distro_rhel4',`
++ allow xdm_xserver_t self:process { execheap execmem };
++')
++
+##############################
#
-# Wants to delete .xsession-errors file
+# xauth_t Local policy
- #
--allow xdm_t user_home_type:file unlink;
++#
+domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
+
+userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
@@ -25742,11 +25805,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+##############################
#
--# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+-allow xdm_t user_home_type:file unlink;
+# iceauth_t Local policy
- #
--allow pam_t xdm_t:fifo_file { getattr ioctl write };
--') dnl end TODO
++#
+
+allow iceauth_t user_iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@@ -25770,9 +25831,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
+
+########################################
-+#
+ #
+-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+# Rules for unconfined access to this module
-+#
+ #
+-allow pam_t xdm_t:fifo_file { getattr ioctl write };
+-') dnl end TODO
+
+allow xserver_unconfined_type x_server_domain:x_server *;
+allow xserver_unconfined_type { x_domain x_rootwindow_t self }:x_drawable *;
@@ -27184,7 +27248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-03-18 14:40:44.000000000 -0400
@@ -4,6 +4,7 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -27202,16 +27266,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
-@@ -57,3 +58,6 @@
+@@ -57,3 +58,8 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
++
++/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-03-18 14:41:32.000000000 -0400
@@ -213,12 +213,7 @@
##
#
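Review bot: `/var/cfengine/outputs(/.*)?` is labelled with the generic `var_log_t` rather than a type owned by a cfengine module, so every domain that may write or manage generic logs (for instance through `logging_manage_all_logs`, visible later in this diff) also gains access to cfengine's output, and the entry sits in logging.fc where nothing else refers to cfengine. If a dedicated type is not wanted yet, a comment above the entry such as `# no cfengine module yet; treat its output directory as a generic log` would record that this is a deliberate stopgap rather than an oversight.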
@@ -27235,7 +27301,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -705,6 +702,7 @@
+@@ -641,6 +638,25 @@
+
+ ########################################
+ ##
++## Dontaudit Write generic log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_dontaudit_write_generic_logs',`
++ gen_require(`
++ type var_log_t;
++ ')
++
++ files_search_var($1)
++ dontaudit $1 var_log_t:file write;
++')
++
++########################################
++##
+ ## Read and write generic log files.
+ ##
+ ##
+@@ -705,6 +721,7 @@
interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
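Review bot: `files_search_var($1)` inside the new `logging_dontaudit_write_generic_logs` interface is an allow rule, so an interface whose name promises only to suppress audit messages also grants its caller search access on /var; callers such as `logging_dontaudit_write_generic_logs(sendmail_t)` in the sendmail.te hunk earlier in this diff will not expect a dontaudit call to add permissions. Keep the body to `dontaudit $1 var_log_t:file write;` and let callers that actually need the search permission obtain it through a non-dontaudit interface. The summary line could also follow the phrasing of its neighbours, `## Do not audit attempts to write generic log files.`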
@@ -27243,7 +27335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type auditd_var_run_t;
')
-@@ -719,6 +717,15 @@
+@@ -719,6 +736,15 @@
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
@@ -27259,7 +27351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -749,6 +756,7 @@
+@@ -749,6 +775,7 @@
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
@@ -27267,7 +27359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
allow $1 syslogd_t:process { ptrace signal_perms };
-@@ -776,6 +784,13 @@
+@@ -776,6 +803,13 @@
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -27281,7 +27373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -804,3 +819,127 @@
+@@ -804,3 +838,127 @@
logging_admin_audit($1, $2, $3)
logging_admin_syslog($1, $2, $3)
')
@@ -29745,7 +29837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-13 20:23:44.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-18 09:14:04.000000000 -0400
@@ -6,35 +6,67 @@
# Declarations
#
@@ -30025,7 +30117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -219,14 +278,34 @@
+@@ -219,14 +278,41 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -30033,7 +30125,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
optional_policy(`
- dbus_stub(unconfined_execmem_t)
--
++ gen_require(`
++ type unconfined_dbusd_t;
++ ')
++ unconfined_domain(unconfined_dbusd_t)
++')
+
++optional_policy(`
init_dbus_chat_script(unconfined_execmem_t)
+ dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
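Review bot: The new `optional_policy` block pulls `type unconfined_dbusd_t;` in through `gen_require` and then applies `unconfined_domain()` to it, which reaches directly into another module's declarations instead of using an interface that module exports, and removes all confinement from the user D-Bus daemon without saying why. A comment above the block, e.g. `# the unconfined user's session bus is itself unconfined; <reason>`, would record the rationale, and the unconfining should ideally be an interface in the module that declares unconfined_dbusd_t so the dependency is visible there. The surrounding section starts and continues outside this hunk.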
@@ -30080,7 +30178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-14 14:50:39.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-18 14:56:01.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -30097,7 +30195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
-@@ -45,66 +50,74 @@
+@@ -45,66 +50,76 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
@@ -30112,23 +30210,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- allow $1_t self:msg { send receive };
- allow $1_t self:context contains;
- dontaudit $1_t self:socket create;
--
-- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
-- term_create_pty($1_t,$1_devpts_t)
--
-- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
--
-- kernel_read_kernel_sysctls($1_t)
-- kernel_dontaudit_list_unlabeled($1_t)
-- kernel_dontaudit_getattr_unlabeled_files($1_t)
-- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
-- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
-- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
-- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
-- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
--
-- dev_dontaudit_getattr_all_blk_files($1_t)
-- dev_dontaudit_getattr_all_chr_files($1_t)
+ allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_t:key { create view read write search link setattr };
@@ -30145,14 +30226,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+ term_create_pty($1_usertype,$1_devpts_t)
-+
+
+- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
+- term_create_pty($1_t,$1_devpts_t)
+ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
-+
+
+- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ application_exec_all($1_usertype)
+
+- kernel_read_kernel_sysctls($1_t)
+- kernel_dontaudit_list_unlabeled($1_t)
+- kernel_dontaudit_getattr_unlabeled_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+- kernel_dontaudit_getattr_unlabeled_pipes($1_t)
+- kernel_dontaudit_getattr_unlabeled_sockets($1_t)
+- kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
+- kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
++ files_exec_usr_files($1_t)
+
+ kernel_read_kernel_sysctls($1_usertype)
+ kernel_read_all_sysctls($1_usertype)
-+
+
+- dev_dontaudit_getattr_all_blk_files($1_t)
+- dev_dontaudit_getattr_all_chr_files($1_t)
+ kernel_dontaudit_list_unlabeled($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
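Review bot: `files_exec_usr_files($1_t)` is added to the base user template on `$1_t` while every neighbouring rule in the rewritten block is on `$1_usertype` (for example `kernel_read_kernel_sysctls($1_usertype)` two lines below), so it is either an inconsistency or an intentional narrowing that deserves a comment. Since the same call is removed from a more specific template in the later hunk `@@ -1164,7 +1174,6 @@`, the net effect is that every domain built from the base template may now execute files under /usr, which widens what restricted user domains can run; if that is intended, `# every user domain may run programs under /usr` above the line makes it explicit, otherwise `files_exec_usr_files($1_usertype)` would match the surrounding block. The enclosing template starts outside this hunk.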
@@ -30200,9 +30296,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_ld_so($1_t)
--
-- miscfiles_read_localization($1_t)
-- miscfiles_read_certs($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_non_security_files($1_usertype)
@@ -30219,13 +30312,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ libs_use_shared_libs($1_usertype)
+ libs_exec_ld_so($1_usertype)
+- miscfiles_read_localization($1_t)
+- miscfiles_read_certs($1_t)
+-
- sysnet_read_config($1_t)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_certs($1_usertype)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -115,6 +128,10 @@
+@@ -115,6 +130,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -30236,7 +30332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -141,33 +158,13 @@
+@@ -141,33 +160,13 @@
#
template(`userdom_ro_home_template',`
gen_require(`
@@ -30275,7 +30371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -175,13 +172,14 @@
+@@ -175,13 +174,14 @@
#
# read-only home directory
@@ -30297,7 +30393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_list_home($1_t)
tunable_policy(`use_nfs_home_dirs',`
-@@ -231,30 +229,14 @@
+@@ -231,30 +231,14 @@
#
template(`userdom_manage_home_template',`
gen_require(`
@@ -30334,7 +30430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
-@@ -262,43 +244,46 @@
+@@ -262,43 +246,46 @@
#
# full control of the home directory
@@ -30409,7 +30505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -316,14 +301,20 @@
+@@ -316,14 +303,20 @@
##
#
template(`userdom_exec_home_template',`
@@ -30435,7 +30531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -341,11 +332,10 @@
+@@ -341,11 +334,10 @@
##
#
template(`userdom_poly_home_template',`
@@ -30451,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -369,18 +359,18 @@
+@@ -369,18 +361,18 @@
#
template(`userdom_manage_tmp_template',`
gen_require(`
@@ -30480,7 +30576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -396,7 +386,13 @@
+@@ -396,7 +388,13 @@
##
#
template(`userdom_exec_tmp_template',`
@@ -30495,7 +30591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -445,12 +441,12 @@
+@@ -445,12 +443,12 @@
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
@@ -30514,7 +30610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -510,10 +506,6 @@
+@@ -510,10 +508,6 @@
##
#
template(`userdom_exec_generic_pgms_template',`
@@ -30525,18 +30621,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corecmd_exec_bin($1_t)
')
-@@ -531,27 +523,20 @@
+@@ -531,27 +525,20 @@
##
#
template(`userdom_basic_networking_template',`
- gen_require(`
- type $1_t;
- ')
-
+-
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
-+ allow $1_usertype self:tcp_socket create_stream_socket_perms;
-+ allow $1_usertype self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@@ -30548,7 +30642,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
--
++ allow $1_usertype self:tcp_socket create_stream_socket_perms;
++ allow $1_usertype self:udp_socket create_socket_perms;
+
- optional_policy(`
- ipsec_match_default_spd($1_t)
- ')
@@ -30565,7 +30661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -568,30 +553,32 @@
+@@ -568,30 +555,32 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
@@ -30614,7 +30710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
-@@ -622,13 +609,7 @@
+@@ -622,13 +611,7 @@
##
## The template for allowing the user to change roles.
##
@@ -30629,7 +30725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
-@@ -692,183 +673,194 @@
+@@ -692,183 +675,194 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -30905,7 +31001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
-@@ -895,6 +887,8 @@
+@@ -895,6 +889,8 @@
##
#
template(`userdom_login_user_template', `
@@ -30914,7 +31010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_base_user_template($1)
userdom_manage_home_template($1)
-@@ -923,26 +917,26 @@
+@@ -923,70 +919,68 @@
allow $1_t self:context contains;
@@ -30946,16 +31042,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- fs_rw_anon_inodefs_files($1_t)
+ files_dontaudit_list_default($1_usertype)
+ files_dontaudit_read_default_files($1_usertype)
-+
+
+- auth_dontaudit_write_login_records($1_t)
+ fs_get_all_fs_quotas($1_usertype)
+ fs_getattr_all_fs($1_usertype)
+ fs_search_all($1_usertype)
+ fs_list_inotifyfs($1_usertype)
+ fs_rw_anon_inodefs_files($1_usertype)
- auth_dontaudit_write_login_records($1_t)
-
-@@ -950,43 +944,43 @@
+- application_exec_all($1_t)
++ auth_dontaudit_write_login_records($1_t)
# The library functions always try to open read-write first,
# then fall back to read-only if it fails.
@@ -31158,7 +31254,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1193,12 +1203,11 @@
+@@ -1164,7 +1174,6 @@
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
+
+- files_exec_usr_files($1_t)
+ # cjp: why?
+ files_read_kernel_symbol_table($1_t)
+
+@@ -1193,12 +1202,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -31173,7 +31277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
# Run pppd in pppd_t by default for user
-@@ -1207,7 +1216,27 @@
+@@ -1207,7 +1215,27 @@
')
optional_policy(`
@@ -31202,7 +31306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1284,8 +1313,6 @@
+@@ -1284,8 +1312,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -31211,7 +31315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1363,13 +1390,6 @@
+@@ -1363,13 +1389,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -31225,7 +31329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1442,7 @@
+@@ -1422,6 +1441,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -31233,7 +31337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1808,14 @@
+@@ -1787,10 +1807,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -31249,7 +31353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1886,11 +1911,11 @@
+@@ -1886,11 +1910,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -31263,7 +31367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1920,11 +1945,11 @@
+@@ -1920,11 +1944,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -31277,7 +31381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1968,12 +1993,12 @@
+@@ -1968,12 +1992,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -31293,7 +31397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2003,10 +2028,10 @@
+@@ -2003,10 +2027,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -31306,7 +31410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2038,11 +2063,47 @@
+@@ -2038,11 +2062,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -31356,7 +31460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2074,10 +2135,10 @@
+@@ -2074,10 +2134,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -31369,7 +31473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2107,11 +2168,11 @@
+@@ -2107,11 +2167,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -31383,7 +31487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2141,11 +2202,11 @@
+@@ -2141,11 +2201,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -31398,7 +31502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2175,10 +2236,14 @@
+@@ -2175,10 +2235,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -31415,7 +31519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2208,11 +2273,11 @@
+@@ -2208,11 +2272,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -31429,7 +31533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2242,11 +2307,11 @@
+@@ -2242,11 +2306,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -31443,7 +31547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2276,10 +2341,10 @@
+@@ -2276,10 +2340,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -31456,7 +31560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2311,12 +2376,12 @@
+@@ -2311,12 +2375,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -31472,7 +31576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2348,10 +2413,10 @@
+@@ -2348,10 +2412,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -31485,7 +31589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2383,12 +2448,12 @@
+@@ -2383,12 +2447,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -31501,7 +31605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2420,12 +2485,12 @@
+@@ -2420,12 +2484,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -31517,7 +31621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2457,12 +2522,12 @@
+@@ -2457,12 +2521,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -31533,7 +31637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2507,11 +2572,11 @@
+@@ -2507,11 +2571,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -31547,7 +31651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2556,11 +2621,11 @@
+@@ -2556,11 +2620,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -31561,7 +31665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2600,11 +2665,11 @@
+@@ -2600,11 +2664,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -31575,7 +31679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2634,11 +2699,11 @@
+@@ -2634,11 +2698,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -31589,7 +31693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2668,11 +2733,11 @@
+@@ -2668,11 +2732,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -31603,7 +31707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2704,10 +2769,10 @@
+@@ -2704,10 +2768,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -31616,7 +31720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2739,10 +2804,10 @@
+@@ -2739,10 +2803,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -31629,7 +31733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2772,12 +2837,12 @@
+@@ -2772,12 +2836,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -31645,7 +31749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2809,10 +2874,10 @@
+@@ -2809,10 +2873,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -31658,7 +31762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2844,10 +2909,48 @@
+@@ -2844,10 +2908,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -31709,7 +31813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2877,12 +2980,12 @@
+@@ -2877,12 +2979,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -31725,7 +31829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2914,10 +3017,10 @@
+@@ -2914,10 +3016,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -31738,7 +31842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2949,12 +3052,12 @@
+@@ -2949,12 +3051,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -31754,7 +31858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2986,11 +3089,11 @@
+@@ -2986,11 +3088,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -31768,7 +31872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3022,11 +3125,11 @@
+@@ -3022,11 +3124,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -31782,7 +31886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3058,11 +3161,11 @@
+@@ -3058,11 +3160,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -31796,7 +31900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3094,11 +3197,11 @@
+@@ -3094,11 +3196,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -31810,7 +31914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3130,11 +3233,11 @@
+@@ -3130,11 +3232,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -31824,7 +31928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3179,10 +3282,10 @@
+@@ -3179,10 +3281,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -31837,7 +31941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
-@@ -3223,10 +3326,10 @@
+@@ -3223,10 +3325,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -31850,7 +31954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -3254,6 +3357,42 @@
+@@ -3254,6 +3356,42 @@
##
##
#
@@ -31893,7 +31997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
-@@ -4231,11 +4370,11 @@
+@@ -4231,11 +4369,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -31907,7 +32011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4251,10 +4390,10 @@
+@@ -4251,10 +4389,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -31920,7 +32024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4270,11 +4409,11 @@
+@@ -4270,11 +4408,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -31934,7 +32038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4289,16 +4428,16 @@
+@@ -4289,16 +4427,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -31954,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory.
##
##
-@@ -4307,12 +4446,27 @@
+@@ -4307,12 +4445,27 @@
##
##
#
@@ -31985,7 +32089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4327,13 +4481,13 @@
+@@ -4327,13 +4480,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -32003,7 +32107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4531,10 +4685,10 @@
+@@ -4531,10 +4684,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -32016,7 +32120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4551,10 +4705,10 @@
+@@ -4551,10 +4704,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -32029,7 +32133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4569,10 +4723,10 @@
+@@ -4569,10 +4722,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -32042,7 +32146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4588,10 +4742,10 @@
+@@ -4588,10 +4741,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -32055,7 +32159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4606,10 +4760,10 @@
+@@ -4606,10 +4759,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -32068,7 +32172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4625,10 +4779,10 @@
+@@ -4625,10 +4778,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -32081,7 +32185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4644,12 +4798,11 @@
+@@ -4644,12 +4797,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -32097,7 +32201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4676,10 +4829,10 @@
+@@ -4676,10 +4828,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -32110,7 +32214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4694,10 +4847,10 @@
+@@ -4694,10 +4846,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -32123,7 +32227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4712,13 +4865,13 @@
+@@ -4712,13 +4864,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -32141,7 +32245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4754,11 +4907,49 @@
+@@ -4754,11 +4906,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -32192,7 +32296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4778,6 +4969,14 @@
+@@ -4778,6 +4968,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -32207,7 +32311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -4839,6 +5038,26 @@
+@@ -4839,6 +5037,26 @@
########################################
##
@@ -32234,7 +32338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all directories
## in all users home directories.
##
-@@ -4859,6 +5078,25 @@
+@@ -4859,6 +5077,25 @@
########################################
##
@@ -32260,7 +32364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all files
## in all users home directories.
##
-@@ -4879,6 +5117,26 @@
+@@ -4879,6 +5116,26 @@
########################################
##
@@ -32287,7 +32391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete all symlinks
## in all users home directories.
##
-@@ -5115,7 +5373,7 @@
+@@ -5115,7 +5372,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -32296,7 +32400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
-@@ -5304,6 +5562,50 @@
+@@ -5304,6 +5561,50 @@
########################################
##
@@ -32347,7 +32451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in
## unprivileged users home directories.
##
-@@ -5509,6 +5811,42 @@
+@@ -5509,6 +5810,42 @@
########################################
##
@@ -32390,7 +32494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
##
##
-@@ -5674,6 +6012,42 @@
+@@ -5674,6 +6011,42 @@
########################################
##
@@ -32433,7 +32537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
##
##
-@@ -5704,3 +6078,370 @@
+@@ -5704,3 +6077,370 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2d31cf7..b6953dc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,8 @@ exit 0
%endif
%changelog
+* Tue Mar 18 2008 Dan Walsh 3.3.1-22
+
* Mon Mar 17 2008 Dan Walsh 3.3.1-21
- Fixes for qemu/virtd