diff --git a/policy-20080710.patch b/policy-20080710.patch
index 29d84f6..d81e454 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -4417,8 +4417,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gstreamer-.*			gen_context(system_u:object_r:nsplugin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.9/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.if	2008-09-25 08:33:18.000000000 -0400
-@@ -0,0 +1,293 @@
++++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.if	2008-09-29 10:47:02.000000000 -0400
+@@ -0,0 +1,290 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -4500,7 +4500,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		type nsplugin_home_t;
 +		type nsplugin_exec_t;
 +		type nsplugin_config_exec_t;
-+		type $1_tmpfs_t;
 +		type nsplugin_t;
 +		type nsplugin_config_t;
 +	')
@@ -4534,8 +4533,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
 +	gnome_stream_connect(nsplugin_t, $2)
 +
-+	allow nsplugin_t $1_tmpfs_t:file { read getattr };
-+
 +	userdom_use_user_terminals($1, nsplugin_t)
 +	userdom_use_user_terminals($1, nsplugin_config_t)
 +
@@ -4714,7 +4711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.9/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/apps/nsplugin.te	2008-09-29 11:06:29.000000000 -0400
 @@ -0,0 +1,234 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -4784,6 +4781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
 +userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
 +unprivuser_dontaudit_write_home_content_files(nsplugin_t)
++userdom_manage_tmpfs(nsplugin_t)
 +
 +corecmd_exec_bin(nsplugin_t)
 +corecmd_exec_shell(nsplugin_t)
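Review bot: `userdom_manage_tmpfs(nsplugin_t)`, added after `unprivuser_dontaudit_write_home_content_files(nsplugin_t)`, appears to widen what nsplugin_t may do to user tmpfs files. The rule this commit removes from nsplugin.if was `allow nsplugin_t $1_tmpfs_t:file { read getattr };`, whereas a "manage" interface normally also covers create, write and unlink. nsplugin_t hosts browser plugins that parse untrusted web content, so if reading the session's shared-memory segments is all the wrapper needs, a read-only interface would keep the earlier boundary. The definition of `userdom_manage_tmpfs` is not visible in this hunk, so confirm what it grants. Either way, a one-line comment above the call naming the consumer that needs write access would make the grant reviewable.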
@@ -4814,7 +4812,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_read_config_files(nsplugin_t)
 +
 +fs_list_inotifyfs(nsplugin_t)
-+fs_manage_tmpfs_files(nsplugin_t)
 +fs_getattr_tmpfs(nsplugin_t)
 +fs_getattr_xattr_fs(nsplugin_t)
 +
@@ -8796,7 +8793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.9/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/roles/sysadm.if	2008-09-29 15:11:59.000000000 -0400
 @@ -334,10 +334,10 @@
  #
  interface(`sysadm_getattr_home_dirs',`
@@ -8929,7 +8926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
 -	dontaudit $1 sysadm_home_t:dir search_dir_perms;
 -	dontaudit $1 sysadm_home_t:file read_file_perms;
-+	dontaudit $1 admin_home_t:dir search_dir_perms;
++	dontaudit $1 admin_home_t:dir list_dir_perms;
 +	dontaudit $1 admin_home_t:file read_file_perms;
 +
  ')
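Review bot: Widening `dontaudit $1 admin_home_t:dir search_dir_perms;` to `list_dir_perms` also silences denials for reading the contents of admin_home_t directories. A confined domain that tries to enumerate the administrator's home therefore leaves no AVC record unless dontaudit rules are disabled. The access is still denied, but that record is what an investigator would use to notice the attempt. If the wider rule exists to quiet a known harmless caller, name it in a comment above the rule, e.g. `# <caller> lists the admin home at startup; denial is expected`, with the caller filled in. The interface header lies outside this hunk, so whether its summary still matches the rule could not be checked.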
@@ -12477,8 +12474,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.9/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/clamav.fc	2008-09-25 08:33:18.000000000 -0400
-@@ -1,20 +1,21 @@
++++ serefpolicy-3.5.9/policy/modules/services/clamav.fc	2008-09-29 13:12:08.000000000 -0400
+@@ -1,20 +1,22 @@
  /etc/clamav(/.*)?			gen_context(system_u:object_r:clamd_etc_t,s0)
 +/etc/rc\.d/init\.d/clamd-wrapper	--	gen_context(system_u:object_r:clamd_initrc_exec_t,s0)
  
@@ -12497,6 +12494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/run/clamd.*			gen_context(system_u:object_r:clamd_var_run_t,s0)
  
  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
++/var/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
  
 -/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 -/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
@@ -13547,8 +13545,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -') dnl end TODO
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.9/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/cups.fc	2008-09-25 08:33:18.000000000 -0400
-@@ -8,24 +8,31 @@
++++ serefpolicy-3.5.9/policy/modules/services/cups.fc	2008-09-30 10:27:16.000000000 -0400
+@@ -8,24 +8,33 @@
  /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13556,6 +13554,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
++
++/etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
  
  /etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
  
@@ -13583,7 +13583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
  /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
  /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +40,7 @@
+@@ -33,7 +42,7 @@
  
  /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
  /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13592,7 +13592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +50,20 @@
+@@ -43,10 +52,20 @@
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
@@ -13744,18 +13744,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.9/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2008-09-03 07:59:15.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/cups.te	2008-09-25 08:33:18.000000000 -0400
-@@ -20,6 +20,9 @@
++++ serefpolicy-3.5.9/policy/modules/services/cups.te	2008-09-29 14:52:28.000000000 -0400
+@@ -20,6 +20,12 @@
  type cupsd_etc_t;
  files_config_file(cupsd_etc_t)
  
 +type cupsd_initrc_exec_t;
 +init_script_file(cupsd_initrc_exec_t)
 +
++type cupsd_interface_t;
++files_type(cupsd_interface_t)
++
  type cupsd_rw_etc_t;
  files_config_file(cupsd_rw_etc_t)
  
-@@ -48,6 +51,10 @@
+@@ -48,6 +54,10 @@
  type hplip_t;
  type hplip_exec_t;
  init_daemon_domain(hplip_t, hplip_exec_t)
@@ -13766,7 +13769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  type hplip_etc_t;
  files_config_file(hplip_etc_t)
-@@ -65,6 +72,16 @@
+@@ -65,6 +75,16 @@
  type ptal_var_run_t;
  files_pid_file(ptal_var_run_t)
  
@@ -13783,7 +13786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
  ')
-@@ -79,13 +96,14 @@
+@@ -79,13 +99,14 @@
  #
  
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -13801,7 +13804,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow cupsd_t self:tcp_socket create_stream_socket_perms;
  allow cupsd_t self:udp_socket create_socket_perms;
  allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -104,7 +122,7 @@
+@@ -97,6 +118,9 @@
+ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+ files_search_etc(cupsd_t)
+ 
++manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
++can_exec(cupsd_t, cupsd_interface_t)
++
+ manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+ filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+@@ -104,7 +128,7 @@
  
  # allow cups to execute its backend scripts
  can_exec(cupsd_t, cupsd_exec_t)
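Review bot: The two added rules, `manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` and `can_exec(cupsd_t, cupsd_interface_t)`, let cupsd_t create or modify files of a type it can then execute in its own domain. That is the write-then-execute combination a confined daemon policy normally keeps apart. cupsd_t is network-facing (the same file grants `corenet_tcp_connect_all_ports(cupsd_t)`), so a flaw in the daemon would gain a place to store and run content without leaving the domain. If interface scripts are only installed by an administrative tool, consider `read_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)` plus the `can_exec`, and give the manage permission to the installing domain. If cupsd itself must write them (presumably when a queue with a System V interface script is added), say so in a comment above the rules.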
@@ -13810,7 +13823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow cupsd_t cupsd_exec_t:lnk_file read;
  
  manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-@@ -116,13 +134,20 @@
+@@ -116,13 +140,20 @@
  manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
  files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
  
@@ -13833,7 +13846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow cupsd_t hplip_var_run_t:file { read getattr };
  
  stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-@@ -149,44 +174,49 @@
+@@ -149,44 +180,49 @@
  corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -13888,7 +13901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +225,16 @@
+@@ -195,15 +231,16 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -13909,7 +13922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_use_nsswitch(cupsd_t)
  
  libs_use_ld_so(cupsd_t)
-@@ -219,17 +250,22 @@
+@@ -219,17 +256,22 @@
  miscfiles_read_fonts(cupsd_t)
  
  seutil_read_config(cupsd_t)
@@ -13934,7 +13947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -246,8 +282,16 @@
+@@ -246,8 +288,16 @@
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
@@ -13951,7 +13964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -263,6 +307,10 @@
+@@ -263,6 +313,10 @@
  ')
  
  optional_policy(`
@@ -13962,7 +13975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
-@@ -281,7 +329,7 @@
+@@ -281,7 +335,7 @@
  # Cups configuration daemon local policy
  #
  
@@ -13971,7 +13984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit cupsd_config_t self:capability sys_tty_config;
  allow cupsd_config_t self:process signal_perms;
  allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -326,6 +374,7 @@
+@@ -326,6 +380,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -13979,7 +13992,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -343,7 +392,7 @@
+@@ -343,7 +398,7 @@
  files_read_var_symlinks(cupsd_config_t)
  
  # Alternatives asks for this
@@ -13988,7 +14001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(cupsd_config_t)
  
-@@ -353,6 +402,7 @@
+@@ -353,6 +408,7 @@
  logging_send_syslog_msg(cupsd_config_t)
  
  miscfiles_read_localization(cupsd_config_t)
@@ -13996,7 +14009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  seutil_dontaudit_search_config(cupsd_config_t)
  
-@@ -365,14 +415,16 @@
+@@ -365,14 +421,16 @@
  sysadm_dontaudit_search_home_dirs(cupsd_config_t)
  
  ifdef(`distro_redhat',`
@@ -14015,7 +14028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -388,6 +440,7 @@
+@@ -388,6 +446,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -14023,7 +14036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -500,7 +553,7 @@
+@@ -500,7 +559,7 @@
  allow hplip_t self:udp_socket create_socket_perms;
  allow hplip_t self:rawip_socket create_socket_perms;
  
@@ -14032,7 +14045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  cups_stream_connect(hplip_t)
  
-@@ -509,6 +562,8 @@
+@@ -509,6 +568,8 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -14041,7 +14054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
  
-@@ -538,7 +593,8 @@
+@@ -538,7 +599,8 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -14051,7 +14064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -564,12 +620,14 @@
+@@ -564,12 +626,14 @@
  userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -14067,7 +14080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -651,3 +709,45 @@
+@@ -651,3 +715,45 @@
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -15210,7 +15223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.9/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/dnsmasq.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/dnsmasq.if	2008-09-30 09:59:17.000000000 -0400
 @@ -1 +1,117 @@
  ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
 +
@@ -15279,7 +15292,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The type of the process performing this action.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
@@ -18671,7 +18684,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.9/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te	2008-09-25 15:14:50.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te	2008-09-30 10:18:26.000000000 -0400
 @@ -33,9 +33,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
@@ -18730,11 +18743,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -128,14 +136,18 @@
- # in /etc created by NetworkManager will be labelled net_conf_t.
- sysnet_manage_config(NetworkManager_t)
- sysnet_etc_filetrans_config(NetworkManager_t)
+@@ -119,23 +127,27 @@
+ 
+ seutil_read_config(NetworkManager_t)
+ 
+-sysnet_domtrans_ifconfig(NetworkManager_t)
++sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_delete_dhcpc_pid(NetworkManager_t)
+ sysnet_domtrans_dhcpc(NetworkManager_t)
+-sysnet_signal_dhcpc(NetworkManager_t)
++sysnet_domtrans_ifconfig(NetworkManager_t)
++sysnet_kill_dhcpc(NetworkManager_t)
++sysnet_manage_config(NetworkManager_t)
 +sysnet_read_dhcp_config(NetworkManager_t)
+ sysnet_read_dhcpc_pid(NetworkManager_t)
+-sysnet_delete_dhcpc_pid(NetworkManager_t)
+ sysnet_search_dhcp_state(NetworkManager_t)
+-# in /etc created by NetworkManager will be labelled net_conf_t.
+-sysnet_manage_config(NetworkManager_t)
+-sysnet_etc_filetrans_config(NetworkManager_t)
++sysnet_signal_dhcpc(NetworkManager_t)
  
  userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
  userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t)
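Review bot: The alphabetical reordering of the sysnet_* calls drops the comment `# in /etc created by NetworkManager will be labelled net_conf_t.`. This leaves `sysnet_etc_filetrans_config(NetworkManager_t)` and `sysnet_manage_config(NetworkManager_t)` without the explanation of why a file transition in /etc is granted. Keeping a corrected form directly above the call, e.g. `# files created in /etc by NetworkManager are labelled net_conf_t`, costs one line. The block also now carries both `sysnet_signal_dhcpc(NetworkManager_t)` and the new `sysnet_kill_dhcpc(NetworkManager_t)`. A short comment on why SIGKILL is needed in addition to the generic signal would make the extra permission reviewable.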
@@ -18749,7 +18777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	bind_domtrans(NetworkManager_t)
  	bind_manage_cache(NetworkManager_t)
-@@ -151,21 +163,26 @@
+@@ -151,21 +163,32 @@
  ')
  
  optional_policy(`
@@ -18760,6 +18788,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
 -	howl_signal(NetworkManager_t)
++	dnsmasq_initrc_domtrans(NetworkManager_t)
++	dnsmasq_signal(NetworkManager_t)
++	dnsmasq_sigkill(NetworkManager_t)
++')
++
++optional_policy(`
 +	hal_write_log(NetworkManager_t)
  ')
  
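Review bot: `dnsmasq_initrc_domtrans(NetworkManager_t)` may give NetworkManager_t more than the ability to start dnsmasq. If the interface follows the usual refpolicy pattern, the caller transitions into the init script domain, which is considerably broader than dnsmasq_t. Together with `dnsmasq_signal` and `dnsmasq_sigkill` here and `ppp_sigkill(NetworkManager_t)` in the ppp block further down, NetworkManager gains start/stop control over other daemons with no comment stating the need. The dnsmasq.if definitions are outside this hunk, so check whether a direct transition to the daemon domain would be enough. At minimum, add a comment above the three calls giving the reason NetworkManager manages dnsmasq.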
@@ -18781,13 +18815,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -174,9 +191,17 @@
+@@ -174,9 +197,18 @@
  ')
  
  optional_policy(`
 -	ppp_domtrans(NetworkManager_t)
 +	ppp_initrc_domtrans(NetworkManager_t)
  	ppp_read_pid_files(NetworkManager_t)
++	ppp_sigkill(NetworkManager_t)
  	ppp_signal(NetworkManager_t)
 +	ppp_signull(NetworkManager_t)
 +	ppp_read_config(NetworkManager_t)
@@ -20306,7 +20341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.9/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/postfix.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/postfix.te	2008-09-29 15:12:34.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -20331,10 +20366,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  type postfix_exec_t;
  application_executable_file(postfix_exec_t)
-@@ -27,6 +35,10 @@
+@@ -27,6 +35,12 @@
  postfix_server_domain_template(local)
  mta_mailserver_delivery(postfix_local_t)
  
++sysadm_read_home_content_files(postfix_local_t)
++
 +tunable_policy(`allow_postfix_local_write_mail_spool',`
 +	mta_manage_spool(postfix_local_t)
 +')
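Review bot: `sysadm_read_home_content_files(postfix_local_t)` is added unconditionally in the declarations section, right after `mta_mailserver_delivery(postfix_local_t)`. The local delivery agent handles mail from arbitrary senders, and with this call it can read every file labelled as administrator home content, not just a forwarding file. If the purpose is to honour a forward file in the admin's home (an assumption; the hunk gives no reason), a dedicated type for that file or a tunable, like the `allow_postfix_local_write_mail_spool` block just below, would expose far less. The call would also read better in the "Postfix local local policy" section with a comment stating which file is needed. Admin home directories commonly hold keys, shell history and credentials, so the breadth here deserves an explicit justification.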
@@ -20342,7 +20379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type postfix_local_tmp_t;
  files_tmp_file(postfix_local_tmp_t)
  
-@@ -34,6 +46,7 @@
+@@ -34,6 +48,7 @@
  type postfix_map_t;
  type postfix_map_exec_t;
  application_domain(postfix_map_t, postfix_map_exec_t)
@@ -20350,7 +20387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  type postfix_map_tmp_t;
  files_tmp_file(postfix_map_tmp_t)
-@@ -80,13 +93,12 @@
+@@ -80,13 +95,12 @@
  type postfix_public_t;
  files_type(postfix_public_t)
  
@@ -20367,7 +20404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  postfix_server_domain_template(virtual)
  mta_mailserver_delivery(postfix_virtual_t)
  
-@@ -103,14 +115,12 @@
+@@ -103,14 +117,12 @@
  allow postfix_master_t self:fifo_file rw_fifo_file_perms;
  allow postfix_master_t self:tcp_socket create_stream_socket_perms;
  allow postfix_master_t self:udp_socket create_socket_perms;
@@ -20383,7 +20420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
  
  allow postfix_master_t postfix_postdrop_exec_t:file getattr;
-@@ -129,6 +139,10 @@
+@@ -129,6 +141,10 @@
  
  domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
  
@@ -20394,7 +20431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # allow access to deferred queue and allow removing bogus incoming entries
  manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
-@@ -142,6 +156,7 @@
+@@ -142,6 +158,7 @@
  
  delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -20402,7 +20439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  kernel_read_all_sysctls(postfix_master_t)
  
-@@ -181,12 +196,17 @@
+@@ -181,12 +198,17 @@
  
  mta_rw_aliases(postfix_master_t)
  mta_read_sendmail_bin(postfix_master_t)
@@ -20420,7 +20457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #	for postalias
  	mailman_manage_data_files(postfix_master_t)
  ')
-@@ -196,6 +216,10 @@
+@@ -196,6 +218,10 @@
  ')
  
  optional_policy(`
@@ -20431,7 +20468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	sendmail_signal(postfix_master_t)
  ')
  
-@@ -255,6 +279,10 @@
+@@ -255,6 +281,10 @@
  
  corecmd_exec_bin(postfix_cleanup_t)
  
@@ -20442,7 +20479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Postfix local local policy
-@@ -280,18 +308,25 @@
+@@ -280,18 +310,25 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -20468,7 +20505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -302,8 +337,7 @@
+@@ -302,8 +339,7 @@
  #
  # Postfix map local policy
  #
@@ -20478,7 +20515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -353,8 +387,6 @@
+@@ -353,8 +389,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -20487,7 +20524,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -367,6 +399,11 @@
+@@ -367,6 +401,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -20499,7 +20536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Postfix pickup local policy
-@@ -391,6 +428,7 @@
+@@ -391,6 +430,7 @@
  #
  
  allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -20507,7 +20544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -398,6 +436,12 @@
+@@ -398,6 +438,12 @@
  
  rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
@@ -20520,7 +20557,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -407,6 +451,14 @@
+@@ -407,6 +453,14 @@
  ')
  
  optional_policy(`
@@ -20535,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -443,8 +495,11 @@
+@@ -443,8 +497,11 @@
  ')
  
  optional_policy(`
@@ -20549,7 +20586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -470,6 +525,15 @@
+@@ -470,6 +527,15 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
@@ -20565,7 +20602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # Postfix qmgr local policy
-@@ -553,6 +617,10 @@
+@@ -553,6 +619,10 @@
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
@@ -20576,7 +20613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	mailman_read_data_files(postfix_smtpd_t)
  ')
  
-@@ -579,7 +647,7 @@
+@@ -579,7 +649,7 @@
  files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
  
  # connect to master process
@@ -20942,8 +20979,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # /sbin
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.9/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/ppp.if	2008-09-25 08:33:18.000000000 -0400
-@@ -310,6 +310,24 @@
++++ serefpolicy-3.5.9/policy/modules/services/ppp.if	2008-09-30 10:18:46.000000000 -0400
+@@ -58,6 +58,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Send ppp a sigkill
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++#
++interface(`ppp_sigkill',`
++	gen_require(`
++		type pppd_t;
++	')
++
++	allow $1 pppd_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Send a generic signal to PPP.
+ ## </summary>
+ ## <param name="domain">
+@@ -310,6 +329,24 @@
  
  ########################################
  ## <summary>
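Review bot: The new `ppp_sigkill` interface has a stray second `#` line between `## </param>` and the interface line. Its summary `Send ppp a sigkill` also does not follow the wording of the neighbouring `Send a generic signal to PPP.`. Suggest `##	Send a kill signal to PPP.` and a single `#` separator so the generated interface documentation stays uniform. The rule itself, `allow $1 pppd_t:process sigkill;`, matches the stated purpose.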
@@ -20968,7 +21031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an ppp environment
  ## </summary>
-@@ -327,33 +345,42 @@
+@@ -327,33 +364,42 @@
  		type pppd_etc_rw_t, pppd_var_run_t;
  
  		type pptp_t, pptp_log_t, pptp_var_run_t;
@@ -21912,7 +21975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.5.9/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/radius.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/radius.te	2008-09-29 11:01:06.000000000 -0400
 @@ -16,6 +16,9 @@
  type radiusd_etc_rw_t;
  files_type(radiusd_etc_rw_t)
@@ -21937,7 +22000,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow radiusd_t radiusd_etc_t:dir list_dir_perms;
  read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
-@@ -80,15 +82,14 @@
+@@ -57,8 +59,9 @@
+ 
+ manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t)
+ 
++manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+ manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
+-files_pid_filetrans(radiusd_t, radiusd_var_run_t, file)
++files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file })
+ 
+ kernel_read_kernel_sysctls(radiusd_t)
+ kernel_read_system_state(radiusd_t)
+@@ -80,15 +83,14 @@
  corenet_udp_bind_generic_port(radiusd_t)
  corenet_dontaudit_udp_bind_all_ports(radiusd_t)
  corenet_sendrecv_generic_server_packets(radiusd_t)
@@ -21955,7 +22029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corecmd_exec_bin(radiusd_t)
  corecmd_exec_shell(radiusd_t)
  
-@@ -98,6 +99,10 @@
+@@ -98,6 +100,10 @@
  files_read_etc_files(radiusd_t)
  files_read_etc_runtime_files(radiusd_t)
  
@@ -21966,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  libs_use_ld_so(radiusd_t)
  libs_use_shared_libs(radiusd_t)
  libs_exec_lib_files(radiusd_t)
-@@ -107,8 +112,6 @@
+@@ -107,8 +113,6 @@
  miscfiles_read_localization(radiusd_t)
  miscfiles_read_certs(radiusd_t)
  
@@ -21975,7 +22049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
  
  sysadm_dontaudit_search_home_dirs(radiusd_t)
-@@ -123,7 +126,8 @@
+@@ -123,7 +127,8 @@
  ')
  
  optional_policy(`
@@ -25288,7 +25362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.9/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/ssh.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/ssh.if	2008-09-29 15:10:35.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -25468,9 +25542,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
  	term_create_pty($1_t,$1_devpts_t)
-@@ -479,6 +492,10 @@
+@@ -478,7 +491,12 @@
+ 	corenet_udp_bind_all_nodes($1_t)
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
++	corenet_tcp_bind_all_unreserved_ports($1_t)
  	corenet_sendrecv_ssh_server_packets($1_t)
 +	# -R qualifier
 +	corenet_sendrecv_ssh_server_packets($1_t)
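Review bot: `corenet_tcp_bind_all_unreserved_ports($1_t)` is granted to every domain built from this server template with no condition. It also sits above the `# -R qualifier` comment that presumably explains it. The grant lets the SSH daemon domain listen on any unreserved TCP port. If it exists only for remote port forwarding, placing it under that comment and wrapping it in a tunable would let sites that disable forwarding keep the tighter policy. Separately, `corenet_sendrecv_ssh_server_packets($1_t)` now appears twice, once as context and once as the line added under the comment, and one of them can be dropped. The template body continues outside this hunk.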
@@ -25479,7 +25555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -506,9 +523,14 @@
+@@ -506,9 +524,14 @@
  
  	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
  	userdom_search_all_users_home_dirs($1_t)
@@ -25494,7 +25570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +539,7 @@
+@@ -517,11 +540,7 @@
  
  	optional_policy(`
  		kerberos_use($1_t)
@@ -25507,7 +25583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	optional_policy(`
-@@ -710,3 +728,22 @@
+@@ -710,3 +729,22 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
@@ -26145,7 +26221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.9/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/xserver.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/xserver.if	2008-09-26 13:06:46.000000000 -0400
 @@ -16,6 +16,7 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -26154,7 +26230,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		attribute x_server_domain;
  		class x_drawable all_x_drawable_perms;
  		class x_colormap all_x_colormap_perms;
-@@ -128,18 +129,24 @@
+@@ -77,6 +78,9 @@
+ 	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
+ 
+ 	filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
++	ifdef(`enable_mls',`
++		range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
++	')
+ 
+ 	manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
+ 	manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
+@@ -95,6 +99,9 @@
+ 
+ 	# Labeling rules for default windows and colormaps
+ 	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
++	ifdef(`enable_mls',`
++		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
++	')
+ 
+ 	kernel_read_system_state($1_xserver_t)
+ 	kernel_read_device_sysctls($1_xserver_t)
+@@ -128,18 +135,24 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
  	dev_manage_dri_dev($1_xserver_t)
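Review bot: Both new `enable_mls` blocks add a `range_transition` to `s0 - mls_systemhigh` (one for `$1_xserver_tmp_t:sock_file`, one for `$1_rootwindow_t:x_drawable`) with no comment explaining why these objects must span every sensitivity level. An object ranged across all levels is a deliberate exception to level separation, so the reason should be recorded at the rule. I would put a comment above each block, for example `# MLS: server socket spans s0 - mls_systemhigh so clients at any level can connect` and `# MLS: root window is shared by clients at all levels`, assuming that is the intent. The enclosing template starts and ends outside these inner hunks, so any compensating constraint elsewhere in it is not visible here.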
@@ -26181,7 +26277,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	files_read_etc_files($1_xserver_t)
  	files_read_etc_runtime_files($1_xserver_t)
-@@ -153,7 +160,8 @@
+@@ -153,7 +166,8 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -26191,7 +26287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	selinux_validate_context($1_xserver_t)
  	selinux_compute_access_vector($1_xserver_t)
-@@ -163,6 +171,9 @@
+@@ -163,6 +177,9 @@
  
  	init_getpgid($1_xserver_t)
  
@@ -26201,7 +26297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -270,6 +281,8 @@
+@@ -270,6 +287,8 @@
  	gen_require(`
  		type iceauth_exec_t, xauth_exec_t;
  		attribute fonts_type, fonts_cache_type, fonts_config_type;
@@ -26210,7 +26306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	##############################
-@@ -280,61 +293,41 @@
+@@ -280,61 +299,41 @@
  	xserver_common_domain_template($1)
  	role $3 types $1_xserver_t;
  
@@ -26243,12 +26339,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	type $1_xauth_home_t alias $1_xauth_rw_t, xauth_home_type;
 -	files_poly_member($1_xauth_home_t)
 -	userdom_user_home_content($1, $1_xauth_home_t)
+-
+-	type $1_xauth_tmp_t;
+-	files_tmp_file($1_xauth_tmp_t)
 +	typealias iceauth_home_t alias $1_iceauth_rw_t;
 +	typealias iceauth_home_t alias $1_iceauth_home_t;
  
--	type $1_xauth_tmp_t;
--	files_tmp_file($1_xauth_tmp_t)
--
 -	##############################
 -	#
 -	# $1_xserver_t Local policy
@@ -26291,7 +26387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	stream_connect_pattern($2, $1_xserver_tmp_t, $1_xserver_tmp_t, $1_xserver_t)
  
-@@ -348,85 +341,32 @@
+@@ -348,85 +347,32 @@
  
  	locallogin_use_fds($1_xserver_t)
  
@@ -26360,13 +26456,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	# cjp: why?
 -	term_use_ptmx($1_xauth_t)
--
++	ps_process_pattern($2,xauth_t)
+ 
 -	auth_use_nsswitch($1_xauth_t)
 -
 -	libs_use_ld_so($1_xauth_t)
 -	libs_use_shared_libs($1_xauth_t)
-+	ps_process_pattern($2,xauth_t)
- 
+-
 -	userdom_use_user_terminals($1, $1_xauth_t)
 -	userdom_read_user_tmp_files($1, $1_xauth_t)
 -
@@ -26388,7 +26484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	##############################
  	#
-@@ -435,16 +375,16 @@
+@@ -435,16 +381,16 @@
  
  	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
  
@@ -26410,7 +26506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	fs_search_auto_mountpoints($1_iceauth_t)
  
-@@ -467,34 +407,12 @@
+@@ -467,34 +413,12 @@
  	#
  
  	# Device rules
@@ -26447,7 +26543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# xrdb X11:ChangeProperty prop=RESOURCE_MANAGER
  	allow $2 info_xproperty_t:x_property { create write append };
  
-@@ -610,7 +528,7 @@
+@@ -610,7 +534,7 @@
  #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -26456,7 +26552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -618,8 +536,8 @@
+@@ -618,8 +542,8 @@
  	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -26467,7 +26563,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -643,11 +561,109 @@
+@@ -643,13 +567,208 @@
  
  	xserver_read_xdm_tmp_files($2)
  
@@ -26578,13 +26674,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1_xserver_t input_xevent_t:x_event send;
 +	allow $1_xserver_t $1_rootwindow_t:x_drawable send;
- ')
- 
- #######################################
-@@ -662,6 +678,103 @@
- ##	is the prefix for user_t).
- ##	</summary>
- ## </param>
++')
++
++#######################################
++## <summary>
++##	Interface to provide X object permissions on a given X server to
++##	an X client domain.  Provides the minimal set required by a basic
++##	X client application.
++## </summary>
++## <param name="user">
++##	<summary>
++##	The prefix of the X server domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
 +## <param name="domain">
 +##	<summary>
 +##	Client domain allowed access.
@@ -26667,25 +26770,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +#	xserver_use($1, $1, $2)
 +	xserver_use(xdm, $1, $2)
-+')
-+
+ ')
+ 
 +
-+#######################################
-+## <summary>
-+##	Interface to provide X object permissions on a given X server to
-+##	an X client domain.  Provides the minimal set required by a basic
-+##	X client application.
-+## </summary>
-+## <param name="user">
-+##	<summary>
-+##	The prefix of the X server domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
- ## <param name="prefix">
- ##	<summary>
- ##	The prefix of the X client domain (e.g., user
-@@ -676,7 +789,7 @@
+ #######################################
+ ## <summary>
+ ##	Interface to provide X object permissions on a given X server to
+@@ -676,7 +795,7 @@
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -26694,7 +26785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		type xproperty_t, info_xproperty_t, clipboard_xproperty_t;
  		type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t;
  		type xevent_t, client_xevent_t;
-@@ -685,7 +798,6 @@
+@@ -685,7 +804,6 @@
  		attribute x_server_domain, x_domain;
  		attribute xproperty_type;
  		attribute xevent_type, xextension_type;
@@ -26702,7 +26793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  		class x_drawable all_x_drawable_perms;
  		class x_screen all_x_screen_perms;
-@@ -702,6 +814,7 @@
+@@ -702,6 +820,7 @@
  		class x_resource all_x_resource_perms;
  		class x_event all_x_event_perms;
  		class x_synthetic_event all_x_synthetic_event_perms;
@@ -26710,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	##############################
-@@ -709,20 +822,22 @@
+@@ -709,20 +828,22 @@
  	# Declarations
  	#
  
@@ -26736,7 +26827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	##############################
  	#
  	# Local Policy
-@@ -740,7 +855,7 @@
+@@ -740,7 +861,7 @@
  	allow $3 x_server_domain:x_server getattr;
  	# everyone can do override-redirect windows.
  	# this could be used to spoof labels
@@ -26745,7 +26836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# everyone can receive management events on the root window
  	# allows to know when new windows appear, among other things
  	allow $3 manage_xevent_t:x_event receive;
-@@ -749,7 +864,7 @@
+@@ -749,7 +870,7 @@
  	# can read server-owned resources
  	allow $3 x_server_domain:x_resource read;
  	# can mess with own clients
@@ -26754,7 +26845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# X Protocol Extensions
  	allow $3 std_xext_t:x_extension { query use };
-@@ -758,27 +873,17 @@
+@@ -758,27 +879,17 @@
  
  	# X Properties
  	# can read and write client properties
@@ -26787,7 +26878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# X Input
  	# can receive own events
-@@ -805,6 +910,12 @@
+@@ -805,6 +916,12 @@
  	allow $3 manage_xevent_t:x_synthetic_event send;
  	allow $3 client_xevent_t:x_synthetic_event send;
  
@@ -26800,7 +26891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# X Selections
  	# can use the clipboard
  	allow $3 clipboard_xselection_t:x_selection { getattr setattr read };
-@@ -813,13 +924,15 @@
+@@ -813,13 +930,15 @@
  
  	# Other X Objects
  	# can create and use cursors
@@ -26820,7 +26911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	tunable_policy(`! xserver_object_manager',`
  		# should be xserver_unconfined($3),
-@@ -879,17 +992,17 @@
+@@ -879,17 +998,17 @@
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -26845,7 +26936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $3 xdm_t:fd use;
-@@ -916,11 +1029,9 @@
+@@ -916,11 +1035,9 @@
  	# X object manager
  	xserver_common_x_domain_template($1, $2, $3)
  
@@ -26860,7 +26951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -952,26 +1063,43 @@
+@@ -952,26 +1069,43 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -26911,7 +27002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -997,10 +1125,77 @@
+@@ -997,10 +1131,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -26991,7 +27082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1030,10 +1225,10 @@
+@@ -1030,10 +1231,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -27004,7 +27095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1219,6 +1414,25 @@
+@@ -1219,6 +1420,25 @@
  
  ########################################
  ## <summary>
@@ -27030,7 +27121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -1273,6 +1487,7 @@
+@@ -1273,6 +1493,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -27038,7 +27129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1291,7 +1506,7 @@
+@@ -1291,7 +1512,7 @@
  	')
  
  	files_search_pids($1)
@@ -27047,7 +27138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1314,6 +1529,24 @@
+@@ -1314,6 +1535,24 @@
  
  ########################################
  ## <summary>
@@ -27072,7 +27163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -1324,15 +1557,47 @@
+@@ -1324,15 +1563,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -27121,7 +27212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1482,7 +1747,7 @@
+@@ -1482,7 +1753,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -27130,7 +27221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1674,6 +1939,26 @@
+@@ -1674,6 +1945,26 @@
  
  ########################################
  ## <summary>
@@ -27157,7 +27248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	xdm xserver RW shared memory socket.
  ## </summary>
  ## <param name="domain">
-@@ -1692,6 +1977,24 @@
+@@ -1692,6 +1983,24 @@
  
  ########################################
  ## <summary>
@@ -27182,7 +27273,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1704,8 +2007,126 @@
+@@ -1704,8 +2013,126 @@
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -27313,7 +27404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.9/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/xserver.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/services/xserver.te	2008-09-29 12:10:48.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -27449,7 +27540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -176,15 +235,25 @@
+@@ -176,15 +235,26 @@
  manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -27457,6 +27548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +fs_getattr_all_fs(xdm_t)
 +fs_search_inotifyfs(xdm_t)
 +fs_list_all(xdm_t)
++fs_read_noxattr_fs_files(xdm_t)
 +
 +manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)
  
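Review bot: `fs_read_noxattr_fs_files(xdm_t)` is added without a comment, and it is a broad grant: it gives the display manager read access to files on every filesystem type that has no xattr labelling, directly after the already wide `fs_list_all(xdm_t)`. Name the consumer in a comment above the line, along the lines of `# xdm reads <what> from non-xattr filesystems`, so a later audit can tell whether the rule is still needed. If only one filesystem type is involved, the interface for that type would be the narrower choice.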
@@ -27477,7 +27569,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -198,6 +267,7 @@
+@@ -198,6 +268,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -27485,7 +27577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
-@@ -229,6 +299,7 @@
+@@ -229,6 +300,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -27493,7 +27585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -241,6 +312,7 @@
+@@ -241,6 +313,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -27501,7 +27593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -253,14 +325,17 @@
+@@ -253,14 +326,17 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -27521,7 +27613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -271,9 +346,13 @@
+@@ -271,9 +347,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -27535,7 +27627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -282,6 +361,7 @@
+@@ -282,6 +362,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -27543,7 +27635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -290,6 +370,7 @@
+@@ -290,6 +371,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -27551,7 +27643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -301,21 +382,25 @@
+@@ -301,21 +383,25 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -27582,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -348,10 +433,12 @@
+@@ -348,10 +434,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -27595,7 +27687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -359,6 +446,22 @@
+@@ -359,6 +447,22 @@
  ')
  
  optional_policy(`
@@ -27618,7 +27710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +485,33 @@
+@@ -382,16 +486,33 @@
  ')
  
  optional_policy(`
@@ -27653,7 +27745,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -427,7 +547,7 @@
+@@ -427,7 +548,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -27662,7 +27754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -439,6 +559,15 @@
+@@ -439,6 +560,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -27678,7 +27770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -450,10 +579,19 @@
+@@ -450,10 +580,19 @@
  # xdm_xserver_t may no longer have any reason
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
@@ -27699,7 +27791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,8 +606,19 @@
+@@ -468,8 +607,19 @@
  
  optional_policy(`
  	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@@ -27719,7 +27811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	resmgr_stream_connect(xdm_t)
-@@ -481,8 +630,25 @@
+@@ -481,8 +631,25 @@
  ')
  
  optional_policy(`
@@ -27747,7 +27839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	ifndef(`distro_redhat',`
  		allow xdm_xserver_t self:process { execheap execmem };
-@@ -491,7 +657,6 @@
+@@ -491,7 +658,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_xserver_t self:process { execheap execmem };
  	')
@@ -27755,7 +27847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-@@ -544,3 +709,56 @@
+@@ -544,3 +710,56 @@
  #
  allow pam_t xdm_t:fifo_file { getattr ioctl write };
  ') dnl end TODO
@@ -30711,7 +30803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.9/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.if	2008-09-30 10:01:18.000000000 -0400
 @@ -553,6 +553,7 @@
  		type net_conf_t;
  	')
@@ -31075,8 +31167,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.9/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2008-09-11 16:42:49.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc	2008-09-25 14:37:47.000000000 -0400
-@@ -2,15 +2,29 @@
++++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc	2008-09-30 09:48:11.000000000 -0400
+@@ -2,15 +2,28 @@
  # e.g.:
  # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
@@ -31098,7 +31190,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
  ')
 +/usr/bin/totem.*	            --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
 +/usr/sbin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
@@ -31802,7 +31893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/userdomain.if	2008-09-29 10:56:25.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')
@@ -32242,17 +32333,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -439,18 +435,18 @@
+@@ -439,18 +435,15 @@
  #
  template(`userdom_manage_tmpfs_template',`
  	gen_require(`
 -		attribute $1_file_type;
-+		attribute user_file_type;
++		attribute $1_usertype;
++		type user_tmpfs_t;
  	')
  
 -	type $1_tmpfs_t, $1_file_type;
-+	type $1_tmpfs_t, user_file_type;
- 	files_tmpfs_file($1_tmpfs_t)
+-	files_tmpfs_file($1_tmpfs_t)
++	ifelse(`$1',`user',`',`
++		typealias user_tmpfs_t alias $1_tmpfs_t;
++	')
  
 -	manage_dirs_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
 -	manage_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
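Review bot: With `typealias user_tmpfs_t alias $1_tmpfs_t;` every role's tmpfs type becomes the same type, so type enforcement no longer separates tmpfs and shared-memory objects between roles that instantiate `userdom_manage_tmpfs_template`, and the template carries no comment saying this is intended. I would document it at the `ifelse`, e.g. `# all roles share user_tmpfs_t; $1_tmpfs_t is kept only as an alias for existing rules`, and state what is expected to keep roles apart instead (DAC, MCS/MLS). The following hunk replaces the per-type `manage_*_pattern` rules with `userdom_manage_tmpfs($1_usertype)`, whose definition is not visible here, so confirm it still includes the `fs_tmpfs_filetrans` rule that the removed lines provided. The `type user_tmpfs_t;` change in the `gen_require` of `userdom_xwindows_client_template` further down follows from the same merge.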
@@ -32260,16 +32354,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	manage_sock_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
 -	manage_fifo_files_pattern($1_t,$1_tmpfs_t,$1_tmpfs_t)
 -	fs_tmpfs_filetrans($1_t,$1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-+	manage_dirs_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t)
-+	manage_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t)
-+	manage_lnk_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t)
-+	manage_sock_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t)
-+	manage_fifo_files_pattern($1_usertype, $1_tmpfs_t, $1_tmpfs_t)
-+	fs_tmpfs_filetrans($1_usertype, $1_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++	userdom_manage_tmpfs($1_usertype)
  ')
  
  #######################################
-@@ -468,17 +464,17 @@
+@@ -468,17 +461,17 @@
  #
  template(`userdom_untrusted_content_template',`
  	gen_require(`
@@ -32290,7 +32379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_tmp_file($1_untrusted_content_tmp_t)
  
  	# Allow user to relabel untrusted content
-@@ -510,10 +506,6 @@
+@@ -510,10 +503,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -32301,7 +32390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -531,34 +523,20 @@
+@@ -531,34 +520,20 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -32311,7 +32400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
 -	allow $1_t self:udp_socket create_socket_perms;
--
+ 
 -	corenet_all_recvfrom_unlabeled($1_t)
 -	corenet_all_recvfrom_netlabel($1_t)
 -	corenet_tcp_sendrecv_all_if($1_t)
@@ -32322,11 +32411,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	corenet_udp_sendrecv_all_ports($1_t)
 -	corenet_tcp_connect_all_ports($1_t)
 -	corenet_sendrecv_all_client_packets($1_t)
- 
--	corenet_all_recvfrom_labeled($1_t, $1_t)
 +	allow $1_usertype self:tcp_socket create_stream_socket_perms;
 +	allow $1_usertype self:udp_socket create_socket_perms;
  
+-	corenet_all_recvfrom_labeled($1_t, $1_t)
+-
 -	optional_policy(`
 -		init_tcp_recvfrom_all_daemons($1_t)
 -		init_udp_recvfrom_all_daemons($1_t)
@@ -32348,12 +32437,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -575,30 +553,33 @@
+@@ -575,30 +550,33 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
 -		type $1_t, $1_tmpfs_t;
-+		type $1_tmpfs_t;
++		type user_tmpfs_t;
  	')
  
 -	dev_rw_xserver_misc($1_t)
@@ -32398,7 +32487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -629,13 +610,7 @@
+@@ -629,13 +607,7 @@
  ## <summary>
  ##	The template for allowing the user to change roles.
  ## </summary>
@@ -32413,7 +32502,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	<summary>
  ##	The prefix of the user domain (e.g., user
  ##	is the prefix for user_t).
-@@ -699,188 +674,202 @@
+@@ -699,188 +671,202 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -32697,7 +32786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #######################################
-@@ -902,9 +891,7 @@
+@@ -902,9 +888,7 @@
  ## </param>
  #
  template(`userdom_login_user_template', `
@@ -32708,7 +32797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	userdom_base_user_template($1)
  
-@@ -930,74 +917,77 @@
+@@ -930,74 +914,77 @@
  
  	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
  	dontaudit $1_t self:process setrlimit;
@@ -32819,7 +32908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1031,9 +1021,6 @@
+@@ -1031,9 +1018,6 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
@@ -32829,7 +32918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	typeattribute $1_tty_device_t user_ttynode;
  
  	##############################
-@@ -1042,12 +1029,25 @@
+@@ -1042,12 +1026,25 @@
  	#
  
  	# privileged home directory writers
@@ -32861,7 +32950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-@@ -1087,14 +1087,16 @@
+@@ -1087,14 +1084,16 @@
  	#
  
  	authlogin_per_role_template($1, $1_t, $1_r)
@@ -32883,7 +32972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1102,28 +1104,23 @@
+@@ -1102,28 +1101,23 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -32917,7 +33006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1134,8 +1131,7 @@
+@@ -1134,8 +1128,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -32927,7 +33016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -1167,11 +1163,10 @@
+@@ -1167,11 +1160,10 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -32940,7 +33029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1189,36 +1184,49 @@
+@@ -1189,36 +1181,49 @@
  		')
  	')
  
@@ -33003,7 +33092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -1295,8 +1303,6 @@
+@@ -1295,8 +1300,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -33012,7 +33101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1318,8 +1324,6 @@
+@@ -1318,8 +1321,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -33021,7 +33110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1374,13 +1378,6 @@
+@@ -1374,13 +1375,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -33035,7 +33124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1432,6 +1429,7 @@
+@@ -1432,6 +1426,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -33043,7 +33132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1461,10 +1459,6 @@
+@@ -1461,10 +1456,6 @@
  	seutil_run_semanage($1,$2,$3)
  	seutil_run_setfiles($1, $2, $3)
  
@@ -33054,7 +33143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	optional_policy(`
  		aide_run($1,$2, $3)
  	')
-@@ -1484,6 +1478,14 @@
+@@ -1484,6 +1475,14 @@
  	optional_policy(`
  		netlabel_run_mgmt($1,$2, $3)
  	')
@@ -33069,7 +33158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1741,11 +1743,15 @@
+@@ -1741,11 +1740,15 @@
  #
  template(`userdom_user_home_content',`
  	gen_require(`
@@ -33088,7 +33177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1841,11 +1847,11 @@
+@@ -1841,11 +1844,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -33102,7 +33191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1875,11 +1881,11 @@
+@@ -1875,11 +1878,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -33116,7 +33205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1923,12 +1929,12 @@
+@@ -1923,12 +1926,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -33132,7 +33221,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1958,10 +1964,11 @@
+@@ -1958,10 +1961,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -33146,7 +33235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1993,11 +2000,47 @@
+@@ -1993,11 +1997,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -33196,7 +33285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2029,10 +2072,10 @@
+@@ -2029,10 +2069,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -33209,7 +33298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2062,11 +2105,11 @@
+@@ -2062,11 +2102,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -33223,7 +33312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2096,11 +2139,11 @@
+@@ -2096,11 +2136,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -33238,7 +33327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2130,10 +2173,14 @@
+@@ -2130,10 +2170,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -33255,7 +33344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2163,11 +2210,11 @@
+@@ -2163,11 +2207,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -33269,7 +33358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2197,11 +2244,11 @@
+@@ -2197,11 +2241,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -33283,7 +33372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2231,10 +2278,10 @@
+@@ -2231,10 +2275,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -33296,7 +33385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2266,12 +2313,12 @@
+@@ -2266,12 +2310,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -33312,7 +33401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2303,10 +2350,10 @@
+@@ -2303,10 +2347,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -33325,7 +33414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2338,12 +2385,12 @@
+@@ -2338,12 +2382,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -33341,7 +33430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2375,12 +2422,12 @@
+@@ -2375,12 +2419,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -33357,7 +33446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2412,12 +2459,12 @@
+@@ -2412,12 +2456,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -33373,7 +33462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2462,11 +2509,11 @@
+@@ -2462,11 +2506,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -33387,7 +33476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2511,11 +2558,11 @@
+@@ -2511,11 +2555,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -33401,7 +33490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2555,11 +2602,11 @@
+@@ -2555,11 +2599,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -33415,7 +33504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2589,11 +2636,11 @@
+@@ -2589,11 +2633,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -33429,7 +33518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2623,11 +2670,11 @@
+@@ -2623,11 +2667,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -33443,7 +33532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2659,10 +2706,10 @@
+@@ -2659,10 +2703,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -33456,7 +33545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2694,10 +2741,10 @@
+@@ -2694,10 +2738,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -33469,7 +33558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2727,12 +2774,12 @@
+@@ -2727,12 +2771,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -33485,7 +33574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2764,10 +2811,10 @@
+@@ -2764,10 +2808,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -33498,7 +33587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2799,10 +2846,10 @@
+@@ -2799,10 +2843,10 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -33511,7 +33600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2832,12 +2879,12 @@
+@@ -2832,12 +2876,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -33527,7 +33616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2869,10 +2916,10 @@
+@@ -2869,10 +2913,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -33540,7 +33629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2904,12 +2951,12 @@
+@@ -2904,12 +2948,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -33556,7 +33645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2941,11 +2988,11 @@
+@@ -2941,11 +2985,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -33570,7 +33659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -2977,11 +3024,11 @@
+@@ -2977,11 +3021,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -33584,7 +33673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3013,11 +3060,11 @@
+@@ -3013,11 +3057,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -33598,7 +33687,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3049,11 +3096,11 @@
+@@ -3049,11 +3093,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -33612,7 +33701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3085,11 +3132,11 @@
+@@ -3085,11 +3129,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -33626,7 +33715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -3134,10 +3181,10 @@
+@@ -3134,10 +3178,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -33639,7 +33728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_search_tmp($2)
  ')
  
-@@ -3178,19 +3225,19 @@
+@@ -3178,19 +3222,19 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -33663,7 +33752,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -4616,11 +4663,11 @@
+@@ -3211,13 +3255,13 @@
+ #
+ template(`userdom_rw_user_tmpfs_files',`
+ 	gen_require(`
+-		type $1_tmpfs_t;
++		type user_tmpfs_t;
+ 	')
+ 
+ 	fs_search_tmpfs($2)
+-	allow $2 $1_tmpfs_t:dir list_dir_perms;
+-	rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+-	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
++	allow $2 user_tmpfs_t:dir list_dir_perms;
++	rw_files_pattern($2,user_tmpfs_t,user_tmpfs_t)
++	read_lnk_files_pattern($2,user_tmpfs_t,user_tmpfs_t)
+ ')
+ 
+ ########################################
+@@ -4616,11 +4660,11 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
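Review bot: After this change `userdom_rw_user_tmpfs_files` still takes the user-domain prefix as `$1` but never uses it, because every rule now names the single type `user_tmpfs_t` instead of `$1_tmpfs_t`. A caller that used to be scoped to one role's tmpfs objects now gets read/write on all objects labelled `user_tmpfs_t`. Any separation between roles for these shared-memory files would then have to come from MCS/MLS or DAC rather than type enforcement. If that is intended, the template's doc block should say so, e.g. `##	Note: $1 is ignored; access is granted on user_tmpfs_t, which is shared by all user roles.` The same applies to `userdom_read_user_tmpfs_files` in the later hunk; the doc headers of both templates lie outside the hunks.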
@@ -33677,7 +33784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -4640,6 +4687,14 @@
+@@ -4640,6 +4684,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -33692,7 +33799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -4677,6 +4732,8 @@
+@@ -4677,6 +4729,8 @@
  	')
  
  	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -33701,7 +33808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -4721,6 +4778,25 @@
+@@ -4721,6 +4775,25 @@
  
  ########################################
  ## <summary>
@@ -33727,7 +33834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4946,7 +5022,7 @@
+@@ -4946,7 +5019,7 @@
  
  ########################################
  ## <summary>
@@ -33736,7 +33843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5318,7 +5394,7 @@
+@@ -5318,7 +5391,7 @@
  
  ########################################
  ## <summary>
@@ -33745,7 +33852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5326,18 +5402,17 @@
+@@ -5326,18 +5399,17 @@
  ##	</summary>
  ## </param>
  #
@@ -33768,7 +33875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5345,17 +5420,17 @@
+@@ -5345,17 +5417,17 @@
  ##	</summary>
  ## </param>
  #
@@ -33790,7 +33897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5363,18 +5438,18 @@
+@@ -5363,18 +5435,18 @@
  ##	</summary>
  ## </param>
  #
@@ -33814,7 +33921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5382,17 +5457,54 @@
+@@ -5382,17 +5454,54 @@
  ##	</summary>
  ## </param>
  #
@@ -33873,7 +33980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5483,6 +5595,42 @@
+@@ -5483,6 +5592,42 @@
  
  ########################################
  ## <summary>
@@ -33916,7 +34023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5513,3 +5661,524 @@
+@@ -5513,3 +5658,548 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -34250,13 +34357,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +template(`userdom_read_user_tmpfs_files',`
 +	gen_require(`
-+		type $1_tmpfs_t;
++		type user_tmpfs_t;
 +	')
 +
 +	fs_search_tmpfs($2)
-+	allow $2 $1_tmpfs_t:dir list_dir_perms;
-+	read_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t)
-+	read_lnk_files_pattern($2, $1_tmpfs_t, $1_tmpfs_t)
++	allow $2 user_tmpfs_t:dir list_dir_perms;
++	read_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
++	read_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
 +')
 +
 +#######################################
@@ -34441,9 +34548,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	dontaudit $1 user_home_t:file unlink;
 +')
++
++#######################################
++## <summary>
++##	The template for creating a tmpfs type
++##	that the user has full access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_tmpfs',`
++	gen_require(`
++		type user_tmpfs_t;
++	')
++
++	manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	manage_sock_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	manage_fifo_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.9/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/userdomain.te	2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/system/userdomain.te	2008-09-29 08:43:56.000000000 -0400
 @@ -8,13 +8,6 @@
  
  ## <desc>
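Review bot: The `<summary>` on the new `userdom_manage_tmpfs` interface describes a template that creates a type, but the body creates nothing. It grants `$1` manage access to directories, files, symlinks, sockets and fifos of the existing `user_tmpfs_t` and adds a tmpfs file transition to that type. I would reword it to `##	Create, read, write, and delete user tmpfs content, and label new tmpfs objects user_tmpfs_t.` Because of `fs_tmpfs_filetrans`, tmpfs objects created by the calling domain take the shared label, so they become reachable through `userdom_read_user_tmpfs_files` and `userdom_rw_user_tmpfs_files`; a short `<desc>` stating that would help callers judge the exposure.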
@@ -34485,7 +34616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # The privhome attribute identifies every domain that can create files under
  # regular user home directories in the regular context (IE act on behalf of
  # a user in writing regular files)
-@@ -81,6 +73,72 @@
+@@ -81,6 +73,76 @@
  
  # unprivileged user domains
  attribute unpriv_userdomain;
@@ -34521,6 +34652,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +type user_tmp_t, user_file_type, user_tmpfile;
 +files_tmp_file(user_tmp_t)
 +
++type user_tmpfs_t, user_file_type;
++files_tmpfs_file(user_tmpfs_t)
++
++
 +##############################
 +#
 +# User home directory file rules
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 735da8e..1bc1b2e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -10,14 +10,14 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 21
+%define POLICYVER 23
 %define libsepolver 2.0.20-1
 %define POLICYCOREUTILSVER 2.0.54-2
 %define CHECKPOLICYVER 2.0.16-1
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -40,8 +40,9 @@ Source15: securetty_types-mls
 Url: http://serefpolicy.sourceforge.net
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
-BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER} bzip2
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
+Requires(post): /usr/bin/bunzip2
 Requires: checkpolicy >= %{CHECKPOLICYVER} m4 
 Obsoletes: selinux-policy-devel
 Provides: selinux-policy-devel
@@ -77,6 +78,9 @@ cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
 %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
 
+%define bzmoduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf " ../%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
+
 %define installCmds() \
 make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
 make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \
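Review bot: `bzmoduleList` copies the comment filter `$1 !~ "/^#/"` from `moduleList`, and as far as I can tell that test never excludes anything. A string used as a dynamic regex keeps its slashes as literal characters, so the pattern cannot match a field that merely begins with `#`. A line written as `#foo = module` would still pass the `$2 == "="` and `$3 == "module"` checks and put that name on the `cp` command line that `loadpolicy` runs. A regex literal, `$1 !~ /^#/`, in both macros would make the filter do what it appears to intend.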
@@ -96,12 +100,13 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedir
 install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
 echo -n > %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
+bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp
 %nil
 
 %define fileList() \
 %defattr(-,root,root) \
 %dir %{_usr}/share/selinux/%1 \
-%{_usr}/share/selinux/%1/*.pp \
+%{_usr}/share/selinux/%1/*.pp.bz2 \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
 %ghost %{_sysconfdir}/selinux/%1/seusers \
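Review bot: The added `bzip2` line in `installCmds` has no trailing `\`, unlike the other lines of the macro body, so the definition ends there and the following `%nil` becomes a separate line outside the macro. It probably still builds, but for consistency I would write `bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp \`. The start of `installCmds` is outside this hunk.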
@@ -144,9 +149,13 @@ if [ -s /etc/selinux/config ]; then \
 fi
 
 %define loadpolicy() \
-( cd /usr/share/selinux/%1; \
+tempdir=`mktemp -d /usr/share/selinux/%1/tmpXXXX`; \
+( cd $tempdir; \
+cp ../base.pp.bz2 %{expand:%%bzmoduleList %1} .; \
+bunzip2 *; \
 semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
 ); \
+rm -rf $tempdir; \
 
 %define relabel() \
 . %{_sysconfdir}/selinux/config; \
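Review bot: Nothing in the new `loadpolicy` body checks that `mktemp -d` succeeded, and this macro is expanded into package scriptlets that run as root. If `tempdir` ends up empty, `cd $tempdir` changes to the home directory, and `cp ... .` followed by `bunzip2 *` then acts on whatever files are there. I would fail closed and narrow the glob: add `|| exit 1` after the `mktemp -d` assignment, and use `( cd "$tempdir" || exit 1; \` and `bunzip2 *.pp.bz2; \`. How an early exit interacts with the rest of each scriptlet is not visible in this hunk, so the exact failure handling may need adjusting.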
@@ -381,6 +390,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Sep 29 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-2
+- Change all user tmpfs_t files to be labeled user_tmpfs_t
+- Allow radiusd to create sock_files
+
 * Wed Sep 24 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-1
 - Upgrade to upstream