diff --git a/policy-20080710.patch b/policy-20080710.patch index 4fb9d26..fe943ea 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch 
@@ -355,6 +355,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.5.13/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-25 09:12:31.000000000 -0400 ++++ serefpolicy-3.5.13/man/man8/httpd_selinux.8 2008-10-27 10:41:03.000000000 -0400 +@@ -57,8 +57,7 @@ + .EE + + .SH BOOLEANS +-SELinux policy is customizable based on least access required. So by +-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. ++SELinux policy can be customizable based on least access required. So SElinux can prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. + .PP + httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this + +@@ -75,7 +74,7 @@ + .EE + + .PP +-httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. ++httpd by can be configured to not allow access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. 
Set the httpd_tty_comm boolean to allow terminal access. + + .EX + setsebool -P httpd_tty_comm 1 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400 +++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-10-17 10:31:26.000000000 -0400 @@ -4375,8 +4397,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-23 14:17:48.000000000 -0400 -@@ -0,0 +1,255 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-27 10:05:44.000000000 -0400 +@@ -0,0 +1,256 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4571,6 +4593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + +fs_list_inotifyfs(nsplugin_config_t) ++fs_search_auto_mountpoints(nsplugin_config_t) + +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) 
@@ -6170,6 +6193,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-27 09:53:12.000000000 -0400 +@@ -1441,10 +1441,11 @@ + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 { port_type -reserved_port_t }:tcp_socket name_bind; + ') + + ######################################## +@@ -1459,10 +1460,11 @@ + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ allow $1 { port_type -reserved_port_t }:udp_socket name_bind; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-23 14:24:15.000000000 -0400 
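Review bot: Replacing `-reserved_port_type` with `-reserved_port_t` in `corenet_tcp_bind_all_unreserved_ports` widens the grant unless that attribute grouped only that one type: the removed gen_require declares `reserved_port_type` as an attribute, so any other port type it covered is no longer subtracted and becomes bindable through an interface whose name still promises "unreserved". The same substitution is made in `corenet_udp_bind_all_unreserved_ports` a few lines further down the hunk. If the attribute is not available in this tree and the narrowing of the exclusion is deliberate, the interface header should say so, e.g. `# Only the generic reserved_port_t is excluded; named reserved port types remain bindable`; otherwise keeping the attribute in the require block is the safer form. The user template in userdomain.if (hunk at -31165) calls the tcp variant for `$1_t`, so whatever set this interface grants reaches ordinary user domains (still subject to the kernel's privileged-port capability check).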
@@ -10595,7 +10649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-23 10:30:58.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-27 16:11:48.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -11259,7 +11313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; -+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; ++typealias httpd_sys_script_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; 
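Review bot: After this change both `httpd_fastcgi_content_rw_t` and `httpd_fastcgi_script_rw_t` alias the same type, `httpd_sys_script_rw_t`, while `httpd_sys_content_rw_t` is left with no fastcgi alias, and the existing comment (`# Removal of fastcgi, will cause problems without the following`) does not say why the content_rw alias was redirected. If the reason is that `httpd_sys_content_rw_t` is not declared in this tree, a comment stating that would stop a later maintainer from "fixing" the alias back; if the type does exist, the original mapping looks like the intended one. Either way, files still labeled `httpd_fastcgi_content_rw_t` will now be treated as script rw content, which deserves a line in the comment.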
@@ -11812,8 +11866,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-17 10:31:27.000000000 -0400 -@@ -247,6 +247,8 @@ ++++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-27 09:51:11.000000000 -0400 +@@ -118,6 +118,7 @@ + corenet_tcp_bind_dns_port(named_t) + corenet_udp_bind_dns_port(named_t) + corenet_tcp_bind_rndc_port(named_t) ++corenet_udp_bind_all_ports(named_t) + corenet_tcp_connect_all_ports(named_t) + corenet_sendrecv_dns_server_packets(named_t) + corenet_sendrecv_dns_client_packets(named_t) +@@ -247,6 +248,8 @@ sysnet_read_config(ndc_t) sysnet_dns_name_resolve(ndc_t) @@ -11909,7 +11971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-27 12:54:15.000000000 -0400 @@ -20,6 +20,9 @@ type bluetooth_helper_exec_t; application_executable_file(bluetooth_helper_exec_t) 
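Review bot: `corenet_udp_bind_all_ports(named_t)` grants name_bind on every UDP port type, reserved ones included, to a network-facing daemon, and it carries no comment; the dns port is already covered by `corenet_udp_bind_dns_port(named_t)` two lines above. If the purpose is to let named choose arbitrary source ports for its outgoing queries, the narrower `corenet_udp_bind_all_unreserved_ports(named_t)` (an interface this same patch touches) covers that case, and a comment such as `# named picks random UDP source ports for outgoing queries` would record the intent. As written, a reader cannot tell whether binding reserved ports is needed or incidental.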
@@ -11967,20 +12029,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_use_ptys(bluetooth_t) sysadm_dontaudit_search_home_dirs(bluetooth_t) -@@ -126,12 +130,13 @@ - sysadm_dontaudit_search_home_dirs(bluetooth_t) - +@@ -128,10 +132,15 @@ optional_policy(` -- dbus_system_bus_client_template(bluetooth, bluetooth_t) -- dbus_connect_system_bus(bluetooth_t) -+ cups_dbus_chat(bluetooth_t) + dbus_system_bus_client_template(bluetooth, bluetooth_t) + dbus_connect_system_bus(bluetooth_t) ++ dbus_system_domain(bluetooth_t, bluetooth_exec_t) ++ ++ optional_policy(` ++ cups_dbus_chat(bluetooth_t) ') optional_policy(` - nis_use_ypbind(bluetooth_t) -+ dbus_system_bus_client_template(bluetooth, bluetooth_t) -+ dbus_connect_system_bus(bluetooth_t) -+ dbus_system_domain(bluetooth_t, bluetooth_exec_t) ++ hal_dbus_chat(bluetooth_t) ++ ') ') optional_policy(` @@ -29644,7 +29706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-24 10:26:04.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-27 09:05:47.000000000 -0400 @@ -6,35 +6,76 @@ # Declarations # @@ -29941,7 +30003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +295,50 @@ +@@ -229,14 +295,57 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
@@ -29966,7 +30028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_rw_xdm_xserver_shm(unconfined_execmem_t) -+') + ') + +######################################## +# @@ -29983,7 +30045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + gen_require(` + type mplayer_exec_t; - ') ++ ') + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) +') + @@ -29994,6 +30056,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) +') + ++optional_policy(` ++ gen_require(` ++ type openoffice_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-10-17 10:31:27.000000000 -0400 @@ -30009,7 +30078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-17 17:49:05.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-27 09:43:09.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -31135,6 +31204,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
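Review bot: The new openoffice block requires `type openoffice_exec_t` directly inside `optional_policy` and calls `domtrans_pattern` itself rather than going through an interface exported by the module that owns the type (if that module provides one); this mirrors the mplayer and mozilla blocks above, but it couples unconfined.te to another module's private type. All three blocks also move an unconfined application into `unconfined_execmem_t`, which the earlier declarations in this file show carries `execstack execmem`, so a one-line comment above the block naming why the application needs writable-executable memory (presumably an embedded runtime or JIT — confirm) would help the next reader. The enclosing file section begins outside this hunk.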
#### This template creates a user domain, types, and +@@ -1158,7 +1152,7 @@ + # + + # Inherit rules for ordinary users. +- userdom_restricted_user_template($1) ++ userdom_restricted_xwindows_user_template($1) + userdom_common_user_template($1) + + ############################## @@ -1167,11 +1161,10 @@ # @@ -31148,7 +31226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1182,45 @@ +@@ -1189,36 +1182,41 @@ ') ') @@ -31165,33 +31243,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) -+ ') -+ -+ # Run pppd in pppd_t by default for user -+ optional_policy(` -+ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') ++ # Run pppd in pppd_t by default for user optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ games_rw_data($1_usertype) ++ ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') optional_policy(` - postgresql_userdom_template($1,$1_t,$1_r) -+ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ++ games_rw_data($1_usertype) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ cron_per_role_template($1, $1_t, $1_r) ++ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ polkit_per_role_template($1, $1_usertype, $1_r) ++ cron_per_role_template($1, $1_t, $1_r) + ') + + optional_policy(` @@ -31207,7 +31281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1297,6 @@ +@@ -1295,8 +1293,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
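Review bot: Switching the inherited base from `userdom_restricted_user_template($1)` to `userdom_restricted_xwindows_user_template($1)` changes what every domain built from this template receives, yet the comment immediately above it still reads `# Inherit rules for ordinary users.` and the template's own header (outside the hunk) is not touched. If the intent is that users of this template always get the X-windows rules the new base presumably adds, state it at the call site, e.g. `# Inherit rules for ordinary users, including X windows access.`; if only some callers need X, keeping the restricted variant and offering the xwindows one separately avoids widening every caller. The template this call sits in begins before the hunk.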
@@ -31216,7 +31290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1318,6 @@ +@@ -1318,8 +1314,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31225,7 +31299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1372,6 @@ +@@ -1374,13 +1368,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -31239,7 +31313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1423,7 @@ +@@ -1432,6 +1419,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31247,7 +31321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1453,6 @@ +@@ -1461,10 +1449,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -31258,7 +31332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1472,14 @@ +@@ -1484,6 +1468,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -31273,7 +31347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1737,15 @@ +@@ -1741,11 +1733,15 @@ # template(`userdom_user_home_content',` gen_require(` @@ -31292,7 +31366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1841,11 @@ +@@ -1841,11 +1837,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` 
@@ -31306,7 +31380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1875,11 @@ +@@ -1875,11 +1871,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -31320,7 +31394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1923,12 @@ +@@ -1923,12 +1919,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -31336,7 +31410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1958,11 @@ +@@ -1958,10 +1954,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -31350,7 +31424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1994,47 @@ +@@ -1993,11 +1990,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -31400,7 +31474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2066,10 @@ +@@ -2029,10 +2062,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -31413,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2099,11 @@ +@@ -2062,11 +2095,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` @@ -31427,7 +31501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2133,11 @@ +@@ -2096,11 +2129,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -31442,7 +31516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2167,14 @@ +@@ -2130,10 +2163,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -31459,7 +31533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2204,11 @@ +@@ -2163,11 +2200,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -31473,7 +31547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2238,11 @@ +@@ -2197,11 +2234,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -31487,7 +31561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2272,10 @@ +@@ -2231,10 +2268,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -31500,7 +31574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2307,12 @@ +@@ -2266,12 +2303,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -31516,7 +31590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2344,10 @@ +@@ -2303,10 +2340,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` @@ -31529,7 +31603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2379,12 @@ +@@ -2338,12 +2375,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` 
@@ -31545,7 +31619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2416,12 @@ +@@ -2375,12 +2412,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -31561,7 +31635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2453,12 @@ +@@ -2412,12 +2449,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -31577,7 +31651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2503,11 @@ +@@ -2462,11 +2499,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -31591,7 +31665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2552,11 @@ +@@ -2511,11 +2548,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -31605,7 +31679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2596,11 @@ +@@ -2555,11 +2592,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -31619,7 +31693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2630,11 @@ +@@ -2589,11 +2626,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` @@ -31633,7 +31707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2664,11 @@ +@@ -2623,11 +2660,11 @@ # template(`userdom_list_user_tmp',` gen_require(` 
@@ -31647,7 +31721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2700,10 @@ +@@ -2659,10 +2696,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -31660,7 +31734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2735,10 @@ +@@ -2694,10 +2731,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -31673,7 +31747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2768,12 @@ +@@ -2727,12 +2764,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -31689,7 +31763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2805,10 @@ +@@ -2764,10 +2801,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -31702,7 +31776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2840,10 @@ +@@ -2799,10 +2836,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -31715,7 +31789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2873,12 @@ +@@ -2832,12 +2869,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` @@ -31731,7 +31805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2910,10 @@ +@@ -2869,10 +2906,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` 
@@ -31744,7 +31818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2945,12 @@ +@@ -2904,12 +2941,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -31760,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2982,11 @@ +@@ -2941,11 +2978,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -31774,7 +31848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3018,11 @@ +@@ -2977,11 +3014,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -31788,7 +31862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3054,11 @@ +@@ -3013,11 +3050,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -31802,7 +31876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3090,11 @@ +@@ -3049,11 +3086,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -31816,7 +31890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3126,11 @@ +@@ -3085,11 +3122,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -31830,7 +31904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3175,10 @@ +@@ -3134,10 +3171,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` 
@@ -31843,7 +31917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3219,19 @@ +@@ -3178,19 +3215,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -31867,7 +31941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
##
## This is a templated interface, and should only
-@@ -3211,13 +3252,13 @@
+@@ -3211,13 +3248,13 @@
#
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
@@ -31885,7 +31959,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4616,11 +4657,11 @@
+@@ -4616,11 +4653,11 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -31899,7 +31973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4640,6 +4681,14 @@
+@@ -4640,6 +4677,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -31914,7 +31988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4677,6 +4726,8 @@
+@@ -4677,6 +4722,8 @@
')
dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
@@ -31923,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4721,6 +4772,25 @@
+@@ -4721,6 +4768,25 @@
########################################
##