diff --git a/policy-20070703.patch b/policy-20070703.patch
index 7dc7e81..8e6c152 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1618,7 +1618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 08:56:35.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 11:42:05.000000000 -0400
@@ -18,3 +18,102 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
@@ -1714,7 +1714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+
-+ allow $1_mono_t self:process { execheap execmem };
++ allow $1_mono_t self:process { signal getsched execheap execmem };
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
@@ -1724,7 +1724,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-20 11:41:50.000000000 -0400
+@@ -15,7 +15,7 @@
+ # Local policy
+ #
+
+-allow mono_t self:process { execheap execmem };
++allow mono_t self:process { signal getsched execheap execmem };
+
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
+
@@ -46,3 +46,7 @@
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
@@ -4206,6 +4215,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
dev_read_sound(entropyd_t)
fs_getattr_all_fs(entropyd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if
+--- nsaserefpolicy/policy/modules/services/automount.if 2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/automount.if 2007-09-20 11:17:32.000000000 -0400
+@@ -74,3 +74,21 @@
+
+ dontaudit $1 automount_tmp_t:dir getattr;
+ ')
++
++########################################
++##
++## Do not audit attempts to file descriptors for automount.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`automount_dontaudit_use_fds',`
++ gen_require(`
++ type automount_t;
++ ')
++
++ dontaudit $1 automount_t:fd use;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-09-17 16:20:18.000000000 -0400
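Review bot: The summary of the new `automount_dontaudit_use_fds` interface is missing its verb — "Do not audit attempts to file descriptors for automount." (the `++##` line above the `interface(` line) should read `## Do not audit attempts to use file descriptors of automount.`, matching the `dontaudit $1 automount_t:fd use;` rule it documents. The doc block also shows bare `##` lines where refpolicy interfaces normally carry `<summary>` and `<param name="domain">` markup; that may be lost in rendering here, but worth confirming the patch still has it so the interface is picked up by the documentation tooling.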
@@ -5150,7 +5184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 12:01:41.000000000 -0400
@@ -50,6 +50,12 @@
##
#
@@ -5172,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-@@ -135,6 +142,19 @@
+@@ -135,7 +142,21 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@@ -5190,9 +5224,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ userdom_read_user_home_content_files($1, $1_dbusd_t)
+
auth_read_pam_console_data($1_dbusd_t)
++ auth_use_nsswitch($1_dbusd_t)
libs_use_ld_so($1_dbusd_t)
-@@ -193,6 +213,7 @@
+ libs_use_shared_libs($1_dbusd_t)
+@@ -193,6 +214,7 @@
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t;
@@ -5200,7 +5236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
class dbus send_msg;
')
-@@ -202,9 +223,12 @@
+@@ -202,9 +224,12 @@
# SE-DBus specific permissions
allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@@ -5213,7 +5249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
#######################################
-@@ -271,6 +295,32 @@
+@@ -271,6 +296,32 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@@ -5246,7 +5282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
########################################
##
## Read dbus configuration.
-@@ -286,6 +336,7 @@
+@@ -286,6 +337,7 @@
type dbusd_etc_t;
')
@@ -5254,7 +5290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1 dbusd_etc_t:file read_file_perms;
')
-@@ -346,3 +397,23 @@
+@@ -346,3 +398,23 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -5280,7 +5316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-20 12:01:29.000000000 -0400
@@ -23,6 +23,9 @@
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@@ -7986,7 +8022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-20 11:18:24.000000000 -0400
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -8002,7 +8038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
-@@ -76,9 +80,11 @@
+@@ -76,9 +80,16 @@
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -8011,10 +8047,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
optional_policy(`
nis_read_ypserv_config(rpcd_t)
+ nis_use_ypbind(rpcd_t)
++')
++
++# automount -> mount -> rpcd
++optional_policy(`
++ automount_dontaudit_use_fds(rpcd_t)
')
########################################
-@@ -91,9 +97,13 @@
+@@ -91,9 +102,13 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@@ -8028,7 +8069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +133,7 @@
+@@ -123,6 +138,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -8036,7 +8077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +154,9 @@
+@@ -143,6 +159,9 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -8046,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-@@ -158,6 +172,9 @@
+@@ -158,6 +177,9 @@
miscfiles_read_certs(gssd_t)
@@ -9489,7 +9530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 10:52:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 12:07:15.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -9512,7 +9553,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
-@@ -353,12 +356,6 @@
+@@ -282,6 +285,7 @@
+ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
+
+ allow $1_xserver_t $1_xauth_home_t:file { getattr read };
++ allow xdm_t $1_xauth_home_t:file append_file_perms;
+
+ domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
+ allow $1_xserver_t $2:process signal;
+@@ -353,12 +357,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
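Review bot: The added `allow xdm_t $1_xauth_home_t:file append_file_perms;` grants the display-manager domain append access to a per-user home file inside a user template, with no comment saying why, although it is the only rule in this stretch whose subject is not the template's own `$1_xserver_t`. A one-line why-comment would keep the next reader from dropping it as a stray rule, e.g. `# xdm_t appends to the user's Xauthority home file (presumably to add the session cookie at login -- confirm)`. The enclosing template starts and ends outside this hunk.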
@@ -9525,7 +9574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +384,14 @@
+@@ -387,6 +385,14 @@
')
optional_policy(`
@@ -9540,16 +9589,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
-@@ -537,16 +542,14 @@
+@@ -537,16 +543,14 @@
gen_require(`
type xdm_t, xdm_tmp_t;
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
')
- allow $2 self:shm create_shm_perms;
- allow $2 self:unix_dgram_socket create_socket_perms;
- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+- allow $2 self:shm create_shm_perms;
+- allow $2 self:unix_dgram_socket create_socket_perms;
+- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
++ allow $2 $2:shm create_shm_perms;
++ allow $2 $2:unix_dgram_socket create_socket_perms;
++ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
- # Read .Xauthority file
- allow $2 $1_xauth_home_t:file { getattr read };
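Review bot: Replacing `self` with `$2` as the target in the three `allow $2 $2:{shm,unix_dgram_socket,unix_stream_socket}` rules is a widening, not a rewrite: when `$2` is an attribute — and the userdomain.if hunk of this commit now calls `xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)` — `self` allowed each type only to itself, whereas `$2 $2` allows every type carrying the attribute to create/attach shm and `connectto` unix sockets of every other such type. If that cross-domain sharing among a user's domains is the intent, it deserves a comment so the change is not reverted as a typo, e.g. `# $2 may be an attribute: all of its types may share shm and unix sockets with each other`. The enclosing template starts outside this hunk.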
@@ -9559,7 +9611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +558,52 @@
+@@ -555,25 +559,52 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -9620,7 +9672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
-@@ -626,6 +656,24 @@
+@@ -626,6 +657,24 @@
########################################
##
@@ -9645,7 +9697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
##
##
-@@ -659,6 +707,73 @@
+@@ -659,6 +708,73 @@
########################################
##
@@ -9719,7 +9771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
##
##
-@@ -927,6 +1042,7 @@
+@@ -927,6 +1043,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -9727,7 +9779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -987,6 +1103,37 @@
+@@ -987,6 +1104,37 @@
########################################
##
@@ -9765,7 +9817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -1136,7 +1283,7 @@
+@@ -1136,7 +1284,7 @@
type xdm_xserver_tmp_t;
')
@@ -9774,7 +9826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1325,3 +1472,62 @@
+@@ -1325,3 +1473,62 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -10057,7 +10109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 09:08:43.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 11:14:45.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10088,7 +10140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +177,23 @@
+@@ -176,11 +177,24 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -10098,6 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
++ auth_domtrans_chk_passwd($1)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
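Review bot: The new `auth_domtrans_chk_passwd($1)` call added after `allow $1 keyring_type:key { search link };` appears to duplicate the unchanged `auth_domtrans_chk_passwd($1)` that is visible as context in the next hunk (right after `mls_fd_share_all_levels($1)`); the intervening context (`selinux_get_fs_mount($1)` … `selinux_compute_access_vector($1)`) suggests both sit in the same interface, though its header lies outside the hunk. Duplicate interface calls compile fine in refpolicy but invite divergent edits later, so one of the two should be dropped — probably the new one, since the existing call already sits with the other auth_* calls.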
@@ -10112,7 +10165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +209,33 @@
+@@ -196,22 +210,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -10147,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -309,9 +333,6 @@
+@@ -309,9 +334,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -10157,7 +10210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +350,7 @@
+@@ -329,6 +351,7 @@
optional_policy(`
kerberos_use($1)
@@ -10165,7 +10218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -347,6 +369,37 @@
+@@ -347,6 +370,37 @@
########################################
##
@@ -10203,7 +10256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -695,6 +748,24 @@
+@@ -695,6 +749,24 @@
########################################
##
@@ -10228,7 +10281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
##
##
-@@ -1318,14 +1389,9 @@
+@@ -1318,14 +1390,9 @@
##
#
interface(`auth_use_nsswitch',`
@@ -10243,7 +10296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1447,163 @@
+@@ -1381,3 +1448,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -12135,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 09:37:08.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 11:56:27.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -12249,7 +12302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
##
-@@ -1058,3 +1134,124 @@
+@@ -1058,3 +1134,133 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -12300,6 +12353,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ corecmd_search_bin($2)
+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
+ seutil_semanage_policy($1_setsebool_t)
++
++ # Need to define per type booleans
++ selinux_set_boolean($1_setsebool_t)
++
++ # Bug in semanage
++ seutil_domtrans_setfiles($1_setsebool_t)
++ seutil_manage_file_contexts($1_setsebool_t)
++ seutil_manage_default_contexts($1_setsebool_t)
++ seutil_manage_selinux_config($1_setsebool_t)
+')
+
+#######################################
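Review bot: The five rules added to `$1_setsebool_t` (`seutil_domtrans_setfiles`, `seutil_manage_file_contexts`, `seutil_manage_default_contexts`, `seutil_manage_selinux_config`, plus `selinux_set_boolean`) give a per-role boolean-setting domain write access to the file-context, default-context and SELinux configuration files, and the only justification is `# Bug in semanage`. A workaround that widens a user-reachable domain this far should name the bug and the condition for removal, e.g. `# Workaround: semanage rewrites file/default contexts when storing booleans (bug: <BUG_ID_PLACEHOLDER>); drop once fixed`. The same three `seutil_manage_*` lines are added for `setsebool_t` in the selinuxutil.te hunk below under the same bare comment and want the same reference. The enclosing template starts outside this hunk.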
@@ -12376,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 09:31:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 11:55:54.000000000 -0400
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -12506,7 +12568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
-@@ -423,77 +426,50 @@
+@@ -423,77 +426,53 @@
nscd_socket_use(run_init_t)
')
@@ -12520,6 +12582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+selinux_set_boolean(setsebool_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_selinux_config(setsebool_t)
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
@@ -12610,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -521,6 +497,8 @@
+@@ -521,6 +500,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@@ -12619,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +515,7 @@
+@@ -537,6 +518,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -12627,7 +12692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -592,6 +571,10 @@
+@@ -592,6 +574,10 @@
ifdef(`hide_broken_symptoms',`
optional_policy(`
@@ -13163,7 +13228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 10:55:37.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 12:06:52.000000000 -0400
@@ -29,8 +29,9 @@
')
@@ -13503,26 +13568,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- # Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
- ')
-+ dev_rw_xserver_misc($1_t)
-+ dev_rw_power_management($1_t)
-+ dev_read_input($1_t)
-+ dev_read_misc($1_t)
-+ dev_write_misc($1_t)
++ dev_rw_xserver_misc($1_usertype)
++ dev_rw_power_management($1_usertype)
++ dev_read_input($1_usertype)
++ dev_read_misc($1_usertype)
++ dev_write_misc($1_usertype)
+ # open office is looking for the following
-+ dev_getattr_agp_dev($1_t)
-+ dev_dontaudit_rw_dri($1_t)
++ dev_getattr_agp_dev($1_usertype)
++ dev_dontaudit_rw_dri($1_usertype)
+ # GNOME checks for usb and other devices:
-+ dev_rw_usbfs($1_t)
-+ xserver_user_client_template($1,$1_t,$1_tmpfs_t)
-+ xserver_xsession_entry_type($1_t)
-+ xserver_dontaudit_write_log($1_t)
-+ xserver_stream_connect_xdm($1_t)
++ dev_rw_usbfs($1_usertype)
++ xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
++ xserver_xsession_entry_type($1_usertype)
++ xserver_dontaudit_write_log($1_usertype)
++ xserver_stream_connect_xdm($1_usertype)
+ # certain apps want to read xdm.pid file
-+ xserver_read_xdm_pid($1_t)
++ xserver_read_xdm_pid($1_usertype)
+ # gnome-session creates socket under /tmp/.ICE-unix/
-+ xserver_create_xdm_tmp_sockets($1_t)
++ xserver_create_xdm_tmp_sockets($1_usertype)
+ # Needed for escd, remove if we get escd policy
-+ xserver_manage_xdm_tmp_files($1_t)
++ xserver_manage_xdm_tmp_files($1_usertype)
')
#######################################
@@ -14056,10 +14121,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1902,6 +1987,41 @@
+@@ -1894,10 +1979,46 @@
+ template(`userdom_manage_user_home_content_dirs',`
+ gen_require(`
+ type $1_home_dir_t, $1_home_t;
++ attribute user_home_type;
+ ')
- ########################################
- ##
+ files_search_home($2)
+- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
++ manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)
++')
++
++########################################
++##
+## dontaudit attemps to Create files
+## in a user home subdirectory.
+##
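Review bot: In `userdom_manage_user_home_content_dirs`, the new `manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)` replaces the per-user `$1_home_t` with the `user_home_type` attribute as the directory operand, so `$2` now gets the pattern's directory permissions on every user's home-content types rather than only `$1`'s, while the template is still instantiated per user (`$1_home_dir_t` is unchanged). If cross-user directory access is the intent, the template's summary (above this hunk) should say so; otherwise keep `$1_home_t` in the set. The added `attribute user_home_type;` in `gen_require` is consistent with the new rule either way.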
@@ -14091,14 +14166,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ dontaudit $2 $1_home_dir_t:file create;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to set the
- ## attributes of user home files.
- ##
-@@ -3078,7 +3198,7 @@
+ ')
+
+ ########################################
+@@ -3078,7 +3199,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -14107,7 +14178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4615,6 +4735,24 @@
+@@ -4615,6 +4736,24 @@
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
@@ -14132,7 +14203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
##
-@@ -4633,6 +4771,14 @@
+@@ -4633,6 +4772,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -14147,7 +14218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5323,7 +5469,7 @@
+@@ -5323,7 +5470,7 @@
attribute user_tmpfile;
')
@@ -14156,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -5559,3 +5705,375 @@
+@@ -5559,3 +5706,375 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 816773f..a610a50 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -364,6 +364,7 @@ exit 0
%changelog
* Wed Sep 19 2007 Dan Walsh 3.0.8-4
- Fix to add xguest account when inititial install
+- Allow mono, java, wine to run in userdomains
* Wed Sep 19 2007 Dan Walsh 3.0.8-3
- Allow xserver to search devpts_t